security Penetration Testing in Safe Environment (Safe Internet Connection)

[youkergav]

Hello.

I am new to this forum so if this thread needs to be moved somewhere else, please let me know. Sorry in advance.

I have built a hacking lab for testing purposes. I have a target router which leads to a MitM device and a switch. The switch connects two target machines and a hacking machine.
I want to supply internet access to the two target machines by connecting the router to my main router, thus giving it internet access (currently the router is not supplying internet).

I have heard it is a bad idea to give labs internet access (for obvious reasons). Is there a safe and secure way of doing this that doesn't raise a high/moderate change of comprising the network outside of my hacking lab?
I have heard of people using VPNs to secure their network. I just haven't really seen it done in this aspect.

Any advice in doing this would be super great!
Thanks.

[digininja]

It depends on what type of testing you are doing. The big thing you want to avoid is allowing the outside world get access to your machines so as long as you don't set up NAT or PAT pointing back in then that should be taken care of by default.

For a basic lab for testing things like MitM or exploitation then I don't see there being any problem with giving the lab connectivity. If you are playing with worms or testing malware then that is the type of thing that could get out and cause problems so obviously you want that in a locked down environment.

[Rainman_34]

Like digininja stated there is nothing wrong with having your lab on the network.  I will say though that I have a second router connected to my main router that uses a hidden SSID.  This router then is the network which contains my lab network so they are on a separate subnet than my home subnet. I can then VPN into my server on my lab network and the only computers on that network are the lab computers.  This way should someone get into my VPN by some freak incident they are only exposed to my lab network and not my home network.  Then to top things off the only port open on my external router is my VPN port which is changed to an obscure port number to prevent anyone scanning the router from knowing what is on it.  Then my VPN server also hosts a web server which is not exposed to the outside network.  This web server contains various steps that one must take to then startup an SSH server or VNC or FTP server for my server computer when I am away.  If someone is able to figure out all of these steps and get into my lab network and then get figure out the steps to start my other servers on it I'm screwed anyway.

[digininja]

You realise you are digging up a three month old post here?

[Rainman_34]

I do realize that but I think some topics are still pertinent and thought my response could be helpful to others who may see the topic. I apologize if this is not appropriate.