homelab Help with setting up a Homelab

[mattsibley]

Hi,

I need some help with setting up my home lab. Want I want to do is to have my PC be able to manage Citrix XenServer, with the VMs on a closed host only network. But I am not too sure how to go about it? Would I need to connect the VM's to a pfsense router VM or can I network the VMs directly in XenServer? Also, would I need to hardwire my XenServer to my PC via a switch to enable management of it on the closed network when my pc communicates directly with the router via wifi?

Sorry if this is a bit noobtacular I don't really want to screw this up.

Matt 

[i8igmac]

correct me. You want to setup a network Of vm's and prevent access to the outside world(internet)

 

Setup your vm. Then a few ip table rules to prevent input and output from this vm-subnet-/-to-or-from-/-your-modem.

[digip]

For the lab, the Xen server houses all the vulnerable machines. Which machine is the attacking machine? Is it one of the other VM's or native hardware outside the VM structure? I would put the Xen server and VM machines on a separate rotuer/switch than the main LAN side so they have their own subnet you can play on, and only connect an attacking machine to this subnet when not connected to the main LAN, but that isn't always possible depending on what equipment you have access to and from where you are in respect to connectivity.

Wifi access would be discouraged in my mind just because of it's ability to be broken in some fashion from the outside world, and a wired only air-gapped connection you can plug directly into for this subnet is how I would do it, but that is just me.

At home, I'm just running them all on the same local machine, so I can't even say I'm doing best practices, but I don't have the extra equipment to do it as I would even like myself, which is to not have any machine on the LAN accessible to the Lab machine subnet at the same time it's connected to the LAN side which has WAN access. If you accept the risk, you have to understand that whatever machine on the LAN connects to the Xen subnet, is essentially a pivot point between the two networks. If you're testing malware on these VM's as well, having them escape the sandbox back onto the main LAN is also another reason you'd want them to be air-gapped from the main LAN side of things, but again, more "I'd like this to be this way", but due to my limitations on physical resources, may not be physically possible with the equipment you have access to.

At the end of the day, draw out a diagram of what needs access where, and then decide what parts are acceptable risky connections between parts of your network and decide how to secure those pivot points so they can't be used to traverse the rest of the network(as much as possible, since nothing is truly secure when everything can pivot somewhere else in the mesh)

[mattsibley]

Hi everyone,

 

Sorry work got on top of me for a bit. I know how I am going to go for this. For now, the XenServer is only going to be used to build out a Windows Active Directory Domain to sharpen my 2k12 r2 sills ahead of the exams, then later use that built up domain as a target for m Kali VM. In its current configuration, i won't be doing malware analysis on the system. Thank you, everyone, for your suggestions and help. 

 

Matt