Build a network project & learn Linux, nftables cluster, NAC, pfSense, pentest, network security, Kali Linux & Wireshark

What you will learn

Learn network security, open networking & Linux engineering in one tutorial

Building up a company-grade segmented network entirely on Unix-like OS

Learn underlying cluster technologies e.g. Keepalived & VRRP on Linux

Project-based learning of configuring firewall clusters on OpenSUSE Linux as well as pfSense

Learn about NAC (802.1X, EAP, EAPoL) using PacketFence to reject or accept clients on switches

Networking core fundamentals such as Traffic Tagging using VLANs, Trunking, STP, subnetting, LAG, MLAG, etc.

Learn firewall’s core functionalities & be able to work with any firewall, no matter what brand

Initial to advanced configuration of Nvidia Cumulus Linux switches

Learn how head & branch offices securely communicate using IPSec site to site VPN

Practicing network security by segmentation, compartmentalization, & isolation

Learn how to create different VLANs in a company and control their traffic on each other

Setting up Linux based DHCP server to serve IP addresses in different VLANs

Learn network redundancy methods e.g. LACP (802.3ad), balance-rr, balance-xor, etc. on Linux, pfSense and Cumulus switch

Learn how to migrate from iptables to nftables

Project-based learning of advanced pfSense firewall features

Project-based learning of packet capture & analysis using Wireshark, TShark, TermShark & TCPDump

Learn about openSUSE, AlpineLinux, Debian, Ubuntu and FreeBSD

Implement IPSec VPN on openSUSE using strongSwan

Configuring openVPN remote access for home office users

Configuring Wireguard remote access for IoT devices (key based authentication)

Learn how to harden SSH logins using two-factor authentication (2FA)

Learn virtualization using VirtualBox and GNS3

Learn the most common network attacks and penetration testing techniques

Yersinia attack toolkit

Description

When it comes to open-source, the sky is the limit!

In a nutshell, you will build a company-like network with a headquarters and a branch office on Unix-like OSs and open-source tools, then try to hack its vulnerabilities.

Everything from switches to endpoints, clustered firewalls, servers (including the Network Access Control, or NAC, server), jump hosts, and anything else is built on a flavor of Linux such as openSUSE, Alpine Linux, Debian, Ubuntu, etc., or on a Unix-like OS such as FreeBSD.

Network security should be embedded into the nature of the corporate network, and that is what we learn in this course.

We do not care much about vendors and logos, but practical concepts. For example, we dive into Shell commands, TCP/IP and networking fundamental concepts, and core network security principles using open-source, yet industry-proven products.

We aim to teach you how standard networking concepts are “designed” and are also “applied” in work environments.

Why a pure Linux-based network? Besides the fact that Linux runs the world, if you learn secure networking using Linux, Unix, and open-source tools, you will feel pretty confident about their commercial equivalents. For example, if you learn network firewalling using iptables and nftables, you won’t have any issues with Cisco FirePower, FortiGate, or Juniper firewalls.

As said, we are not into vendors; we are interested in standardized theoretical concepts and practical techniques. This method will give you a firm conceptual understanding of the underlying technologies and of how finished products like Cisco switches, FortiGate firewalls, Cisco ISE NAC, HPE Aruba, and so on actually work behind the scenes.

In the end, you will run the most common network attacks using Kali Linux against the network you built yourself.

Your Learning Key-Terms:

Virtualization

GNS3 Lab (with Hyper-V & VirtualBox Integration)

TCP/IP

OSI Model

Network Topologies

IP Subnetting

VLAN

Traffic Tagging

Trunking

NIC Teaming

LAGG (Link Aggregation)

MLAG (Multi-Chassis Link Aggregation)

Bond Modes: Active-Backup, 802.3ad (LACP)

Bridging

Spanning Tree

Inter-VLAN Routing

Routing & ARP Tables

MAC Flood

IEEE 802.1X & MAB (MAC Address Bypass)

Network Access Control (NAC)

PacketFence (Open Source NAC)

Extensible Authentication Protocol (EAP) (EAPoL)

RADIUS (FreeRADIUS)

Linux Open Source Networking

Nvidia Cumulus Linux Switch


openSUSE Linux

Ubuntu Linux

Alpine Linux

Linux Shell Command Line

Firewalls

Netfilter Framework

Packet Filtering

iptables

nftables

Packet Capture Analysis

Wireshark, TShark, Termshark, and TCPDump

Linux Clustering

keepalived

ConnTrack

Virtual Private Network (VPN)

OpenVPN

strongSwan IPSec (swanctl)

WireGuard

pfSense Firewall (FreeBSD)

pfSense Cluster

Next-Gen Firewall

Demilitarized Zone (DMZ)

Ethical Hacking Network Attacks and Techniques

SSH BruteForce Attack

MITM with Mac Spoofing Attack

MITM with DHCP Spoofing Attack

DOS Attack (POD, SYNFLOOD, BPDUs, CDP)

Yersinia

DHCP Starvation

DNS Spoofing

Offensive Packet Sniffing

ARP spoofing, ARP cache poisoning attack

Network hacking

Cyber security

Network Hardening Solutions

Content

Fundamentals 1: Building up a GNS3 Virtual Lab

Skip this section if…
GNS3 VM & Server, templates for Linux nodes, pfSense, Cumulus & VBox Integration

Fundamentals 2: Networking Basics

Network Topologies – Bus, Ring, Mesh and Hybrid
Network Types – LAN, WLAN, WAN, SAN, MPLS and SDWAN
OSI Network Model vs. TCP/IP Model
Network Protocols and Services
IP Addressing
IP Subnetting
Routing – ANDing, Default, Static, Dynamic Routes
Switching – VLANs, STP, LAG and MLAG
Network Architecture – 3 Tiers vs. Spine Leaf Design

Fundamentals 3: Unix-like OS Basics

50 years of Unix-like heritage: Research Unix, BSD, GNU, Linux and macOS
Part 1: 50 “must-know” shell commands working on any Unix-like OS since 70s
Part 2: 50 “must-know” shell commands working on any Unix-like OS since 70s
Part 3: 50 “must-know” shell commands working on any Unix-like OS since 70s
Part 4: 50 “must-know” shell commands working on any Unix-like OS since 70s
vi basics – a ubiquitous screen-oriented text editor on any Unix-like OS
net-tools and/or iproute2 – Networking tools on any Unix-like OS

Fundamentals 4: Packet Capture Analysis using TCPDump, Wireshark and TShark

Quick-tour of packet capture analysis
Clarifying Wireshark vs. TShark vs. TermShark vs. TCPDump
Why learning packet analysis? A use-case exposing RCE attack payload
Installing Wireshark, Termshark, TShark and TCPDump on Kali Linux
Installing Wireshark and TShark on MS Windows
TCPDump use-cases: credentials, Cookies, headers, URL, remote packet capture
Wireshark interface walkthrough and possibilities
Wireshark filters, syntax glossary, PCAP investigation, chaining, HTML rebuild
TCP/IP Model revisited in Wireshark
Packet analysis with PCAP visualization
Capturing packets on GNS3 links using Wireshark

Company Network Project Kickoff

Project requirements gathering and specifications document
Project’s basic shapes and colour codes in GNS3

Adding Open Source Switches (Cumulus Linux)

Nvidia Cumulus Linux – An Open-Source Linux-based Switch
Headquarter – Creating physical connectivity with spine-leaf design
Headquarter – Adding Alpine Linux clients
Headquarter – Layer 2 Configuration – Interfaces and VLANs – Part1
Headquarter – Layer 2 Configuration – Interfaces and VLANs – Part2
Headquarter – Spanning Tree Protocol (STP) on Cumulus Linux switches
Headquarter – Creating virtual layer 3 interfaces for management VLAN
Headquarter – Configuring Bond interfaces, LAG and MLAG in Cumulus Linux – P1
Headquarter – Configuring Bond interfaces, LAG and MLAG in Cumulus Linux – P2
Branch Office – Network Preparation in GNS3
Branch Office – Switches Trunk & Access ports, VLAN interfaces, Bonds & MLAG

Adding 2 Firewall Clusters: Linux nftables (Keepalived VRRP) & pfSense HA (CARP)

Read me first
Headquarter – Create a custom VM for the openSUSE Linux Server cluster
Headquarter – Change network adapters type to Paravirtualized Network I/O
Headquarter – Creating bond interfaces on openSUSE Linux with LACP mode
Headquarter – Troubleshooting inter-cluster Bond connectivity issues on Linux FW
Headquarter – Configure MLAG on Cumulus switches for firewall cluster bond links
Headquarter – Configure virtual VLAN interfaces on linux firewall cluster
Headquarter – Disable IPv6 on the Linux firewalls
Headquarter – Installing keepalived (VRRP) on both OpenSUSE Linux firewalls
Headquarter – Configuring keepalived (VRRP) for OpenSUSE firewall HA cluster
Introduction to netfilter framework – Part 1
Introduction to netfilter framework – Part 2
Headquarter – Change default policies of iptables chains to explicit drop
Create IPTables service on openSUSE firewall cluster & TShooting the service
Headquarter – Create iptables service on the slave firewall
Headquarter – Providing internet to VLAN 20 using MASQUERADE NAT rules
Headquarter – Configure Linux DHCP Server to assign each VLAN’s own IP range
Headquarter – Start creating Inter-VLAN iptables rules on OpenSUSE FW cluster
Headquarter – Continue creating Inter-VLAN iptables policies on firewall cluster
Headquarter – Creating iptables DNAT rules to publish web server from DMZ VLAN
Headquarter – Restrict & log SSH Brute-force attacks with iptables RECENT module
Headquarter – Visualize iptables rules with gressgraph
Headquarter – nftables basics
Headquarter – Transform iptables rules into nftables & create an nft service, P1
Headquarter – Transform iptables rules into nftables & create an nft service, P2
Headquarter – Restrict SSH Brute-force attacks for 5 minutes with Linux nftables
Branch Office – Installing pfSense machines in GNS3
Branch Office – Reassigning the interfaces and start the initial pfSense config
Branch Office – Configure pfSense interfaces, LAGG, VLAN interfaces and pfSync
Branch Office – Setup pfSense High-Availability & MLAG between Cumulus and pfSense
Branch Office – Configure pfSense DHCP server for clients and management VLANs
Branch Office – Create aliases in pfSense and add floating & VLAN firewall rules
Branch Office – Create Inter-VLAN rules from Clients and Mgmt to DMZ on pfSense
Branch Office – Setup UFW on Ubuntu Web server in DMZ & test inter-VLAN access
Branch Office – DNAT or Reverse NAT for web server access in DMZ from internet

Adding Open Source VPN technologies using Strongswan IPSec, OpenVPN & Wireguard

Setup Site to Site VPN between OpenSUSE Linux and pfSense using Strongswan – P1
Setup Site to Site VPN between OpenSUSE Linux and pfSense using Strongswan – P2
Troubleshooting Site to Site IPSec VPN between OpenSUSE Linux and pfSense
Preparing OpenVPN server on pfSense – CA server, certificate & export plugin
Setup OpenVPN remote access on pfSense & setup home-office Ubuntu OpenVPN client
Setup WireGuard VPN between OpenSUSE firewall and Ubuntu as remote IoT client

Adding Open Source Network Access Control (NAC) using PacketFence

How NAC works? EAP, EAPoL, RADIUS, dot1x – P1
How NAC works? EAP, EAPoL, RADIUS, dot1x – P2
Installing PacketFence NAC Server on a Debian Linux
Initializing PacketFence Web Configurator
Deploying Network Access Server (NAS) and FreeRADIUS with MAB Profiles
Configure IEEE 802.1X, Parking & Dynamic VLAN assignment on Cumulus Linux Switch

Adding Two-factor authentication (2FA) to SSH servers in management VLAN

Setting up 2FA for SSH server on Ubuntu jump hosts in management VLAN

How secure did we build this network? Let’s pentest it!

Introduction to penetration testing for this project
Reconnaissance of headquarter network using NMAP
Implementing SSH brute force against headquarter using our NMAP findings
ARP Poisoning attack to capture headquarter network traffic e.g. credentials
DHCP starvation attack against OpenSUSE DHCP server in headquarter (DOS attack)
DHCP spoofing by Yersinia in headquarter to deviate the network gateway and DNS