CYBERSECURITY DETECTION & MONITORING LAB:- Part Two

PFSENSE & NETWORK INTERFACES SETUP

Introduction

Welcome back to the blog series, ‘Cybersecurity Detection and Monitoring Lab’. Find the link to part one of the lab where we introduced the lab and its components.

Today, we embark on installing and setting up pfSense, our network security guard. Specifically, we will complete the initial configuration required of the network interfaces in pfSense to onboard the network segments that make up our lab.

Below is an image of our lab network topology that we will as a reference throughout this blog series.

Setting up the pfSense Virtual Machine

• Go to VirtualBox and click on ‘New’ to create a new Virtual Machine (VM).
• For the name, type in ‘pfSense’, then for the iso image select the downloaded pfSense iso image.
• Type will be ‘BSD’ and the version should be ‘FreeBSD(64-bit)’. Then click on ‘Next’.

· Give the new VM 2GBs of RAM, then proceed to click on ‘Next’.

· Allocate a disk size of 16GB and click ‘Next’. Then proceed to ‘Finish’.

· Click on the pfSense VM then select ‘Settings’.

· Go to ‘Network’ to enable the 6 virtual network adapters as per our lab requirements i.e. NICs for following the VMs:

1. Bridged Adapter to access the internet.
2. Kali Linux Attack Machine (LAN interface to access pfSense and configure firewall rules)
3. Victim Network with the vulnerable machines
4. Security Onion
5. Span Port
6. Ubuntu Desktop Cybersecurity Analyst VM.

· Notice that VirtualBox has 4 network adapter tabs to configure in the GUI. However, you can add up to 8 network interfaces on any VM. Configure the 4 network adapters as follows:

• For Adapter 1, set as the image below.

• For Adapter 2, set as the image below. Take note of the ‘name’ value detect-and-monitor-LAN as this is what distinguishes our vLANS. Then click ‘ok’ once done.

• For Adapter 3, set as the image below. Take note of the ‘name’ value detect-and-monitor-lab-Analyst-VLAN. Then click ‘ok’ once done.

• For Adapter 4, set as the image below. Take note of the ‘name’ value detect-and-monitor-SecOnion-VLAN. Then click ‘ok’ once done.

· Following the Oracle VM VirtualBox documentation, section 8.10 https://www.virtualbox.org/manual/ch08.html#vboxmanage-modifyvm, we will have to use the VirtualBox CLI — ‘VBoxmanage.exe’. Proceed with the following steps to add the next two adapters to our pfSense VM:

• Navigate to where VirtualBox is installed on your computer. In my case, it’s in the ‘C:\Program Files\Oracle\VirtualBox’
• Right-click on the window and select ‘Open in Terminal’. PowerShell will open which I highly recommend.
• Type the command: ‘.\VBoxManage.exe to see the general usage options for the vboxmanage.exe CLI.

• We need to add the VM Name, Next Interface ID and Network name. For my case, me details are as follows:

1. VM-Name: pfSense
2. Next Interface ID: 5 (for Adapter 5) and 6 (for Adapter 6)
3. Network Name: detect-and-monitor-lab

• Proceed to add the interfaces by running the following commands.

1. For Adapter 5:

2. For Adapter 6:

· Go to ‘Audio’ and disable it.

· Go to ‘USB’ and disable it.

• Select the pfSense virtual machine and click ‘Start’ to begin the installation.
• Accept’ the Copyright and Distribution Notice.
• Click ‘ok’ to install pfSense.

• Click ‘ok’ to select the default Partitioning.
• Press ‘Select’ to continue with the default ZFS Configuration: configure options.

• Click ‘Select’ to proceed with the partition.

• Choose Stripe — No redundancy since we are installing pfSense on a single disk and click ‘ok’.

• Use your space bar such that an asterisk (*) denotes the selected disk and select ‘ok’.

• Select yes on the next screen. Use arrow keys.

• The installation process will begin.

• The installation will complete and a screen requesting you to reboot will appear.

• Remove the iso installation file from VirtualBox before you reboot the VM otherwise, you will be led to the initial steps of the installation. To do so:

1. Click on ‘Devices’ on your VirtualBox menu.
2. Go to ‘Optical Drives’ and select ‘pfSense iso image’.
3. Then select ‘Force Unmount’.

• Press ‘enter’ to reboot the virtual machine.
• Then type exit to complete the reboot.
• Ignore the errors below and reset the virtual machine by clicking on Machine then Reset on the VirtualBox menu.

• Once the machine has rebooted, you’ll get a prompt that asks ‘Do you want VLANs set up now[y|n]?’ Choose n.
• Proceed to enter the name for the WAN interface as follows and press enter.

• Enter the LAN interface name as below, then enter the remaining interface names following the same format.

• This should be the result. Type ‘y’ to confirm your naming configuration.

Configuring the pfSense Interfaces

As per the image below, two interfaces will have IP addresses: the WAN interface will pull an IP address from your network (in my example 192.168.100.36/24) and the LAN interface will have a Default LAN IP address space 192.168.1.1/24. The other interfaces will not have IP addresses. We will configure IP addresses for the other VMs in the next steps.

a) Configure the LAN interface (Kali Linux Attack VM)

• Despite the LAN interface having an IP address, we want to set up some more settings on it such that Kali can access the pfSense web configurator.
• Enter option ‘2’.

• Enter option ‘2’ to select the LAN interface.
• Enter ’n’ not to configure IPv4 via DHCP. This is already taken care of by the WAN interface.

• Enter the new IP address ‘192.168.1.1’.
• Enter the subnet mask bits ‘24’.

• Proceed to press enter. This is a LAN.
• Enter ’n’ since we will not be using IPv6.
• Press Enter for no IPv6 address.
• Enter ‘y’ to enable the DHCP server on LAN.
• Enter the start address ‘192.168.1.11’.
• Enter the end address ‘192.168.1.200’.

• Enter ’n’ not to revert to HTTP as the webConfigurator protocol. We want to keep using TLS.
• As per the screenshot below, we will be able to access the WebConfigurator via the url shown i.e. ‘https://192.168.1.1/

• Press <ENTER> to continue.

b) Configure the OPT1 interface (Security Analyst VM)

• Enter option ‘2’.

• Enter option ‘3’ to select the OPT1 interface.

• Enter ’n’ to configure the address statically.
• Enter the network address.
• Enter subnet mask bits.

• Proceed to press enter. This is a LAN.
• Enter ’n’ since we will not be using IPv6.
• Press Enter for no IPv6 address.
• Enter ’n’ to enable the DHCP server on LAN.
• Enter ’n’ not to revert to HTTP as the webConfigurator protocol.

• Press <ENTER> to continue.

c) Configure the OPT2 interface (Security Onion VM)

• Enter option ‘2’.

• Enter option ‘4’ to select the OPT2 interface.

• Enter ’n’ to configure the address statically.
• Enter the network address.
• Enter subnet mask bits.

• Proceed to press enter. This is a LAN.
• Enter ’n’ since we will not be using IPv6.
• Press Enter for no IPv6 address.
• Enter ’n’ to enable the DHCP server on LAN.
• Enter ’n’ not to revert to HTTP as the webConfigurator protocol.

• Press <ENTER> to continue.

d) Configure the OPT3 interface (Victim Network)

• Enter option ‘2’.

• Enter option ‘5’ to select the OPT2 interface.

• Enter ’n’ to configure the address statically.
• Enter the network address.
• Enter subnet mask bits.

• Proceed to press enter. This is a LAN.
• Enter ’n’ since we will not be using IPv6.
• Press Enter for no IPv6 address.
• Enter ’n’ to enable the DHCP server on LAN.
• Enter ’n’ not to revert to HTTP as the webConfigurator protocol.

• Press <ENTER> to continue.

e) Configure the OPT4 interface (SPAN Port)

We’re going to leave OPT5 without an IP address because it’s going to have traffic from the Victim network that Security Onion will be monitoring.

pfSense final interface configuration

The interfaces and IP addresses should now look like this:

We’ve now successfully installed our firewall and created the network segments within it. Next, we need to set up our ‘control’ machines i.e. the Kali Linux Attack Machine used to configure pfSense and the Security Analyst VM. Catch this in the next episode here: part three. Happy Learning!