Re: Lab OS Choices



As I have mentioned, I am buying some 2950s and I have gotten a few
recommendations from people for a CCNA lab, but as far as the PIX and
additional routers what should I work towards getting to have a good
lab? Nothing immediate, but the end result.

- PM

On 8/15/07, Pete Herzog <lists@xxxxxxxxxx> wrote:
Hi,

Over the last 6 years we have studied the differences of tests against
various platforms of virtual and real systems. This has led us to making
the best possible test network we can for the OPST and OPSA certification
exams. What we have found is that there is a large difference between them
on the network packet level but almost none on the application level
(although various application tests do rely on the encapsulating protocol
so YMMV).

What's most important is the the tester's machine is NOT virtual. Because
the low-level problems at packet level do multiply during testing multiple
systems. However for a complete lab set up, make sure your virtual systems
are as close to the OS as possible- kernel level preferably, or else use
the real thing directly on metal. If you will only be doing application
tests, then it probably matters very little and go with your higher level
virtual machines.

One final note, as Jerry mentions, make sure your network devices are real!
Don't try to virtualize networking because it is very complicated and
will look very fake. We tested virtual networks and virtual networking but
such systems could not handle team traffic (low-to-medium traffic) without
producing errors. If you want to virtualize port forwards and simple hops,
you can et away with that between low-level virtualized machines but don't
try to duplicate anything else or else your error rate will compound and
make your analysis practically worthless.

Sincerely,
-pete.


Shenk, Jerry A wrote:
I've found a few tests that worked against virtual machines but did not
work against real machines. I agree, in most cases, there really is no
difference.

I also have some routers in my lab. That way, I can set up egress
filtering between the servers and the attackers in the lab. That will
help you get some realism about some things, particularly local exploits
of machines inside the network (like an Exchange client attack). I
think that also increases your credibility when talking with
clients...for example, "In the lab, we set up egress filtering...blah,
blah, blah...and with the filtering enabled, the remote exploit of the
Exchange client worked in that it crashed the client but it made it much
more difficult to get to a command-prompt on that box." That's not
really part of the pen-test itself but the real goal of the pen-test is
to make the network more secure and it definitely goes toward explaining
to the client how to make their network more secure.



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



Relevant Pages

  • Re: Irresponsible user stories!
    ... know how to set up a lab properly in a college ... Those machines shouldn't be capable of booting from outside media, ... been happening in college computer labs for decades. ... if they don't respect their own network enough ...
    (Debian-User)
  • Re: Lab OS Choices
    ... recommendations from people for a CCNA lab, but as far as the PIX and ... the best possible test network we can for the OPST and OPSA certification ... If you want to virtualize port forwards and simple hops, ... you can et away with that between low-level virtualized machines but don't ...
    (Pen-Test)
  • Re: Irresponsible user stories!
    ... know how to set up a lab properly in a college ... Those machines shouldn't be capable of booting from outside media, ... been happening in college computer labs for decades. ... if they don't respect their own network enough ...
    (Debian-User)
  • Re: Lab OS Choices
    ... What we have found is that there is a large difference between them on the network packet level but almost none on the application level. ... If you want to virtualize port forwards and simple hops, you can et away with that between low-level virtualized machines but don't try to duplicate anything else or else your error rate will compound and make your analysis practically worthless. ... Exchange client worked in that it crashed the client but it made it much ...
    (Pen-Test)
  • Re: Running public IPs inside an RFC 1597 network
    ... DP> I'm running a typical Class C RFC 1597 network in my lab. ... DP> to do is create another network, accessible from my private addresses, ... DP> All the machines in question are running 5.3-STABLE. ...
    (freebsd-questions)