Platform Virtualization

From Network Security Wiki

Most of the following How-tos use one of the following tools:



Firewalls

The following Firewalls can be virtualized:

Cisco ASA

Files Required:

asa842-initrd.gz
asa842-vmlinuz
Cisco asdm-647.bin
jdk-7u51-windows-i586
3CDaemon TFTP Server

Edit -> Preferences -> Qemu and click the ASA tab

RAM=1024

Qemu Options:

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Kernel cmd line:

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

To run two ASAs, change the Qemu options on the second firewall as below:

Qemu Options:

-vnc :2 none -vga none -m 1024 -icount auto -hdachs 980,16,32
activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

Add a loopback adapter

Run Commands:

config t
int gi 0
ip address 10.10.10.3 255.255.255.0
nameif management
no shut
copy tftp://10.10.10.2/asdm-711.bin flash
config t
asdm image flash:asdm-711.bin
http server enable
http 10.10.10.0 255.255.255.0 management
username aman password cisco privilege 15
wr mem

ASDM Java Error:

Add source network in Exceptions in Java Console


Cisco PIX

  • Install GNS3.
  • Download PIX image from here.
  • Navigate in GNS3 to Edit > Preferences > Qemu > PIX.
  • Enter the information for the Key and Serial number
  • Point the binary file to the pix image.
  • Set Identifier Name as PIX.
  • Now drag and drop Cisco PIX Firewall into canvas and configure it.


Juniper SRX

You can virtualize SRX 12.1X46-D10.2 firewall as follows:

Using VMPlayer

  • Download Firefly VMware Appliance from Juniper.net
  • Install VMware Player.
  • Import the VM into VMware player.
  • Allocate 2 CPUs.
  • Set the RAM as at least 1024 MB.
  • Check the Network interfaces and config.
  • Start the VM and proceed with quick start wizard.

Using VirtualBox

source

  • Download Firefly OVA file from Juniper.net
  • Extract contents of OVA file using 7-zip
  • Convert the vmdk virtual drive to vdi:
"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd -format VDI junos-vsrx-12.1X46-D25.7-domestic-disk1.vmdk junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi
  • Create VM in VirtualBox:
   General:
       Name: base-vSRX
       Type: Linux
       Version: Other Linux (32bit)
   System:
       Memory: 1024MB
       CPU: 2  (very important as 1 CPU will not load Gig interfaces)
       Enable PAE/NX
       Enable I/O APIC
       Enable VT-x/AMD-v
       Enable Nested Paging
   Hard Drive: IDE Primary master
       Use an existing virtual hard Drive file (Choose junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi)
   Network: (You can choose if you want each interface to be NAT, BIND, LocalHost, etc.)
       Enable all 4 adapters and set the ‘Adapter Type’ to ‘Paravirtualized Network (virt-io net)’
   Audio:
       Off
   Serial Ports:
       Enable Serial Port 1
       Port Number: COM1
       Port Mode: Disconnected
  • Boot up the VM. The default login is ‘root’ with no password.

Using GNS3 and Qemu to Cluster

Source: gns3.net & brezular.com

Versions:

GNS3: 1.2.3
Qemu: 2.1.0 i386w
Firefly: 12.1X46-D10.2
  • Download Firefly OVA file from Juniper.net
  • Extract contents of OVA file using 7-zip.
  • In GNS3 go to Preferences > Qemu and set path to qemu to the latest version.
  • Use qemu-system-x86_64 on 64-bit System or qemu-system-x86 on 32-bit System.
  • Make a new JunOS guest:
Select Binary image as the VMDK file
RAM: 1024
NIC: 10
NIC Type: e1000
Qemu options:  -smp 2 -device vmxnet3
Use KVM if supported
  • Save the Qemu VM.
  • Drag and drop the same image in GNS3 Canvas 2 times to generate two vSRX devices with different MAC addresses.
  • Add Switches as per requirement.
  • Connect the cables as per Juniper guidelines.
  • Continue with HA config as per Rtoodtoo.net


Checkpoint

This section will help you set up a fully operational Checkpoint firewall in a virtual machine that you can evaluate for 15 days.

  • Install VirtualBox.
  • Download Check_Point_R75.Splat.iso from Checkpoint.com
  • Create a new VM.
  • Boot the VM using the above ISO file.
  • Follow the on screen installation instructions.
  • Install Security Gateway, Security Management, SmartEvent and SmartReporter Suite, Management Portal products.
  • Reboot the VM and access the WebUI from the IP address provided during installation.
  • Download the Checkpoint management software and install it in windows host.


Endian Firewall

Endian Firewall Community Edition is an open source firewall which can be installed on any PC or VM. It is one of the best firewalls for freshers/newbies to start learning Security/Firewall basics and understand concepts like Zone, VPN, DHCP, Webfiltering, etc.

  1. Download the community edition of Endian Firewall from Endian.com
  2. Install VirtualBox and create a new VM.
  3. Mount the ISO file as a CDROM in VM.
  4. Boot the VM from this ISO.
  5. Install the EFW with the installation wizard.



IPS

Two common IPS systems are virtualized as follows:

Cisco IPS

   This section needs verification or testing!

Cisco IPS 4235 ver 6.0:

  • Download the IPS v6.0 Disk image (disk1 and disk2) and extract them.
  • Download JRE6update7.
  • In GNS3, go to Edit> Preferences> Qemu> IDS and configure the following:
 Browse the Disk 1 & Disk 2 locations.
 RAM : 1024 MB
 NIC Model: e1000
 Qemu Options : -smbios type=1,product=IDS-4235
 Press Save then OK
  • Start the VM. Now use the IDS with the following credentials:
username: cisco
password: ciscoips4215 
  • To manage through IME download Cisco IPS Manager Express (IME) 7.1.1


Snort

Please refer to the dedicated Snort page.

GNS3

Manual Installation

Installation:

sudo apt install python3-pyqt5 python3-pyqt5.qtsvg python3-pyqt5.qtwebsockets
sudo pip3 install gns3-gui
sudo pip3 install gns3-server

Run GNS3:

gns3

Install via PPA

  • Create a new VM with 1 GB RAM & 12 GB HDD.
  • Add 4 interfaces to it. You will not be able to add them later on due to a bug, so add enough at this stage.
  • Install Ubuntu Server edition 16.04
  • Install gnome-shell(~187 MB) for the GUI
sudo apt-get install gnome-shell gnome-terminal
  • Add the GNS3 repository
sudo add-apt-repository ppa:gns3/ppa
sudo apt-get update
sudo apt-get install gns3-gui

Autostart in Ubuntu

  • Add the IOS files to this server using SFTP
  • Create a project and save it
  • Drag a cloud and use Generic Ethernet NIO to connect the router interfaces to outer world
  • Now edit interfaces file
sudo nano /etc/network/interfaces
  • Add remaining interfaces to this file
auto eth1
iface eth1 inet manual
auto eth2
iface eth2 inet manual
auto eth3
iface eth3 inet manual
  • Reboot and check if they appear in the ifconfig output
ifconfig -a
  • Select auto login for the user from gnome user settings page.


  • To enable the project auto start on GNS3 launch, Edit the .gns3 file with a text editor and change auto_start to true.


  • Add the GNS3 autostart on bootup, put a .desktop file in ~/.config/autostart to run applications after a user login:
[Desktop Entry]
Type=Application
Name=GNS3
Exec=gns3 --config /home/aman/.config/GNS3/gns3_gui.conf /home/aman/GNS3/projects/GNS3_Router/GNS3_Router.gns3
Icon=
Comment=
X-GNOME-Autostart-enabled=true
  • If the autostart fails & you find DBUS ERROR in logs, then run the below command:
dbus-launch --exit-with-session gnome-session
  • If you still get errors for interfaces being down, check the GNS3 logs.
  • In case you find authentication failure errors in Server logs, check the GNS3_Server & GNS3_GUI logs & copy-paste the correct credentials.

Misc

Other platforms that can be virtualized are as follows:

Slax Router

  • Download the latest ISO file from sourceforge.net
  • Create a VM with 128 ~ 256MB RAM.
  • Add more Virtual network interfaces.
  • Boot the VM with the ISO file.
  • Login into the console using root:toor credentials.
  • Now enter command "slaxrouter-install" to begin HDD install.
  • Select the partition.
  • Define Swap memory if required.
Preparing Webmin
  • Edit /etc/webmin/miniserv.conf to disable ssl or to change port.
  • Restart webmin service.
Interface config
  • Run the following command to edit rc.local file
vim /etc/rc.d/rc.local
  • Paste the following lines there using VIM (v to select, y to copy, p to paste)
# Configure addresses only if the eth0 interface exists
if [ -e /sys/class/net/eth0 ]; then
   ifconfig eth0 10.107.88.69 netmask 255.255.255.224
   route add default gw 10.107.88.65
   ifconfig eth1 1.1.1.1 netmask 255.255.255.0
   ifconfig eth2 4.4.4.1 netmask 255.255.255.0
fi

Running OSPF in Slax using Zebra

Source: openmaniak.com, techrepublic.com

Slax v0.4 was used for below steps:

Log into Quagga directory

root@10:~# cd /etc/quagga/
root@10:/etc/quagga# ls
bgpd.conf.sample  bgpd.conf.sample2  ospf6d.conf.sample  ospfd.conf.sample  ripd.conf.sample  ripngd.conf.sample  vtysh.conf.sample  zebra.conf.sample

Copy the sample files to create new config files for zebra & ospfd

Zebra.conf is used to declare interfaces
ospfd.conf is used for OSPF configuration
root@10:/etc/quagga# cp zebra.conf.sample zebra.conf
root@10:/etc/quagga# cp ospfd.conf.sample ospfd.conf

Edit the zebra.conf file as below:

! -*- zebra -*-
!
! zebra sample configuration file
!
! $Id: zebra.conf.sample,v 1.1 2002/12/13 20:15:30 paul Exp $
!
hostname Router
password zebra
enable password zebra
!
! Interface's description.
!
!interface lo
! description test of desc.
!
interface eth1
ip address 2.2.2.1/24
! multicast
!
interface eth2
ip address 3.3.3.1/24
!
! Static default route sample.
!
!ip route 0.0.0.0/0 203.181.89.241
!

log file /var/log/zebra.log

Edit the ospfd.conf file as below:

! -*- ospf -*-
!
! OSPFd sample configuration file
!
!
hostname ospfd
password zebra
enable password zebra
!
router ospf
  network 2.2.2.0/24 area 0
  network 3.3.3.0/24 area 0
!
log stdout

Now start the zebra process using below script:

root@10:/etc/quagga# /etc/rc.d/rc.zebra start
Starting Zebra daemon: /usr/sbin/zebra -d
Starting OSPF daemon with OSPF-API enabled: /usr/sbin/ospfd -a -d

If you are not able to telnet to the routers, check the log file below for a directory-related error:

root@10:/etc/quagga# cat /var/log/zebra.log
2017/05/17 10:54:42 ZEBRA: Can't create pid lock file /var/run/quagga/zebra.pid (No such file or directory), exiting

If you see the same error, create the quagga directory:

root@10:/etc/quagga# mkdir /var/run/quagga

Now restart the Zebra process

root@10:/etc/quagga# /etc/rc.d/rc.zebra restart
Stopping quagga daemons
Starting Zebra daemon: /usr/sbin/zebra -d
Starting OSPF daemon with OSPF-API enabled: /usr/sbin/ospfd -a -d

Now you should be able to see the Zebra process running:

root@10:/etc/quagga# cat /var/log/zebra.log
2017/05/17 10:54:42 ZEBRA: Can't create pid lock file /var/run/quagga/zebra.pid (No such file or directory), exiting
2017/05/17 10:55:17 ZEBRA: Zebra 0.99.11 starting: vty@2601

Port Information for routing Daemons:

zebra:  2601
ripd:   2602
ripng:  2603
ospfd:  2604
bgpd:   2605
ospf6d: 2606		

Now you should be able to log into both the Zebra and OSPF routers:

root@10:/etc/quagga# telnet localhost 2601
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.11).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password:
Router>
Router>
Router> exit
Connection closed by foreign host.
root@10:/etc/quagga#
root@10:/etc/quagga#
root@10:/etc/quagga# telnet localhost 2604
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.11).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password:
ospfd>
ospfd>
ospfd> exit
Connection closed by foreign host.
root@10:/etc/quagga#

To autostart Zebra at startup, edit below file and paste:

vim /etc/rc.d/rc.local
#Start Zebra
/etc/rc.d/rc.zebra start
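
The zebra.conf and ospfd.conf above keep the sample password zebra, and rc.zebra starts both daemons without a vty bind address, so the telnet ports listed above accept that password from any host that can reach them. The audit script below is an added example, not part of the original page or of Quagga; the finding codes, the ACL name VTY-MGMT and the hash strings are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a Quagga daemon config and start command for the weak
# vty settings used in this lab. Finding codes are made up for this script.
audit_quagga_conf() {   # $1 = zebra.conf / ospfd.conf; prints one finding per line
    awk '
        function check(word, extra, kind) {
            if (word == "8" && extra > 0) return    # "password 8 <hash>" is encrypted
            plain = 1
            if (word == "zebra")
                print "DEFAULT_PASSWORD " kind " password is the sample value \"zebra\""
        }
        /^[ \t]*[!#]/ { next }                      # comment lines
        $1 == "service" && $2 == "password-encryption" { enc = 1 }
        $1 == "password"                   { check($2, NF - 2, "vty") }
        $1 == "enable" && $2 == "password" { check($3, NF - 3, "enable") }
        $1 == "access-class"               { acl = 1 }
        END {
            if (plain && !enc) print "PLAINTEXT_PASSWORD password stored in clear text"
            if (!acl)          print "NO_VTY_ACL no access-class under line vty"
        }
    ' "$1"
}

audit_daemon_cmdline() {   # $1 = command line as printed by rc.zebra
    addr=""; want=0
    for arg in $1; do      # unquoted on purpose: split the line into words
        if [ "$want" = 1 ]; then addr=$arg; want=0; continue; fi
        case $arg in       # upper-case -A is the vty bind address; ospfd -a is the API flag
            -A|--vty_addr) want=1 ;;
            --vty_addr=*)  addr=${arg#--vty_addr=} ;;
        esac
    done
    case $addr in
        ""|0.0.0.0|::) echo "VTY_ALL_ADDRESSES ${1%% *}: vty listens on every address" ;;
    esac
}

# Constructed samples: the ospfd.conf from this page and a tightened variant
# (hash strings and the ACL name VTY-MGMT are placeholders).
sample_dir=$(mktemp -d)
cat > "$sample_dir/ospfd.conf" <<'EOF'
hostname ospfd
password zebra
enable password zebra
!
router ospf
  network 2.2.2.0/24 area 0
  network 3.3.3.0/24 area 0
!
log stdout
EOF
cat > "$sample_dir/ospfd.hardened.conf" <<'EOF'
hostname ospfd
service password-encryption
password 8 CONSTRUCTEDHASH00
enable password 8 CONSTRUCTEDHASH01
router ospf
  network 2.2.2.0/24 area 0
access-list VTY-MGMT permit 127.0.0.1/32
line vty
 access-class VTY-MGMT
EOF
audit_quagga_conf "$sample_dir/ospfd.conf"                    # three kinds of finding
audit_daemon_cmdline "/usr/sbin/ospfd -a -d"                  # one finding
audit_quagga_conf "$sample_dir/ospfd.hardened.conf"           # no output
audit_daemon_cmdline "/usr/sbin/ospfd -a -d -A 127.0.0.1"     # no output
```
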

Juniper NSM

   Performance of NSM is extremely low in a Virtual Machine. It is very slow to boot.

Source: Packetfail

To install Juniper NSM 2012.2R9 in VirtualBox, you need the following:

1. Create a VM in Virtualbox with at least 2.5GB free RAM & 25GB HDD space.

2. Download the following files:

CentOS-6.6-i386-minimal.iso
nsm2012.2R9_servers_linux_x86.sh
nsm2012.2R9-systemupdate-linux.zip

3. Install CentOS in the VM by mounting above ISO file. On the customize selection page, ensure everything but ‘base’ is unchecked. Reboot after installation:

sudo reboot

4. Disable iptables

/etc/init.d/iptables stop
chkconfig --level 12345 iptables off
/etc/init.d/ip6tables stop
chkconfig --level 12345 ip6tables off

5. Update the system to appear to be RHEL5

vi /etc/redhat-release

Delete everything & paste:

"Redhat Enterprise Linux Server release 5"

6. Disable selinux:

vi /etc/selinux/config
Set SELINUX=permissive

7. Move the two NSM related files to VM. Unzip the systemupdate file and remove the archive for ES5, and extract the archive for ES6:

yum install gnupg rsync xorg-x11-font-utils vim http
sh /var/tmp/es5/rhes6.sh

8. Unzip the NSM installer and there will be a very large .sh script

sh /var/tmp/nsm2012.2R9_servers_linux_x86.sh -niAPPLIANCE=n

9. Note all the passwords. Also set the super user's password, as it will be required for client login. In case the password is not known or set, stop all services and run the following command to set the password to "netscreen":

/usr/netscreen/GuiSvr/utils/.xdbUpdate.sh /usr/netscreen/GuiSvr/var/xdb admin 1 0 /__/password "glee/aW9bOYEewkD/6Ri8sHh2mU="

10. Open a web browser to https://x.x.x.x:8443 and download the client.

Note
  • Mount ISO Files:
mount /dev/cdrom /mnt/cdrom
  • Enable network interfaces on bootup:
vi /etc/sysconfig/network-scripts/ifcfg-eth0


Juniper Space

Source: rtoodtoo.net

  • Download the latest ova image(Space-14.1R2.9) from juniper.net
  • Download the Security Director(14.1R2.6) release compatible with the platform release from juniper.net
  • Deploy the Space Platform OVA file as usual like any other VM.
  • 8GB RAM is required for the VM.
  • Power on the VM and get into the console. Credentials are admin:abc123. Change the password.
  • Then accept the default installation type Space Platform.
  • Configure the network settings.
  • Now set the GUI IP address and NTP server.
  • Then type the display name. This is used as the fabric node name.
  • Set maintenance password which is used for upgrade and other maintenance operations. It is different than admin password.
  • Once the changes are applied, the daemons will be restarted; this will take some time to complete.
  • Choosing option 7 and providing the admin password will drop you to the Linux shell.
  • Now SSH connection to the Box will be successful.
  • Web user is super and initial default password is juniper123.

Deploying Security Director

To deploy Security Director, go to Administration -> Applications -> Add Application. Then select “Upload via HTTP” and upload the Security Director image you downloaded. A job will be created, and the application name (Security Director) will appear in the list after a while. Once it appears, click Install. Once it finishes, there will be 3 new applications. From the left drop-down list, select Security Director to switch to SD’s screen.

Juniper UAC

Please follow the following steps:

  1. Download DTE or SPE edition for KVM or VMWare from juniper.net
  2. Unzip the Zip file.
  3. Install VMPlayer.
  4. Select the Open VM option.
  5. Browse to the unzipped folder location & select the OVF file.
  6. Start the VM.
  7. Follow on screen instruction to start the UAC.
  8. Open https://x.x.x.x/admin to open the WebUI of the UAC.

Note:

DTE: Demonstration and Training Edition
SPE: Service Provider Edition

WAN Emulator

Tutorial: openmaniak.com

  • Download WANem ISO file from Sourceforge.net.
  • Create a VM with around 640MB RAM.
  • Add 1 or 2 Network Interfaces depending upon your scenario.
  • Mount the ISO in VM.


Scenario 1 - Client and Server in Single Subnet
  • Add a single Network Interface to VM.
  • Boot the machine.
  • Press n for the DHCP prompt.
  • Select eth0 Interface and assign it the IP & Gateway addresses.
  • Run this command on Client
route add 192.168.1.1 mask 255.255.255.255 192.168.1.3
  • Run this command on Client
route add 192.168.1.2 mask 255.255.255.255 192.168.1.3
Scenario 2 - Client and Server are in different Subnets
  • Run this command on Client
route add 10.1.1.2 mask 255.255.255.255 192.168.1.3
  • In WANem console enable NAT on the desired network interface
nat add eth0
  • Confirm NAT by this command
nat show
Managing WANem
WANem WebUI
  • Access the VM WebUI at

http://192.168.1.3/WANem

  • There are two modes
Basic mode    - Simple WAN Emulator with Bandwidth and Delay features
Advanced mode - Contains more complicated features like Loss, Jitter, Duplication, Reordering, Corruption, etc
  • Jitter – Real networks show variation in delay.
  • If delay is 100ms and Jitter is set to 10 ms, the delay applied is 100 + 10 ms or 100 – 10 ms in random.
  • Correlation – It is a measure of the dependency of the delay applied on the next packet to that on the previous packet.
  • With a correlation value of 25% and delay and jitter of 100 ms and 10 ms respectively, the delay applied to the next packet is 100 (+/-) 10 ms, depending 25% on the delay applied to the previous packet.
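
The jitter and correlation rule above can be tried out offline. The script below is an added example, not WANem's own code: it assumes a simplified model in which each packet's offset blends a fresh uniform sample with the previous packet's offset, weighted by the correlation, and the function names are made up here.

```shell
#!/bin/sh
# Added example: simplified model (an assumption, not WANem code) of the
# jitter/correlation rule. Each packet gets delay + jitter * x, x in [-1, 1];
# x blends a fresh uniform sample with the previous x, weighted by correlation.
simulate_delays() {   # delay_ms jitter_ms correlation_pct packets seed
    awk -v d="$1" -v j="$2" -v c="$3" -v n="$4" -v seed="$5" 'BEGIN {
        srand(seed); rho = c / 100; last = 0
        for (i = 0; i < n; i++) {
            fresh = 2 * rand() - 1                   # uniform in [-1, 1)
            last = (1 - rho) * fresh + rho * last    # pull toward previous packet
            printf "%.3f\n", d + j * last
        }
    }'
}

# Summarise a delay series: min, max and mean packet-to-packet change (ms).
summarise() {
    awk 'NR == 1 { min = max = prev = $1; next }
         { if ($1 < min) min = $1
           if ($1 > max) max = $1
           step = $1 - prev; if (step < 0) step = -step
           sum += step; prev = $1 }
         END { printf "%.2f %.2f %.2f\n", min, max, sum / (NR - 1) }'
}

# 100 ms delay, 10 ms jitter, 2000 packets, at three correlation settings.
for corr in 0 25 90; do
    printf 'correlation %3s%%: min max mean-step = ' "$corr"
    simulate_delays 100 10 "$corr" 2000 1 | summarise
done
```

In this model a higher correlation smooths the packet-to-packet change and also narrows the observed spread, because each delay is pulled toward the previous one.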

Persistence in WANem

Source: superuser.com
Source: ogris.de
  • Download WANem LiveCD ISO (3.0 beta 2)
  • Create a VM with following spec:
Hard Disk: 4GB
RAM: 384MB
CPU: 1
3 interfaces:  1 for mgmt(optional), 2 for traffic
  • Boot the VM
  • Open the terminal, you will get the below prompt:
WANemControl@PERC> 
  • Type the command to get the root shell access:
exit2shell
  • Run the command:
0wn
  • Click "Accept and Continue" twice to the warnings.
  • Leave "auto" selected for partitioning, click "OK"
  • Click "Yes" when prompted to start automatic partitioning (1GB of swap, 3GB for the root filesystem)
  • Click "Yes" when prompted to use all of /dev/sda
  • You will get "Automatic partitioning failed", but it actually succeeds (This is because it gets auto-mounted)
  • Leave /dev/sda2 selected and click "OK" when prompted to select a partition

0wn will now copy files to the disk (this will take a while).

  • Click "OK" when prompted to install Grub
  • Leave "mbr" selected and click "OK", then "Yes" to confirm
  • Click "Yes" to reboot the machine.
  • The VM will reboot, then you will see Grub, and boot process
  • Now you will get a WANemControl@PERC> prompt but no GUI or desktop
  • Or nothing will appear except for the cursor.
  • Whether you see the prompt or not, type the following command to get the persistent VM:
startx

Persistence of WANem Config

  • Perform the WANem config from WebUI
  • Save the WANem Config file as "netenstate.txt"
  • Edit rc.local file:
vim /etc/rc.local
  • Add the following line:
/etc/startup.sh
  • Now edit this file
vim /etc/startup.sh
  • Copy & paste the commands from the above saved "netenstate.txt" file to this script file
  • In case you want to have a GUI desktop by default add below command to the end
startx
  • Make this file executable:
chmod +x /etc/startup.sh
  • Reboot to test the config

Network Mode

Bridge setup
  • Edit /etc/network/interfaces and add the following lines:
auto br0
iface br0 inet static
       address 192.168.0.20
       netmask 255.255.255.0
       gateway 192.168.0.1
       bridge_ports all
       bridge_fd 0
       bridge_stp off
  • Now you need to restart the Networking service at startup to bring the br0 up:
cd /root/.config/autostart/
vim NWRestart.desktop
  • Type in the below lines:
[Desktop Entry]
Type=Application
Name=Network-Restart
Exec=service networking restart
Icon=
Comment=
X-GNOME-Autostart-enabled=true
Routing setup
  • If you want to run WANem as a router, do not add the above config regarding br0 to /etc/network/interfaces. Instead insert the following lines:
auto eth0
iface eth0 inet static
        address 192.168.0.20
        netmask 255.255.255.0
        gateway 192.168.0.1
auto eth1
iface eth1 inet static
        address 192.168.1.20
        netmask 255.255.255.0
  • Now to enable IPv4 Forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
  • Now you need to enforce this forwarding on startup:
cd /root/.config/autostart/
vim sysctl.desktop
  • Type in the below lines:
[Desktop Entry]
Type=Application
Name=SysCtl
Exec=sysctl -p
Icon=
Comment=
X-GNOME-Autostart-enabled=true



WanEM alternative

Related: cyberciti.biz

In case you do not want to run a dedicated VM for Wan Emulator, run the below commands on any existing Linux Machine e.g. Slax Router:

vim /etc/rc.d/rc.local
sudo /sbin/tc  qdisc add dev eth1 root handle 1: netem  delay 20ms 4ms 25% reorder 1% 25% loss 2% 25% duplicate 1% 25% corrupt 2%
sudo /sbin/tc  qdisc add dev eth1 parent 1:1 handle 10: htb default 1 r2q 10
sudo /sbin/tc  class add dev eth1 parent 10: classid 0:1 htb rate 2097kbit ceil 2097kbit

Slax Router does not have the sudo command, so remove it:

/sbin/tc  qdisc add dev eth2 root handle 1: netem  delay 20ms 4ms 25% reorder 1% 25% loss 1% 25% duplicate 1% 25% corrupt 1%
/sbin/tc  qdisc add dev eth2 parent 1:1 handle 10: htb default 1 r2q 10
/sbin/tc  class add dev eth2 parent 10: classid 0:1 htb rate 2097kbit ceil 2097kbit

Tiny Core Linux

A Linux VM which will act as a minimal PC for Networking Labs.
An absolute minimum of RAM is 46 MB.
A recommended configuration - Pentium 2 or better, 128 MB of RAM + some swap.
If you want the VM to have IP address temporarily assigned only or want it to use DHCP for IP address, you can directly boot the ISO file in the VM.
But if you want the VM to retain the IP address persistently, then follow the below process.

  • Download the CorePlus(~86 MB)ISO file from tinycorelinux.net
  • Create a new VM with 256MB RAM.
  • Install the OS from the ISO.
  • Boot into the VM.
  • Edit bootlocal.sh file:
vi /opt/bootlocal.sh
  • Add following lines:
sleep 5
sudo ifconfig eth0 1.1.1.2 netmask 255.255.255.0 broadcast 1.1.1.255
sudo route add default gw 1.1.1.1
sudo echo nameserver 4.2.2.2 > /etc/resolv.conf
  • Save changes to disk:
sudo filetool.sh -b
  • Reboot


Installing Packages

Source: tinycorelinux.net

You can install packages using below command

tce-load -wi pkg

Install Iperf3:

tce-load -wi iperf3

To search for available packages:

tce-ab 

You can get list of available packages from these links:

ftp://distro.ibiblio.org/tinycorelinux/
ftp://distro.ibiblio.org/tinycorelinux/8.x/




