Portable Secure Network

(draft)

This Portable Secure Network design creates a high-grade secure network for meetings. It was developed for a group that needs a Network Security Testing Lab but can be adapted to any purpose where a trusted network is useful to have at your meeting site.

Each meeting organizer keeps a kit that will create a complete network. This serves multiple purposes.

  • Development - Any organizer can prepare for the meeting using their copy of the network.
  • Redundancy - If an organizer can't make it to the meeting, the network can still be created.
  • Expandability - On meeting day, gear from multiple kits can be combined to expand capacity.

Internet Connection

The Internet connection can be any type. Wired, wireless, or cellular will all work. Multiple Internet connections can be combined if your router has Multi-WAN capability. VPN service can be used if the upstream network is untrusted.

Note: An Internet connection isn't strictly necessary for a Network Security Lab meeting, but it provides a way for attendees to look up information.

Router

A router provides DHCP and DNS services. It also provides an Internet gateway if there's an Internet connection.

Ideally the network's router is a powerful one that can create multiple LANs and has IDS capability. pfSense, IPFire, OPNsense, and other router distributions are well-suited to this purpose.

Example router: Core i5 retired corporate desktop with 4+ GB of RAM and Intel server-grade network adapters running pfSense.

Minimally the router can just be a good consumer router running third-party firmware (DD-WRT, Tomato, OpenWRT, Merlin-wrt).

Example consumer router: Netgear WNDR4300 V1 running DD-WRT.

Backbone Switch (a.k.a. Core Switch)

A managed Gigabit switch serves as the backbone or core switch. This switch should be as high-grade as possible within your budget constraints.

Devices that connect to the core switch are:

  • Router
  • Server(s)
  • Switches for Client Hosts
  • SIEM (optional)

Example core switch: Zyxel GS1900-16 16-port business-grade "smart managed" switch.

Servers

Any type of intranet server can be connected to the backbone switch. A Network Security Lab might have a webserver to serve information, an FTP server to serve files, and some vulnerable servers running as virtual machines.

Switches for Client Hosts

"Client Hosts" in this context means attendees' laptops.

Switches for client hosts use one port for an uplink to the Backbone Switch and many ports for client laptop connections. They need to be located somewhere in the room where attendees can connect their laptops to them.

It's important to avoid cascading (daisy-chaining) of switches. Connect all Client Host Switches, including wireless access points, directly to the backbone switch.

Example switch for hosts: Cisco 2960 26-port switch (2960 on eBay). These inexpensive switches have Gigabit ports for uplinking to the backbone switch and 24 Fast Ethernet ports for client hosts. That works out perfectly.

Wireless Access Points

Wireless Access Points are essentially switches, so they fall into the Client Host Switch category, meaning they connect to the Backbone Switch rather than to another Client Host Switch. Think of a WAP as a switch that converts a wired connection to wireless.

Any consumer wireless router running third-party firmware can be converted into a basic WAP. Fancier WAPs managed by a controller would work better.

For most Security Testing Lab purposes wireless should be avoided entirely, or at least on the main LAN where security tools are being used. Create a separate LAN and enable Wireless Client Isolation on the WAP if Guest Wireless is needed.

Monitoring Host

Traffic on ports connected to the backbone switch can be mirrored to a port where a SIEM host is listening. A SIEM (pronounced "sim") is a Security Information and Event Management system. It's obviously optional.

Much of what a SIEM would do can be done by good router software.

Power Distribution

You'll need enough cords and power strips to provide outlets for the gear and attendees' laptops.

[...]


Internet-Access-Only Meetings

Page last modified on June 16, 2017