Introduction
In today’s hyper‑connected world, network security is no longer a luxury—it’s a fundamental requirement for any organization that wants to protect its data, maintain trust, and stay compliant with regulations. Lab 19‑1 of the Live Virtual Machine (LVM) series gives students a hands‑on environment to implement and test core network security measures on a virtual network that mimics a real‑world enterprise. That said, by the end of the lab, participants will have configured firewalls, hardened host operating systems, deployed intrusion detection/prevention systems (IDS/IPS), and verified that traffic flows securely across segmented subnets. This article walks through every step of the lab, explains the underlying concepts, and provides practical tips that you can apply to your own networks Most people skip this — try not to..
Lab Overview
| Component | Purpose | Key Tools |
|---|---|---|
| Virtual Machines (VMs) | Simulate servers, workstations, and security appliances | VMware Workstation / VirtualBox |
| Virtual Switches | Create isolated LAN segments (DMZ, internal, management) | vSwitch, VLAN tagging |
| Firewall | Enforce packet‑filtering rules between zones | pfSense, iptables |
| IDS/IPS | Detect and block malicious traffic | Snort, Suricata |
| Hardening Scripts | Apply baseline security configurations | CIS Benchmarks, PowerShell DSC, Ansible |
| Monitoring | Collect logs and generate alerts | ELK stack, Syslog-ng |
The lab follows a progressive approach: start with a baseline insecure network, introduce security controls one by one, and finally test the effectiveness of each control using simulated attacks.
Step‑by‑Step Implementation
1. Build the Virtual Topology
-
Create three virtual switches:
- VLAN 10 – Management (only for admin workstations and the firewall console)
- VLAN 20 – Internal (corporate workstations, file servers)
- VLAN 30 – DMZ (web server, public‑facing services)
-
Deploy the following VMs:
- FW‑01 – pfSense firewall with three NICs (one per VLAN)
- WEB‑01 – Apache web server in the DMZ
- DB‑01 – MySQL database server in the Internal network
- WS‑01 – Windows 10 workstation (internal)
- ADMIN‑01 – Linux admin workstation (management)
-
Assign static IPs according to the subnet plan:
- Management: 10.0.10.0/24
- Internal: 10.0.20.0/24
- DMZ: 10.0.30.0/24
-
Enable inter‑VM communication only through the firewall; disable any direct switch‑to‑switch bridging.
2. Configure the Perimeter Firewall
a. Basic Interface Setup
# pfSense CLI commands (simplified)
ifconfig em0 10.0.10.1/24 up # Management
ifconfig em1 10.0.20.1/24 up # Internal
ifconfig em2 10.0.30.1/24 up # DMZ
b. Default‑Deny Policy
- Set WAN → LAN and LAN → WAN to deny by default.
- Create explicit allow rules for required services only (e.g., HTTP/HTTPS from Internet to DMZ, SSH from Management to firewall).
c. Zone‑Based ACLs
| Source Zone | Destination Zone | Allowed Services |
|---|---|---|
| Management | All | SSH, HTTPS, SNMP |
| Internal | DMZ | HTTP, HTTPS |
| DMZ | Internal | MySQL (port 3306) – only for web‑app backend |
| Internet | DMZ | HTTP (80), HTTPS (443) |
3. Harden Host Operating Systems
a. Linux (WEB‑01, DB‑01)
- Apply CIS Benchmark Level 1 using
ansible-playbook harden.yml. - Disable unnecessary services (
telnet,ftp). - Enforce SSH key‑based authentication and change the default port to 2222.
- Enable SELinux in enforcing mode.
b. Windows (WS‑01)
- Install Windows Defender Exploit Guard and enable Controlled Folder Access.
- Set Password Policy: minimum length 14, complexity enabled, lockout after 5 failed attempts.
- Turn on BitLocker for full‑disk encryption.
4. Deploy Intrusion Detection & Prevention
- Install Snort on a dedicated VM (IDS‑01) attached to a SPAN port of the internal switch.
- Configure rule sets:
- ET Open for emerging threats.
- CIS‑IDS for compliance‑focused signatures.
- Enable Inline Mode (IPS) on the firewall using the
pfSense-pkg-snortplugin, directing suspicious packets to be dropped.
5. Centralized Logging & Monitoring
- ELK Stack (Elasticsearch, Logstash, Kibana) runs on LOG‑01.
- Forward syslog from all VMs to LOG‑01 (
/etc/rsyslog.confon Linux, Windows Event Forwarding). - Create dashboards for:
- Firewall rule hits
- IDS alerts by severity
- Authentication failures
6. Validate Security Controls
| Test | Tool | Expected Result |
|---|---|---|
| Port Scan (nmap) from Internet to Internal | nmap -Pn 10.0.20.0/24 |
No open ports reported |
| Brute‑force SSH on WEB‑01 | hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.0.30.10 |
All attempts blocked, logged in ELK |
| SQL Injection payload on web app | curl "http://10.0.30.10/login.php?user=' OR '1'='1" |
Request blocked by WAF rule (if added) or logged as IDS alert |
| Lateral movement attempt from WS‑01 to DB‑01 | `ping 10.0.20. |
If any test reveals a gap, revisit the corresponding rule or hardening step.
Scientific Explanation of Core Measures
Firewall Rule Processing
Firewalls evaluate packets sequentially from the top of the rule list. The first matching rule determines the action (allow or deny). This first‑match behavior is why a default‑deny stance—placing a blanket deny rule at the bottom—provides a safety net. Mathematically, the rule set can be expressed as a finite ordered set R = {r₁, r₂, …, rₙ}, where each rule rᵢ maps a tuple (src, dst, proto, port) to a Boolean action. The complexity of rule evaluation is O(n), but modern firewalls use hash tables and decision trees to approach O(log n) for large rule bases And it works..
IDS/IPS Signature Matching
Signature‑based IDS uses pattern matching algorithms such as Aho‑Corasick to scan packet payloads against a dictionary of known malicious strings. Even so, the algorithm builds a finite automaton that processes each byte in O(m + k) time, where m is the payload length and k is the number of matches found. This efficiency enables real‑time inspection even at gigabit speeds.
Host Hardening and Attack Surface Reduction
The attack surface can be quantified as the sum of all exposed services, open ports, and vulnerable code paths. Consider this: by applying CIS Benchmarks, you systematically reduce this surface area. If the original surface had S₀ services, and hardening removes ΔS, the new risk R can be approximated as R = (S₀ - ΔS) × V, where V is the average vulnerability severity. Take this: disabling telnet removes a cleartext credential vector, decreasing the probability P of successful remote exploitation. Hence, each eliminated service yields a linear reduction in overall risk.
Worth pausing on this one It's one of those things that adds up..
Frequently Asked Questions
Q1: Why use a virtual lab instead of a physical testbed?
A: Virtual environments are scalable, repeatable, and cost‑effective. Snapshots let you revert instantly after a failed configuration, and you can spin up multiple identical labs for a class without purchasing extra hardware.
Q2: Can I replace pfSense with a commercial firewall?
A: Absolutely. The concepts—zone‑based ACLs, default‑deny policy, and logging—are firewall‑agnostic. When migrating, map pfSense rules to the syntax of your vendor’s platform and verify rule order Worth keeping that in mind..
Q3: Is an IDS enough, or do I need an IPS?
A: An IDS detects and alerts; an IPS prevents by dropping malicious packets. For critical segments (e.g., DMZ), an IPS provides an additional layer of protection. Even so, false positives can disrupt legitimate traffic, so tune signatures carefully Less friction, more output..
Q4: How often should I update firewall and IDS signatures?
A: At least weekly for IDS/IPS rule sets, and daily for vulnerability patches on hosts. Automate updates via cron jobs or configuration management tools.
Q5: What’s the best way to monitor the health of the security controls?
A: Use a centralized SIEM (Security Information and Event Management) dashboard. Correlate firewall logs, IDS alerts, and host audit records to spot anomalies such as a sudden surge in denied connections Simple, but easy to overlook..
Conclusion
Lab 19‑1 of the Live Virtual Machine series delivers a comprehensive, hands‑on experience in implementing network security measures that mirror real‑world best practices. By constructing a segmented virtual network, applying a default‑deny firewall, hardening every host, deploying an IDS/IPS, and centralizing logs, students gain a holistic view of defense‑in‑depth. The scientific underpinnings—ordered rule evaluation, efficient signature matching, and quantitative attack‑surface reduction—show that security is both an art and a science.
The skills acquired here are directly transferable to production environments: you can replicate the VLAN layout, firewall policies, and hardening scripts on physical hardware or cloud‑based virtual networks. Beyond that, the lab’s iterative testing methodology—probing the network with scans, brute‑force attempts, and injection payloads—instills a mindset of continuous validation, which is essential for maintaining security posture over time Small thing, real impact. That alone is useful..
Worth pausing on this one.
Implementing these measures today not only shields your organization from current threats but also builds a resilient foundation for future security initiatives such as zero‑trust networking and automated threat hunting. Keep the lab alive, iterate on the configurations, and let the virtual machines become a sandbox where security concepts evolve from theory to mastery Most people skip this — try not to..
