Updated on September 9, 2020 at 12:23 am
I’m always looking to optimize my network and test labs and such so I’ve taken my IoT test lab which used to be centered around a Mac Mini, a Netgear wireless router, a port mirroring switch and various VMs running on the Mac Mini, and properly virtualized it. Or maybe better virtualized it.
There are a several reasons this new setup should be better:
1) I can take advantage of the port mirroring feature of Hyper-V
2) I won’t need to mess with a port mirroring switch
3) I can utilize VLANs
4) I can spin up and spin down VMs on a proper server
So the new setup is fairly straightforward but does require some experience with the Sophos UTM, Windows Hyper-V and VLAN networking. The core components are listed below:
- Windows Hyper-V server
- Sophos UTM (Free for home use)
- Sophos AP 10 Wireless
- Cisco SG200-08 Managed Switch
Basically the whole setup revolves around a class C network and a VLAN (I’m using a VLAN to separate the test network from my core network) and it is put together as follows:
- As mentioned, you will need a VLAN network and mine is setup and controlled by my Sophos UTM. Technically, the Sophos UTM sees a regular class C network with the VLAN ID setting configured in Hyper-V, but the UTM does all the work; routing, DHCP, etc.
- Once the Sophos UTM is configured and connected to the proper VLAN through Hyper-V, other VMs can be spun up on the Hyper-V server and their VLAN settings configured to the proper VLAN ID.
- VMs you spin up can include testing tools such as a WebInspect VM or maybe a Nessus VM, but you will also want a VM, I use Kali, that you can set up as a man in the middle for network traffic, http traffic or other things you would like to intercept.
- You will also want a VM for packet capture using the Hyper-V port mirroring feature where you can throw packets from a source VM to a destination VM which is running tcpdump or whatever you like capturing packets with.
- So with the packet capture VM and the Kali VM set up for interception, this will give you multiple points within your test network to capture packets.
- With this setup, there will be a couple of ways you can direct your network traffic within the VLAN using the DHCP server for the VLAN. The first is to simply allow traffic out via the Sophos UTM as you would normally do in a scenario where the firewall is the gateway. The second way is to configure the DHCP server to tell clients to use the Kali VM as the gateway. You will need IP forwarding and iptables configured so that the VM can function properly as an intercepting VM.
- At this point if you are testing IoT devices you will want to get them connected to the test network in some fashion. I’m using a Sophos wireless AP that can be configured with multiple SSIDs and can be configured to operate on specific VLANs. Once you have a wireless AP configured properly, any devices connected wirelessly will be attached to the test network VLAN you have set up.
- So we currently have our VLAN configured, VMs spun up and a way to connect our wireless IoT devices to the network.
- We now need a way to connect wired IoT devices to the network and we will do that using a managed Cisco switch. Configuration is straightforward and we will simply need to configure one of the ports to have its default VLAN set to the same VLAN as our test network. Once configured, any wired devices connected through that port will be tagged with the proper VLAN and thus be connected to our test network.
Obviously you will be able to do more with this lab than just test IoT devices, but ultimately what you will have is an isolated test network to do whatever you like without having to worry about nuking your core network.