VMware Workstation is a powerful desktop virtualization product that can run Windows virtual machines, Linux virtual machines, and even network operating systems such as Cisco ASA and Juniper SRX. Its host-only virtual network adapters (VMnet) let you create separate network segments on a single physical machine, which makes it a convenient basis for a test platform. What follows is a security testing platform built on VMware with Linux systems and a Juniper SRX, simulating the Internet on one side and the company's internal network on the other. The Linux side also runs DVWA (Damn Vulnerable Web Application), a deliberately vulnerable web application for practising XSS, SQL injection and so on; how to exercise DVWA itself is not covered here, see its official website http://www.dvwa.co.uk/. The structure of the experiment is as follows:
[Figure: topology of the experiment: https://s4.51cto.com/wyfs02/M02/A6/2F/wKioL1nKY0DA8ewqAAD-omW2EAs376.png]
This architecture is relatively simple, with a Juniper SRX firewall in the middle (note: all experiments are built and tested using virtual machines). I used the Cisco ASA firewall for more than 10 years, and I always felt the Cisco ASA firewall was very impressive; but since the upgrade from the 7.x versions to version 8.4, all I can say about the Cisco firewall is fuck. Little J (Juniper) feels more logical to me, a bit like a modular configuration, and very easy to get started with; of course when it comes to Little J I am still a newbie, still struggling up the learning curve.
Experimental requirements:
The architecture is divided into a trust (inside) zone, 172.16.100.0/24, and an untrust (outside) zone, 10.133.83.0/24.
Users in the trust (inside) zone are internal users; they may reach the Internet only through NAT, and only on ports 80 and 443; everything else is denied.
Users in the untrust (outside) zone are Internet users; they may reach the internal server only through NAT, and only on ports 80 and 443; everything else is denied.
This experiment is mainly meant to show how VMware can be used to build platforms of this kind; the firewall configuration itself is simple.
The implementation is straightforward: create two new host-only networks in VMware, as shown:
[Figure: the two host-only networks in the VMware Virtual Network Editor: https://s1.51cto.com/wyfs02/M00/A6/30/wKioL1nKZ5OyonygAABSHhFkdDI927.png]
Three Linux virtual hosts were created: two belong to the Internet side and one to the company's internal network. The Internet-side hosts' network cards are attached to VMnet4 (172.16.100.0/24) and the internal host's network card to VMnet8. Each host's gateway points to the default IP that VMware assigns to the corresponding host-only adapter on the physical machine, for example 172.16.100.1 on VMnet4. One caveat for anyone reproducing this: the host-only adapter on the physical machine is not a router between VMnets, so for traffic to actually traverse the SRX the address the hosts use as their gateway must be the SRX interface on that segment (either give the SRX the .1 address and move the host adapter elsewhere in the Virtual Network Editor, or point the hosts at the SRX's own address).
A Juniper SRX firewall host was built with one network card connected to VMnet4 and the other to VMnet8.
The internal server runs a WWW service hosting two sites, cacti and DVWA. Since this platform is only used for testing, Apache was not tuned or hardened in any way.
[Figure: the internal web server's sites: https://s1.51cto.com/wyfs02/M01/07/7E/wKiom1nKaxDQpw5HAAAL0pZT9Gw635.png]
Simple firewall NAT configuration
[Figure: SRX NAT configuration: https://s3.51cto.com/wyfs02/M00/07/7E/wKiom1nKbRuwhJxbAACXVc_wf_Q775.png]
Firewall policy settings
[Figure: SRX security policy configuration: https://s1.51cto.com/wyfs02/M01/A6/30/wKioL1nKbVuAlPTTAABAjMnkIDA740.png]
[Figure: SRX security policy configuration (continued): https://s2.51cto.com/wyfs02/M00/07/7E/wKiom1nKbdmgUiE2AABH2JsTMeE394.png]
Firewall routing settings
[Figure: SRX routing configuration: https://s5.51cto.com/wyfs02/M02/07/7E/wKiom1nKbjqT3KqcAAAZ-XDLFec411.png]
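The NAT, policy and routing screenshots above are not reproduced as text, so here is an added Junos `set`-style configuration that implements the two requirements stated earlier (inside users out via NAT on 80/443 only; outside users in via NAT to the internal server on 80/443 only). It is an example written for this page, not the author's own configuration. Everything not given on the page is an assumption: the interface names ge-0/0/0 (untrust) and ge-0/0/1 (trust), the SRX addresses 10.133.83.2 and 172.16.100.2, the internal web server at 172.16.100.10, the upstream next hop 10.133.83.1 and the syslog server at 172.16.100.20. Note that security policies on the SRX are evaluated after destination NAT, so the untrust-to-trust policy matches the real server address, not the public one.

```junos
# Interfaces and zones (interface names and SRX addresses are assumptions)
set interfaces ge-0/0/0 unit 0 family inet address 10.133.83.2/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.100.2/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh

# Routing: anything not directly connected goes out to the simulated Internet
set routing-options static route 0.0.0.0/0 next-hop 10.133.83.1

# Address objects (global address book; Junos 11.2 or later)
set security address-book global address internal-net 172.16.100.0/24
set security address-book global address web-server 172.16.100.10/32

# Source NAT: inside users leave with the SRX untrust interface address
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snat-inside match source-address 172.16.100.0/24
set security nat source rule-set trust-to-untrust rule snat-inside then source-nat interface

# Destination NAT: 10.133.83.2 ports 80 and 443 are forwarded to the internal web server
set security nat destination pool web-server-pool address 172.16.100.10/32
set security nat destination rule-set untrust-to-trust from zone untrust
set security nat destination rule-set untrust-to-trust rule dnat-http match destination-address 10.133.83.2/32
set security nat destination rule-set untrust-to-trust rule dnat-http match destination-port 80
set security nat destination rule-set untrust-to-trust rule dnat-http then destination-nat pool web-server-pool
set security nat destination rule-set untrust-to-trust rule dnat-https match destination-address 10.133.83.2/32
set security nat destination rule-set untrust-to-trust rule dnat-https match destination-port 443
set security nat destination rule-set untrust-to-trust rule dnat-https then destination-nat pool web-server-pool

# Policy trust -> untrust: only HTTP and HTTPS out, logged; everything else falls to the default deny
set security policies from-zone trust to-zone untrust policy outbound-web match source-address internal-net
set security policies from-zone trust to-zone untrust policy outbound-web match destination-address any
set security policies from-zone trust to-zone untrust policy outbound-web match application junos-http
set security policies from-zone trust to-zone untrust policy outbound-web match application junos-https
set security policies from-zone trust to-zone untrust policy outbound-web then permit
set security policies from-zone trust to-zone untrust policy outbound-web then log session-close

# Policy untrust -> trust: evaluated after DNAT, so the destination is the server's real address
set security policies from-zone untrust to-zone trust policy inbound-web match source-address any
set security policies from-zone untrust to-zone trust policy inbound-web match destination-address web-server
set security policies from-zone untrust to-zone trust policy inbound-web match application junos-http
set security policies from-zone untrust to-zone trust policy inbound-web match application junos-https
set security policies from-zone untrust to-zone trust policy inbound-web then permit
set security policies from-zone untrust to-zone trust policy inbound-web then log session-init
set security policies from-zone untrust to-zone trust policy inbound-web then log session-close

# Explicit default deny (unmatched traffic is dropped anyway; stating it keeps the intent visible)
set security policies default-policy deny-all

# Send RT_FLOW session logs to a syslog server on the inside (address assumed)
set security log mode event
set system syslog host 172.16.100.20 any any

# After "commit", useful checks from the SRX CLI:
#   show security policies hit-count
#   show security nat source rule all
#   show security nat destination rule all
#   show security flow session destination-port 80
```

Paste the block with `load set terminal` (or `load set` from a file) in configuration mode, then `commit check` before `commit`. The two policies plus `default-policy deny-all` are what enforce the "everything else is denied" half of the requirements; the NAT rules only translate addresses and do not permit anything by themselves.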
With the environment in place, any number of commands can be used to test reachability, for example Nmap to check that port 80 is open and curl to check that the site is served normally. I built this platform only for DVWA testing, so the tools in Kali Linux can be used to play an Internet user and test the company website for security vulnerabilities, for example sqlmap to test the platform for SQL injection and hping3 to put load on the link. For example:
[Figure: testing the platform from Kali Linux: https://s4.51cto.com/wyfs02/M02/A6/30/wKioL1nKb8exg5v8AABOuzefIGg616.png]
Why put a Juniper firewall in the middle at all? Besides doing a firewall's job, it lets me watch the traffic on the firewall and write logs to a log server for observation; mainly, of course, it is to get familiar with Little J's configuration.
In the end, the VMware platform is powerful enough to build and test whatever architecture you want. Two server test platforms I built a long time ago are shown below: the first architecture uses only one host-only network, the second uses five.
[Figure: earlier test platform using one host-only network: https://s3.51cto.com/wyfs02/M01/A6/30/wKioL1nKccqyLKeSAAQxxGLcJP8704.png]
[Figure: earlier test platform using five host-only networks: https://s5.51cto.com/wyfs02/M00/A6/30/wKioL1nKcfDhAVHBAARM8mCB0Qc408.png]
This article is from the "unintentional injury" blog; please keep this source when reposting: http://arckyli.blog.51cto.com/13756/1969000
VMware + JunOS + Linux: building a security test platform