Setting up a virtual lab for cybersecurity data science
“Giant Rabbit uses Carrot Smash. You take 9999 damage. Game over.”
“Aww! All right, this time I’ll get it for sure.”
“Do you want to reload your last save?”
Virtual machines have many advantages over their purely physical counterparts, most of which have nothing to do with avoiding attacks from rabbits with big pointy teeth. What they do have though is versatility, multiplication and my personal favorite — snapshots.
When it comes to setting up a test lab, you may have a number of different ideas you want to try out that, a few years ago, would have required a room full of PCs to manage. Now, however, you can run exactly the number of machines you need at any given time and keep the rest suspended until the need arises.
Today we’re going to go over just what it takes to set up a virtual lab for cybersecurity data science.
How do we run virtual machines?
There are dozens of different ways to create and run virtual machines, but they usually boil down to two methodologies: running virtual machines from your workstation or running them from a dedicated server. If you're just starting out and work primarily from your workstation, then programs such as VirtualBox, VMware Player and Hyper-V can be some of the best bang for your buck, running on top of Windows, Linux and Mac operating systems respectively (VirtualBox covers all three).
On the flip side, if you have enough dedicated hardware lying around to build a VM server, then VMware's ESXi is an option; it has a free version available with most of the standard features, but notably does not include clustering. Then there is Hyper-V Server, which as of 2019 also has a free variant that can run in a similar model to ESXi. Then again, you could also lease processing power from a cloud provider such as Azure, which is more than capable of running virtual machines remotely.
All of these possible options have their strengths and weaknesses, but they all share the same concept — being able to run multiple flavors of operating systems without having to wipe your host OS every time. Want to test out a new variant of Linux without creating boot media? Use a VM. Want to run an older version of Windows that doesn’t have new hardware support? Use a VM. Want to set up a target machine to run attacks against? Use a VM. Want to have a sealed-off test network that can’t actually talk to your production systems unless you actually choose to allow it? Definitely use VMs.
In fact, you can use a lot of VMs: the only limit on how many can be stored away for a rainy day is your available drive space. As for how many can be run at once, this is where having a large workstation or server comes in extremely handy. You can dial in exactly the resources each individual VM requires, and you can get away with a surprisingly low point of entry on modern hardware and operating systems. Just be sure to start on the low side and add resources as needed, because once VMs are given certain resources (memory and disk in particular), they don't give them up easily.
Starting out our initial build
For the sake of an example, let's say that we want to create a three-VM setup: one copy of Kali Linux for our toolset, one copy of Windows 7 and one of Windows 10, so that we can see whether a vulnerability we are examining on Windows 7 still works against Windows 10.
Because Kali Linux can be run in several different ways, we have three choices: run it as a live distro straight from the .iso image, where it runs in an effectively "read-only" state without touching the virtual hard disk (VHD); install it from the .iso to create a standard VM; or use one of the developer-provided OVA virtual machine image files. Many times, an OVA gives one of the most "as intended" experiences you can have in a virtual machine, as all of the virtual hardware comes with specific settings already set as defaults.
Regardless of the way you choose to install your three operating systems, eventually you’ll be at a point where you’re at the desktop and ready to begin. But what if we decide at a later time that we want to be able to come back to this exact point again? For that matter, what if we decide that we actually want to have 15 Windows 7 VMs and a dozen Windows 10s? We can do that.
If we decide that we are only going to roll back one virtual machine over and over again, we can take a snapshot of that particular VM and rewind to it whenever we wish, for any reason. This is not necessarily the best long-term solution, because a snapshot chain can cause the size of the VM on disk to balloon considerably, so snapshots are best kept to short-term use. For the long term, we'll want to create a template.
Why should we create templates?
A template is essentially a VM that is "locked", something we can then clone from over and over, as many times as we want. We'll need to adjust the machine name and IP settings of each clone of course, but those are trivial compared to setting up programs and particular tweaks just the way we want them. In VMware, all we have to do to convert a VM into a template is power it off, right-click and select Template → Convert to Template. This is also where we would create our own OVA templates for distribution if we so chose.
Once we have our template created, we can again right-click on the template and select “New VM from this Template.” On the flip side, if we already have a template and want to update it for one reason or another, we can easily convert it back and power it up within a matter of seconds.
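The same build, snapshot and clone workflow can be scripted rather than clicked through. The script below is an added example, not part of the original article: it uses VirtualBox's VBoxManage (the workstation option from earlier) to import the Kali OVA, create the two Windows base VMs from ISO on an isolated internal network, "seal" a finished base install under a snapshot, and stamp out linked clones from that snapshot, which is VirtualBox's closest equivalent to a VMware template. The ISO/OVA paths, VM names and the `lab-net` network name are placeholders and assumptions; `DRY_RUN=1` prints each command instead of running it so a build plan can be reviewed offline.

```shell
#!/bin/sh
# Added example (not from the original article): script the three-VM lab
# with VBoxManage.  Assumes VirtualBox is installed and that the ISO/OVA
# paths below are replaced with real ones (they are placeholders).
set -eu

LAB_NET="lab-net"   # internal network: VMs see each other and nothing else
KALI_OVA="${KALI_OVA:-/path/to/kali-linux.ova}"    # placeholder path
WIN7_ISO="${WIN7_ISO:-/path/to/windows7.iso}"      # placeholder path
WIN10_ISO="${WIN10_ISO:-/path/to/windows10.iso}"   # placeholder path

# Every VirtualBox call goes through here.  DRY_RUN=1 prints the command
# instead of executing it, so the plan can be reviewed (or tested) offline.
vbox() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'VBoxManage'
        for arg in "$@"; do printf ' %s' "$arg"; done
        printf '\n'
    else
        VBoxManage "$@"
    fi
}

# Create a base VM from an ISO, deliberately small (the article's advice:
# start low and add resources later).  Disk size is in MB.  The only NIC is
# on the internal network, so the VM cannot reach production systems.
create_base_vm() {
    name="$1"; ostype="$2"; iso="$3"
    vbox createvm --name "$name" --ostype "$ostype" --register
    vbox modifyvm "$name" --memory 2048 --cpus 2 \
        --nic1 intnet --intnet1 "$LAB_NET"
    vbox createmedium disk --filename "$name.vdi" --size 40000
    vbox storagectl "$name" --name SATA --add sata --controller IntelAhci
    vbox storageattach "$name" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$name.vdi"
    vbox storageattach "$name" --storagectl SATA --port 1 --device 0 \
        --type dvddrive --medium "$iso"
}

# Kali ships as an OVA with the virtual hardware already tuned, so importing
# it is the "as intended" route; we only move it onto the lab network.
import_kali() {
    vbox import "$KALI_OVA" --vsys 0 --vmname kali-lab
    vbox modifyvm kali-lab --nic1 intnet --intnet1 "$LAB_NET"
}

# Freeze a finished base install under a named snapshot.  Clones are taken
# from this snapshot, so the base VM plays the "locked" template role.
seal_base() {
    name="$1"; snap="${2:-clean}"
    vbox snapshot "$name" take "$snap" --description "post-install baseline"
}

# Linked clones share the base disk and store only their own deltas, which
# is why a dozen Windows 10s need not cost a dozen full installs of space.
clone_from_snapshot() {
    base="$1"; snap="$2"; new="$3"
    vbox clonevm "$base" --snapshot "$snap" --name "$new" --options link --register
}

# Stamp out N clones of a sealed base: win10-base -> win10-01 .. win10-NN
spawn_clones() {
    base="$1"; count="$2"; i=1
    while [ "$i" -le "$count" ]; do
        clone_from_snapshot "$base" clean "$(printf '%s-%02d' "${base%-base}" "$i")"
        i=$((i + 1))
    done
}

# Roll a VM back to its clean snapshot (the short-term "rewind" use case).
rewind_vm() {
    vbox controlvm "$1" poweroff || true
    vbox snapshot "$1" restore "${2:-clean}"
}

case "${1:-}" in
    bases)  import_kali
            create_base_vm win7-base  Windows7_64  "$WIN7_ISO"
            create_base_vm win10-base Windows10_64 "$WIN10_ISO" ;;
    seal)   seal_base "$2" ;;
    clones) spawn_clones "$2" "$3" ;;
    rewind) rewind_vm "$2" ;;
    *)      : ;;   # no subcommand: just define the functions
esac
```

Typical use is `sh lab.sh bases`, boot each Windows base and complete the installer and updates by hand, then `sh lab.sh seal win10-base` once it is at the desktop, and `sh lab.sh clones win10-base 12` for a dozen Windows 10 machines; `sh lab.sh rewind win10-01` throws away everything a clone has done since its clean snapshot. Each clone still needs its own machine name and IP settings, exactly as with a VMware template.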
Virtualization is an incredibly useful resource for training, testing and production. Being able to create a new system on the fly, without the hours spent getting it ready with driver installations and endless updates, is never to be discounted. On top of this, being able to get familiar with different environments without having to completely destroy your daily driver PC is unquestionably one of the most useful tools that I've ever had access to personally.
Whatever your situation, it can be improved by creating your own test lab where you can completely annihilate a server if you need to … and have it back in order in under a minute.