Cyber Security Lab: Free, Easy, At Home
Everyone has to start with the first steps in understanding the complex world of cybersecurity. In today’s digital landscape, where threats are ever-evolving, it’s essential to grasp how foundational defense mechanisms work to protect vulnerable applications. By diving into hands-on labs and real-world scenarios, we can learn how to deploy, configure, and optimize tools like Web Application Firewalls (WAFs), Intrusion Prevention Systems (IPSs), and Security Information and Event Management (SIEM) systems. These practical experiences lay the groundwork for mastering cybersecurity and emphasize the importance of integrating strong security practices from the development phase through deployment.
Architecture
Defense is the core of most security work. A comprehensive defense mechanism needs three capabilities:
- Monitoring — the collection and analysis of different metrics.
- Detection — the identification of potential threats or malicious activity.
- Response — the measures taken to prevent potential damage caused by a threat.
These elements apply to almost any information system. Consider this scenario: one or several web applications need to be defended. A firewall in front of them can monitor, detect, and block malicious traffic. However, a plain packet filter only sees addresses and ports, so application-layer attacks such as SQL injection call for more specific components working together with the firewall: an Intrusion Prevention System (IPS) that inspects the HTTP payload, and a Security Information and Event Management (SIEM) system that collects and correlates the resulting events.
An example of such a model might include the following components:
- PfSense — Firewall
- Suricata — IPS
- Squid Proxy — forward proxy for Trusted Zone clients, so that their outbound traffic leaves only through the firewall.
- Splunk — SIEM
- bWAPP — Example of a (deliberately vulnerable) web application
The environment can be set up using virtualization technology, Oracle VirtualBox in our case.
Web Application Firewall
First, the required machines should be set up. The image for PfSense can be downloaded from the official website: https://www.pfsense.org/download/. Then it is installed in VirtualBox as a BSD guest (PfSense is based on FreeBSD):
We will need two network adapters:
- Bridged Adapter — provides public Internet connectivity; in PfSense it is assigned as WAN.
- Internal Network — connects the Trusted Zone; in PfSense it is assigned as LAN.
After setup, it should look like this:
We obtained the IP address 192.168.0.200 for the WAN interface and 192.168.1.1 for the LAN interface. The LAN interface will act as the gateway for the rest of the components. PfSense provides routing functionalities as well as a DHCP server out of the box.
For our future needs, we need to enable additional services:
Squid Proxy — to provide proxy services.
Suricata — the IDS/IPS; it starts in detection (IDS) mode and is switched to prevention mode below.
Both packages can be installed from the built-in Package Manager. Additionally, remote logging must be enabled in the PfSense syslog settings so that the interface, firewall, and Suricata logs are forwarded to the SIEM (PfSense runs on FreeBSD and uses syslogd; there is no systemd).
Suricata
When configuring Suricata, we can enable some basic rule categories, such as those designed to detect SQL injection attempts:
…and, of course, switch the interface to prevention (blocking) mode. Until that is done the same rules only produce alerts and nothing is dropped:
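To make concrete what such a rule actually matches, here is an added example that is not from the original article and not from the Suricata or PfSense projects: an illustrative local rule written in Suricata syntax (its message, sid and classtype are assumptions for the example), plus a few lines of Python that reproduce the rule's matching logic on constructed HTTP request lines. The bWAPP paths and parameters in the sample requests are also assumptions. The point it demonstrates is that Suricata's http.uri buffer is the percent-decoded URI, so an encoded payload is matched just like a plain one, and that prevention is nothing more than the rule's action being drop instead of alert.

```python
import re
from urllib.parse import unquote

# Illustrative local Suricata rule (assumption made for this example; the sid is from the
# local 1000000+ range and the rule is not taken from the page or from a shipped ruleset).
# In inline IPS mode "drop" blocks the packet; an "alert" rule only logs it.
LOCAL_RULE = (
    'drop http $EXTERNAL_NET any -> $HTTP_SERVERS any ('
    'msg:"LOCAL SQLi UNION SELECT in HTTP URI"; flow:established,to_server; '
    'http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; '
    'classtype:web-application-attack; sid:1000001; rev:1;)'
)

# Constructed request lines; the bWAPP paths and parameter names are assumptions.
REQUESTS = {
    "benign":     "GET /sqli_1.php?title=Iron+Man&action=search HTTP/1.1",
    "plain":      "GET /sqli_1.php?title=x'%20UNION%20SELECT%201,2,3,4,5,6,7--%20- HTTP/1.1",
    "encoded":    "GET /sqli_1.php?title=x'%20%75nion%20%53ELECT%201,2,3,4,5,6,7--%20- HTTP/1.1",
    "union_only": "GET /blog.php?q=union%20station HTTP/1.1",
}


def rule_action(rule: str) -> str:
    """The first token of a rule is its action (alert, drop, pass, reject)."""
    return rule.split(None, 1)[0]


def set_action(rule: str, action: str) -> str:
    """Rewrite the action: switching a rule from alert to drop is what prevention mode means."""
    return action + rule[len(rule_action(rule)):]


def normalized_uri(request_line: str) -> str:
    """Suricata matches http.uri against the normalized URI, i.e. with percent-encoding
    decoded, so %55NION is seen as UNION. '+' is left alone, because libhtp's
    query-plusspace-decode option is off by default."""
    target = request_line.split()[1]
    return unquote(target)


def rule_matches(request_line: str) -> bool:
    """Mirror of: content:"UNION"; nocase; content:"SELECT"; nocase; distance:0
    SELECT must appear at or after the end of a UNION match, both case-insensitive."""
    uri = normalized_uri(request_line)
    return re.search(r"UNION.*SELECT", uri, re.IGNORECASE) is not None


def evaluate(requests=REQUESTS):
    """Map each constructed request to the action the rule would take on it."""
    action = rule_action(LOCAL_RULE)
    return {name: (action if rule_matches(line) else "no match")
            for name, line in requests.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:11s} {verdict:9s} {normalized_uri(REQUESTS[name])}")
```

The "encoded" request hides the keywords as %75nion and %53ELECT; a detector working on the raw URI would miss it, while Suricata's normalized buffer (and the example's normalized_uri) does not. The "union_only" request shows why the rule requires both keywords in order rather than a single one.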
Splunk
The next step is to set up the SIEM. First, a virtual machine (VM) with an operating system needs to be created. To simplify this process, you can use a ready-made VM image from OSBoxes. To conserve computing resources, the Lubuntu 22.04 image was selected. The network adapter should be set to Internal Network.
Splunk Enterprise was installed using the standard DEB package from the official download page: https://www.splunk.com/en_us/download/splunk-enterprise.html. The limits of the free license (500 MB of indexed data per day) are more than sufficient for this lab.
In PfSense (Status > System Logs > Settings, Remote Logging Options), enter the SIEM's address and syslog port as the remote log server and choose the log categories to forward. The new SIEM machine is assigned the IP address 192.168.1.2.
It is equally important to add a data input of type UDP in Splunk (Settings > Data Inputs > UDP), listening on the same port that PfSense sends to (514 is the syslog default):
However, the forwarded events arrive as raw syslog lines, so it is worth writing a parser that extracts the attacker, the target, and the rule message from each Suricata alert. A very simple parser, implemented as a Splunk custom streaming search command, might look like this:
import sys
import re
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators


@Configuration()
class ParseLogsCommand(StreamingCommand):
    """Streaming command: enrich each event with fields extracted from a Suricata alert line."""

    def stream(self, records):
        for record in records:
            raw_log = record.get('_raw', '')
            # "{TCP} src:port -> dst:port" is the tail of a Suricata alert forwarded over syslog
            match = re.search(r'\{TCP\}\s+(\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(\d+\.\d+\.\d+\.\d+):\d+', raw_log)
            # the rule message sits between "[gid:sid:rev]" and "[Classification: ...]"
            attack_match = re.search(r'\]\s+(.*?)\s+\[Classification', raw_log)
            if match:
                record['attacker_ip'] = match.group(1)
                record['target_ip'] = match.group(2)
            if attack_match:
                record['attack_name'] = attack_match.group(1)
            yield record


dispatch(ParseLogsCommand, sys.argv, sys.stdin, sys.stdout, __name__)
This Python file goes into the bin/ subdirectory of the app, $SPLUNK_HOME/etc/apps/suricata_parser/bin/, and the command is registered in the app's default/commands.conf (the stanza name is the name used in searches, and the splunklib package from the Splunk SDK for Python must be available to the app). More information about creating Splunk apps can be found here: https://dev.splunk.com/enterprise/docs/developapps/createapps/.
After properly creating the app, we can enable it in Splunk:
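The regular expressions above are hard to debug inside Splunk, so here is an added example, not part of the original article, that applies the same extraction stand-alone on constructed syslog lines in the format Suricata's syslog alert output uses. It goes a little beyond the app's parser: it accepts any protocol rather than only {TCP}, recognises the [Drop] prefix that Suricata adds in IPS mode, pulls out the sid, classification and priority, and counts alerts per attacker, target and rule, which is the compact view the SIEM search aims at. The sample lines, sids, IPs and timestamps are constructed for the example and are not real lab observations.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed lines in the shape Suricata's syslog alert output takes after pfSense forwards it
# (local-range sids, private IPs, made-up timestamps; none of these are real observations).
SAMPLE_LOGS = [
    "Mar 14 12:00:01 pfSense suricata[2231]: [Drop] [1:1000001:1] LOCAL SQLi UNION SELECT in HTTP URI "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.10:51234 -> 192.168.1.3:80",
    "Mar 14 12:00:02 pfSense suricata[2231]: [Drop] [1:1000001:1] LOCAL SQLi UNION SELECT in HTTP URI "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.10:51240 -> 192.168.1.3:80",
    "Mar 14 12:00:05 pfSense suricata[2231]: [1:1000002:1] LOCAL DNS query to watched domain "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.3:40111 -> 8.8.8.8:53",
    "Mar 14 12:00:09 pfSense suricata[2231]: [1:1000003:1] LOCAL ICMP echo sweep "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.0.10:0 -> 192.168.1.1:0",
    "Mar 14 12:00:12 pfSense php-fpm[345]: /index.php: Successful login for user 'admin' from: 192.168.1.2",
]

ALERT_RE = re.compile(
    r"(?:\[(?P<action>w?Drop)\]\s+)?"                  # "[Drop]"/"[wDrop]" prefix only in IPS mode
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"   # generator id, signature id, revision
    r"(?P<msg>.*?)\s+"                                 # rule msg, up to the classification
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"                     # any protocol, not only TCP
    r"(?P<src>[0-9A-Fa-f.:]+):(?P<sport>\d+)\s+->\s+"  # the port always follows the last colon,
    r"(?P<dst>[0-9A-Fa-f.:]+):(?P<dport>\d+)"          # so this also splits IPv6 addresses
)


@dataclass
class Alert:
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    dropped: bool  # True when Suricata reported the packet as dropped (IPS mode)


def parse_alert(line: str) -> Optional[Alert]:
    """Return the Alert carried by a forwarded syslog line, or None for non-Suricata lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return Alert(
        sid=int(m["sid"]), rev=int(m["rev"]), msg=m["msg"], classification=m["cls"],
        priority=int(m["prio"]), proto=m["proto"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        dropped=m["action"] is not None,
    )


def parse_lines(lines: List[str]) -> List[Alert]:
    """Parse a batch of syslog lines, skipping lines that are not alerts (filterlog, php-fpm, ...)."""
    return [a for a in (parse_alert(line) for line in lines) if a is not None]


def summarize(alerts: List[Alert]) -> Dict[Tuple[str, str, str], int]:
    """Count alerts per (attacker, target, rule message): the compact view the Splunk app produces."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for a in alerts:
        key = (a.src, a.dst, a.msg)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LOGS)
    for (src, dst, msg), n in summarize(parsed).items():
        print(f"{n:3d}  {src:15s} -> {dst:15s}  {msg}")
```

Two details matter in practice: a regex that anchors on {TCP}, as the app's parser does, drops every UDP, ICMP and IPv6 alert from the SIEM view, and the [Drop] prefix is the only thing in the line telling you whether the IPS actually blocked the attack or merely logged it.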
Web Application
The final step is to configure the target web application, which is bWAPP. A ready-made VM image can be found on VulnHub: https://www.vulnhub.com/entry/bwapp-bee-box-v16,53/. It should be deployed with only the Internal Network adapter and will be assigned the IP address 192.168.1.3.
Squid Proxy
Next, outbound requests from Trusted Zone clients should pass through the Squid proxy on the firewall, so that the trusted hosts never talk to the public Internet directly.
Squid can also intercept HTTPS with a CA certificate generated in the PfSense certificate manager. The proxy re-signs server certificates with that CA, so a client that does not trust it gets certificate errors and effectively loses access to HTTPS sites on the public Internet; the CA certificate therefore has to be imported on every Trusted Zone client.
Testing
To test the setup, send a request carrying a SQL injection payload to the web application from an external host in the Public Internet zone, on the WAN side of the firewall (the host must be able to reach the web server through the firewall, for example via a port forward on the WAN address).
In PfSense it is possible to see the requests being blocked:
In the SIEM the corresponding events are available as well:
Piping the search through the custom command of our app extracts attacker_ip, target_ip and attack_name and prints the results in a more compact form:
Conclusion
The given example demonstrated how properly configured defense mechanisms can prevent dangerous attacks, even with a completely vulnerable application. However, this does not mean that WAFs, IPSs, and SIEMs can replace the need for proper security testing and hardening of the application during the development and deployment process.
This type of lab helps users understand how applications are deployed, as well as the underlying network topologies and protocols. Therefore, it is crucial to allocate time for such labs.
Disclaimer: this article is inspired by a challenge from the IT-Planeta competition.