Learn network security, open networking & Linux engineering in one tutorial
Building up a company-grade segmented network entirely on Unix-like OS
Learn underlying cluster technologies e.g. Keepalived & VRRP on Linux
Project-based learning of configuring firewall clusters on OpenSUSE Linux as well as pfSense
Learn about NAC (802.1X, EAP, EAPoL) using PacketFence to reject or accept clients on switches
Networking core fundamentals such as Traffic Tagging using VLANs, Trunking, STP, subnetting, LAG, MLAG, etc.
Learn firewall’s core functionalities & be able to work with any firewall, no matter what brand
Initial to advanced configuration of Nvidia Cumulus Linux switches
Learn how head & branch offices securely communicate using IPSec site to site VPN
Practicing network security by segmentation, compartmentalization, & isolation
Learn how to create different VLANs in a company and control their traffic on each other
Setting up Linux based DHCP server to serve IP addresses in different VLANs
Learn network redundancy methods e.g. LACP (802.3ad), balance-rr, balance-xor, etc. on Linux, pfSense and Cumulus switch
Learn how to migrate from iptables to nftables
Project-based learning of advanced pfSense firewall features
Project-based learning of packet capture & analysis using Wireshark, TShark, TermShark & TCPDump
Learn about openSUSE, AlpineLinux, Debian, Ubuntu and FreeBSD
Implement IPSec VPN on openSUSE using strongSwan
Configuring openVPN remote access for home office users
Configuring WireGuard remote access for IoT devices (key based authentication)
Learn how to harden SSH logins using two-factor authentication (2FA)
Learn virtualization using VirtualBox and GNS3
Learn the most common network attacks and penetration testing techniques
Yersinia attack toolkit
When it comes to open-source, the sky is the limit!
In a nutshell, you will build a company-like network with headquarter and branch office on Unix-like OSs and open-source tools, then try to hack its vulnerabilities.
From switches to endpoints, clustered firewalls, and servers, including the Network Access Control (NAC) server, jump hosts, and anything else, everything is built on a flavor of Linux such as openSUSE, AlpineLinux, Debian, Ubuntu, etc., or on a Unix-like OS such as FreeBSD.
Network security should be embedded into the nature of the corporate network, and that is what we learn in this course.
We do not care much about vendors and logos, but practical concepts. For example, we dive into Shell commands, TCP/IP and networking fundamental concepts, and core network security principles using open-source, yet industry-proven products.
We aim to teach you how standard networking concepts are “designed” and are also “applied” in work environments.
Why a pure Linux-based network? Besides the fact that Linux runs the world, if you learn secure networking using Linux, Unix, and open-source tools, you will feel pretty confident about their commercial equivalents. For example, if you learn network firewalling using iptables and nftables, you won’t have any issues with Cisco FirePower, FortiGate, or Juniper firewalls.
As said, we are not into vendors; we are interested in standardized theoretical concepts and practical techniques. This method will give you a firm conceptual understanding of the underlying technologies and of how finished products like Cisco switches, FortiGate firewalls, Cisco ISE NAC, HPE Aruba, and so on, actually work behind the scenes.
In the end, you will run the most common network attacks using Kali Linux against the network you built yourself.
Your Learning Key-Terms:
Virtualization
GNS3 Lab (with Hyper-V & VirtualBox Integration)
TCP/IP
OSI Model
Network Topologies
IP Subnetting
VLAN
Traffic Tagging
Trunking
NIC Teaming
LAGG (Link Aggregation)
MLAG (Multi-Chassis Link Aggregation)
Bond Modes: Active-Backup, 802.3ad (LACP)
Bridging
Spanning Tree
Inter-VLAN Routing
Routing & ARP Tables
MAC Flood
IEEE 802.1X & MAB (MAC Address Bypass)
Network Access Control (NAC)
PacketFence (Open Source NAC)
Extensible Authentication Protocol (EAP) (EAPoL)
RADIUS (FreeRADIUS)
Linux Open Source Networking
Nvidia Cumulus Linux Switch
openSUSE Linux
Ubuntu Linux
Alpine Linux
Linux Shell Command Line
Firewalls
Netfilter Framework
Packet Filtering
iptables
nftables
Packet Capture Analysis
Wireshark, TShark, Termshark, and TCPDump
Linux Clustering
keepalived
ConnTrack
Virtual Private Network (VPN)
OpenVPN
strongSwan IPSec (swanctl)
WireGuard
pfSense Firewall (FreeBSD)
pfSense Cluster
Next-Gen Firewall
Demilitarized Zone (DMZ)
Ethical Hacking Network Attacks and Techniques
SSH BruteForce Attack
MITM with Mac Spoofing Attack
MITM with DHCP Spoofing Attack
DOS Attack (POD, SYNFLOOD, BPDUs, CDP)
Yersinia
DHCP Starvation
DNS Spoofing
Offensive Packet Sniffing
ARP spoofing, ARP cache poisoning attack
Network hacking
Cyber security
Network Hardening Solutions
Fundamentals 1: Building up a GNS3 Virtual Lab
Skip this section if…
GNS3 VM & Server, templates for Linux nodes, pfSense, Cumulus & VBox Integration
Fundamentals 2: Networking Basics
Network Topologies – Bus, Ring, Mesh and Hybrid
Network Types – LAN, WLAN, WAN, SAN, MPLS and SDWAN
OSI Network Model vs. TCP/IP Model
Network Protocols and Services
IP Addressing
IP Subnetting
Routing – ANDing, Default, Static, Dynamic Routes
Switching – VLANs, STP, LAG and MLAG
Network Architecture – 3 Tiers vs. Spine Leaf Design
Fundamentals 3: Unix-like OS Basics
50 years of Unix-like heritage: Research Unix, BSD, GNU, Linux and macOS
Part 1: 50 “must-know” shell commands working on any Unix-like OS since 70s
Part 2: 50 “must-know” shell commands working on any Unix-like OS since 70s
Part 3: 50 “must-know” shell commands working on any Unix-like OS since 70s
Part 4: 50 “must-know” shell commands working on any Unix-like OS since 70s
vi basics – a ubiquitous screen-oriented text editor on any Unix-like OS
net-tools and/or iproute2 – Networking tools on any Unix-like OS
Fundamentals 4: Packet Capture Analysis using TCPDump, Wireshark and TShark
Quick-tour of packet capture analysis
Clarifying Wireshark vs. TShark vs. TermShark vs. TCPDump
Why learning packet analysis? A use-case exposing RCE attack payload
Installing Wireshark, Termshark, TShark and TCPDump on Kali Linux
Installing Wireshark and TShark on MS Windows
TCPDump use-cases: credentials, Cookies, headers, URL, remote packet capture
Wireshark interface walkthrough and possibilities
Wireshark filters, syntax glossary, PCAP investigation, chaining, HTML rebuild
TCP/IP Model revisited in Wireshark
Packet analysis with PCAP visualization
Capturing packets on GNS3 links using Wireshark
Company Network Project Kickoff
Project requirements gathering and specifications document
Project’s basic shapes and colour codes in GNS3
Adding Open Source Switches (Cumulus Linux)
Nvidia Cumulus Linux – An Open-Source Linux-based Switch
Headquarter – Creating physical connectivity with spine-leaf design
Headquarter – Adding Alpine Linux clients
Headquarter – Layer 2 Configuration – Interfaces and VLANs – Part1
Headquarter – Layer 2 Configuration – Interfaces and VLANs – Part2
Headquarter – Spanning Tree Protocol (STP) on Cumulus Linux switches
Headquarter – Creating virtual layer 3 interfaces for management VLAN
Headquarter – Configuring Bond interfaces, LAG and MLAG in Cumulus Linux – P1
Headquarter – Configuring Bond interfaces, LAG and MLAG in Cumulus Linux – P2
Branch Office – Network Preparation in GNS3
Branch Office – Switches Trunk & Access ports, VLAN interfaces, Bonds & MLAG
Adding 2 Firewall Clusters: Linux nftables (Keepalived VRRP) & pfSense HA (CARP)
Read me first
Headquarter – Create a custom VM for the openSUSE Linux Server cluster
Headquarter – Change network adapters type to Paravirtualized Network I/O
Headquarter – Creating bond interfaces on openSUSE Linux with LACP mode
Headquarter – Troubleshooting inter-cluster Bond connectivity issues on Linux FW
Headquarter – Configure MLAG on Cumulus switches for firewall cluster bond links
Headquarter – Configure virtual VLAN interfaces on linux firewall cluster
Headquarter – Disable IPv6 on the Linux firewalls
Headquarter – Installing keepalived (VRRP) on both OpenSUSE Linux firewalls
Headquarter – Configuring keepalived (VRRP) for OpenSUSE firewall HA cluster
Introduction to netfilter framework – Part 1
Introduction to netfilter framework – Part 2
Headquarter – Change default policies of iptables chains to explicit drop
Create IPTables service on openSUSE firewall cluster & TShooting the service
Headquarter – Create iptables service on the slave firewall
Headquarter – Providing internet to VLAN 20 using MASQUERADE NAT rules
Headquarter – Configure Linux DHCP Server to assign each VLAN’s own IP range
Headquarter – Start creating Inter-VLAN iptables rules on OpenSUSE FW cluster
Headquarter – Continue creating Inter-VLAN iptables policies on firewall cluster
Headquarter – Creating iptables DNAT rules to publish web server from DMZ VLAN
Headquarter – Restrict & log SSH Brute-force attacks with iptables RECENT module
Headquarter – Visualize iptables rules with gressgraph
Headquarter – nftables basics
Headquarter – Transform iptables rules into nftables & create an nft service, P1
Headquarter – Transform iptables rules into nftables & create an nft service, P2
Headquarter – Restrict SSH Brute-force attacks for 5 minutes with Linux nftables
Branch Office – Installing pfSense machines in GNS3
Branch Office – Reassigning the interfaces and start the initial pfSense config
Branch Office – Configure pfSense interfaces, LAGG, VLAN interfaces and pfSync
Branch Office – Setup pfSense High-Availability & MLAG between Cumulus and pfSense
Branch Office – Configure pfSense DHCP server for clients and management VLANs
Branch Office – Create aliases in pfSense and add floating & VLAN firewall rules
Branch Office – Create Inter-VLAN rules from Clients and Mgmt to DMZ on pfSense
Branch Office – Setup UFW on Ubuntu Web server in DMZ & test inter-VLAN access
Branch Office – DNAT or Reverse NAT for web server access in DMZ from internet
Adding Open Source VPN technologies using Strongswan IPSec, OpenVPN & Wireguard
Setup Site to Site VPN between OpenSUSE Linux and pfSense using Strongswan – P1
Setup Site to Site VPN between OpenSUSE Linux and pfSense using Strongswan – P2
Troubleshooting Site to Site IPSec VPN between OpenSUSE Linux and pfSense
Preparing OpenVPN server on pfSense – CA server, certificate & export plugin
Setup OpenVPN remote access on pfSense & setup home-office Ubuntu OpenVPN client
Setup WireGuard VPN between OpenSUSE firewall and Ubuntu as remote IoT client
Adding Open Source Network Access Control (NAC) using PacketFence
How NAC works? EAP, EAPoL, RADIUS, dot1x – P1
How NAC works? EAP, EAPoL, RADIUS, dot1x – P2
Installing PacketFence NAC Server on a Debian Linux
Initializing PacketFence Web Configurator
Deploying Network Access Server (NAS) and FreeRADIUS with MAB Profiles
Configure IEEE 802.1X, Parking & Dynamic VLAN assignment on Cumulus Linux Switch
Adding Two-factor authentication (2FA) to SSH servers in management VLAN
Setting up 2FA for SSH server on Ubuntu jump hosts in management VLAN
How secure did we build this network? Let’s pentest it!
Introduction to penetration testing for this project
Reconnaissance of headquarter network using NMAP
Implementing SSH brute force against headquarter using our NMAP findings
ARP Poisoning attack to capture headquarter network traffic e.g. credentials
DHCP starvation attack against OpenSUSE DHCP server in headquarter (DOS attack)
DHCP spoofing by Yersinia in headquarter to deviate the network gateway and DNS