
Home Lab Network Security! - vlans, firewall, micro-segmentation 

VirtualizationHowto
42K views

One of the most important aspects of building out your home lab environment is giving attention to your home network design. Network segmentation is a core component of securing your home lab network, segmenting traffic, and protecting your network resources. In the video we talk about how to properly design your network with VLANs, using a firewall to filter traffic from specific resources.
Subscribe to the channel: / @virtualizationhowto
My blog:
www.virtualizationhowto.com
_____________________________________________________
Social Media:
/ vspinmaster
LinkedIn:
/ brandon-lee-vht
Github:
github.com/brandonleegit
Introduction - 0:00
Talking about VLAN basics - 1:37
How many home lab networks are designed - 3:35
How an attacker can pivot in an un-segmented network - 4:43
Beginning the creation of VLANs - 5:36
Showing the existing VLANs on a switch - 6:01
Running the commands to create a new VLAN - 6:25
Configuring a switchport as an access port for the newly created VLAN - 7:15
Testing out connectivity between two PCs and seeing how VLANs work - 7:59
Testing connectivity with ping commands - 8:37
After adding the additional port to the new VLAN - 9:25
Overview of a network design using multiple VLANs - 9:54
Using firewall rules to filter traffic between VLANs - 11:44
Looking at firewall rules and associating those to different interfaces - 12:42
Adding a firewall rule for a particular interface and blocking traffic between VLANs - 12:59
Looking at micro-segmentation within a VLAN - 14:01
Limitations of firewall filtering - 14:27
Creating a layer 2 segment (logical switch) - 15:05
Looking at creating a distributed firewall rule - 15:31
Adding Active Directory to NSX Manager - 15:44
Thinking about the possibilities - 16:28
Covering the basics and wrapping up - 16:56
pfSense proxmox installation and configuration:
www.virtualizationhowto.com/2...
pfSense VLAN to VLAN routing:
www.virtualizationhowto.com/2...
Segment your network with pfSense:
www.virtualizationhowto.com/2...
Enable VMware NSX-T distributed IDS configuration:
www.virtualizationhowto.com/2...
Identity based firewall with VMware NSX-T:
www.virtualizationhowto.com/2...

Hobbies

Published: 1 Jun 2024

Comments: 48
@GottaLovePartyin 11 months ago
as someone with minimal cybersecurity background (but quickly developing a personal & professional interest in it), this video was incredibly helpful!! thank you!!
@bxchris 1 year ago
Always a great feeling when someone helps you close a gap in knowledge. Thank you
@VirtualizationHowto 1 year ago
Christopher, wow that is kind of you to say. Glad it helped! Thanks for watching.
@bsl2501 3 months ago
Thank you for the video and especially also taking it to further depths. One thing I really like with (corporate grade) Wi-Fi networks is Client Isolation.
@nulatium7868 1 year ago
This is material I wish I could find covered at this level. I never finished chasing down VLANs and this encourages me to finish setting some up. Would look forward to anything covering Reverse Proxy solutions like NPM or Traefik while running containers on hosts and virtualized systems in Proxmox or another hypervisor. Thank you for your efforts.
@VirtualizationHowto 1 year ago
Nulatium, glad you liked this! I like doing these deeper dives into networking as it is a core concept that is often missed
@RK-xm6dd 6 months ago
really good content, thank you for sharing!
@xythonDe 7 months ago
The created rule only blocks IPv4 TCP traffic. It's important to change this default. Otherwise the network is fully reachable over UDP or IPv6. 13:35
@alieninstallation50 4 months ago
Thanks for the video!
@circuithijacker 1 year ago
Excellent material!
@VirtualizationHowto 1 year ago
Glad you enjoyed it!
@MrMattcze 1 year ago
Thanks! That's really informative.
@VirtualizationHowto 1 year ago
Mateusz, thanks for the comment and glad it was helpful!
@stevenehairston8323 1 year ago
Great explanation!
@VirtualizationHowto 1 year ago
Steven, glad it was helpful!
@tcasex 6 months ago
14:03 this level of detail within proxmox running docker containers would be great...I have my "group" of servers segmented via vlans, but I wanted to micro-segment the containers running within. Docker networking is something made of magic...would be cool if you could share any knowledge on this.
@babeksaber2702 6 months ago
Thank you
@FarhanAhmedClicks 1 year ago
Hello Sir, I just installed pfSense on my PC and everything is working just fine except Captive Portal. I watched many tutorials and set things up just like them or as guided in the tutorial, but in my case, when I enable captive portal it asks for username and password and voucher, but when I try to input voucher codes it says invalid voucher. I tried to change RSA keys and reconfigured and reinstalled the whole setup but still I am at the same stage. Can you please guide me.
@JasonsLabVideos 1 year ago
Awesome Video sir !
@VirtualizationHowto 1 year ago
Thanks Jason
@JasonsLabVideos 1 year ago
@@VirtualizationHowto YES ! :P
@brandonculler8550 1 year ago
Hey Brandon, I'm digging the channel. I appreciate the details & importance you place on using the correct terminology & restating acronyms & explaining them. I have a request or idea of something that I believe would make for good content. Can you PLEASE do a video on distributed switches from vCenter. I can't for the life of me understand why I have to move the vmkernel to the distributed switch group. I'm starting to think maybe I don't understand what a vmkernel really is used for. But what if I want that interface to be a dedicated interface for ESXi (i.e. no host).. and I want my host on separate interfaces (which btw I thought in your video on how to protect your ESXi host from ransomware was one of your BP recommendations). And can you please explain why in the WORLD my only option to install vCenter is on the ESXi host that it's managing?????? Really VMware???? It makes doing the upgrade from vCenter on that ESXi host virtually impossible. There has to be a best practice there I'm missing. Keep up the good work & I look forward to your responses!!!!
@VirtualizationHowto 1 year ago
Brandon, thanks for the comment and questions! Lots of topics in the questions you posed. Distributed switches place the management of your virtual networking at the vCenter level, which makes things a lot easier if you are managing multiple ESXi hosts with the same port groups, etc. So in other words, you don't have to manually create standard port groups on each ESXi host; you can instead simply add the host to the distributed switch and it automatically inherits all the port group settings, etc. However, this is a mixed bag of features vs. disaster recovery. Distributed switches can become a nightmare if you lose vCenter as it houses the configuration for the switches. The switches won't be automatically wiped out; however, you will have a situation with orphaned and ghosted distributed switches. I still use distributed switches heavily; however, I usually keep a single standard switch configured with an uplink just for disaster scenarios. Also, it isn't an absolute requirement that vCenter is housed on the same ESXi hosts that it manages. You can house vCenter anywhere as long as it has network connectivity to the hosts it manages. It is common to see vCenter housed on the same ESXi hosts it manages though. The way this works is you have a cluster of ESXi hosts. You vMotion the vCenter Server to a different host if you are upgrading a host in the cluster. You keep working your way through the hosts until they are all updated. There are also automated processes to take care of this whole process if you want it to be fully automatic. Upgrading vCenter Server itself is also not bad either, as you deploy the new vCenter Appliance and use direct ESXi host connections during the upgrade process instead of connecting to vCenter itself. I hope this helps with most of your questions. Let me know! Thanks again.
@marksep5294 7 months ago
7:11 What is the command used here to pick port interface f0/1? The video jumped, didn't show the command.
@etienneb4403 4 months ago
Informative video. Thank you. Regarding VLANs, wasn't the purpose using only 1 cable? If you close ports for exclusive use to say vlan100, I would need multiple cables I guess? And did the Cisco switch provide DHCP or the internet router?
@VirtualizationHowto 4 months ago
@etienneb4403 thank you for the comment! Yes VLANs have many benefits, including using only a single uplink, but also network segmentation for different traffic types. Let me know if you have more detailed questions, please hop over to the VHT forums here and we can discuss further: www.virtualizationhowto.com/community
@ziqif3407 5 months ago
What software are you using to show us the Cisco command and router interfaces at 9:07?
@VirtualizationHowto 5 months ago
@ziqif3407, shoot me a message over on the forums here and let's talk shop: www.virtualizationhowto.com/community. Thank you again.
@Stigmata195 4 months ago
Hey Man, nice video but... Your intro tune made me almost deaf as your voice's volume is much lower...
@CodingWithJerry-fn4cv 6 months ago
I have 3 devices that discover each other on the same network using NDI. I have an issue where I am in a large office where devices can't find each other. IT will not fix this. Any workarounds?
@VirtualizationHowto 5 months ago
@codingwithjerry-fn4cv Thank you for the comment! Sign up on the forums and I can give more personalized help here: www.virtualizationhowto.com/community
@MikeSchinkel 1 year ago
This was eye-opening. I have been in tech for 30+ years as a developer and still didn't understand VLANs. With your tutorial, I think I understand them now. So I figured I would segment my LAN, but I think my switches don't support VLANs, and when I started looking for a switch that does, it seems only high-end (read: very expensive) switches support VLANs. For a home lab, what are some switches we can consider getting? Do we need to go with Cisco and learn how to program them? Or are there other acceptable options? Thanks in advance for taking the time to answer. Even better if you can do a video about switches (or point me to one you've already done?)
@VirtualizationHowto 1 year ago
Mike, this might be a good topic for a video for sure. There are cheaper switch models out there that support VLANs, but I am not sure what your budget is. Cisco is certainly the favorite for those that like the Cisco CLI as it is the industry standard. However, you don't have to go with Cisco; their CLI is just the most popular. One thing you run into with cheap switches is they are often what they refer to as unmanaged and not capable of more advanced features. Look for a managed switch with CLI access. The Cisco small business switches are actually not terribly expensive, depending on what port count you need. Unfortunately, the supply chain issues have driven the prices of even those switches much higher.
@MikeSchinkel 1 year ago
@@VirtualizationHowto - I am fortunate at this time to have a budget of whatever I can convince myself I should buy if it can help me get better in my career, within reason of course! One idea I had was to get a managed switch with a smaller number of ports and daisy-chain the unmanaged switches I have for different VLANs, maybe?
@scotta.3866 1 year ago
@@MikeSchinkel I might recommend looking at used, corporate take-outs. They provide a way to play with enterprise gear without paying "new" cost. They also generally provide more capacity and reliability than consumer gear. Check with your IT acquaintances.
@gearboxworks 1 year ago
@@scotta.3866 - Thanks. BTW, since I commented a month ago I have done a lot of research and ended up ordering two new MikroTik switches; one with lots of 1GbE ports + 2 SFP+ ports, and another with support for eight SFP+ ports. I decided against used enterprise equipment for a variety of reasons; 1.) noise and power usage, 2.) the hidden gotchas of enterprise licensing that can be discovered *after* purchase (I've been watching Patrick Kennedy discuss that on his ServeTheHome channel), 3.) the uncertainty of buying used, and 4.) because the MikroTik switches are a really good deal new. I also like that MikroTik switches have both a CLI and a web UI (as well as a Windows GUI, but I doubt I'll use that.) Anyway, I haven't set them up yet but will be doing so in the near future.
@vsulli 1 year ago
First 🥇!!!
@AdrianuX1985 1 year ago
Last!!
@garyrowe58 20 days ago
Why did you start creating VLANs before giving any explanation of what a vlan is and why you might want to have them?
@fbifido2 1 year ago
What about the Proxmox VE 7.2 VM firewall?? Is that micro-segmentation??
@VirtualizationHowto 1 year ago
Microsegmentation is usually handled with a software-defined solution. It allows having a mini firewall protecting every host on the network. You can use virtual firewalls to segment traffic but it does not scale very well.
@fbifido2 1 year ago
@@VirtualizationHowto OK, I see what you mean, the scale part. So, if Proxmox can centralize its VM firewall configuration plus add firewall templates/rules for the VM & allows the template/rules to follow the VM from host to host, then it would scale ???
@VirtualizationHowto 1 year ago
fbi fido - It is really a limitation of all types of virtual firewalls. As mentioned in the video, traffic needs to be routed through a firewall for the filtering rules to be applied. If you have two VMs on the same VLAN with a pfsense virtual firewall protecting them, the firewall can't intercept traffic between them IP to IP on the same VLAN. You would have to have a pfsense firewall setup for every single virtual machine and each would have to be on their own VLAN to intercept traffic between them. VMware NSX installs specialized VIB files on each ESXi host allowing even layer 2 traffic between two VMs to be filtered and rules set up to filter that traffic which provides a much more efficient and practical way to filter that traffic.
@fbifido2 1 year ago
@@VirtualizationHowto "You would have to have a pfsense firewall setup for every single virtual machine", is that not how Proxmox is setup ???, each host has a firewall, each VM has a firewall, even if no routing at the firewall layer.
@VirtualizationHowto 1 year ago
fbi fido, ah yes, I read pfsense instead of Proxmox in your message. Yes, I do believe the Proxmox centralized firewall can protect VMs with rules as well. I haven't delved into testing this, but if so, it would be similar. I am not sure how it handles intra-VLAN traffic, etc. From what I see, NSX provides superior capabilities (identity-based rules, etc.) but this would be a viable option. I am looking at the documentation here: pve.proxmox.com/wiki/Firewall
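Two points raised in the comments are easy to get wrong when building the design the video describes: the 13:35 comment notes that a block rule limited to IPv4 TCP leaves UDP and IPv6 wide open, and the reply above explains that a perimeter firewall (pfSense in the video) never sees traffic between two hosts on the same VLAN, which is why micro-segmentation needs a distributed firewall. The following Python model is an added example written for this page, not code from the video or its author. It assumes a constructed two-VLAN lab with made-up IPv4 and IPv6 prefixes, treats the firewall as a single first-match rule list with pfSense's implicit deny at the end (pfSense actually evaluates rules per ingress interface), and ignores stateful return traffic; the host addresses and rules are constructed for the demonstration.

```python
"""Model of where traffic is (and is not) filtered in a VLAN-segmented lab.

Constructed example: two VLANs with made-up prefixes, rules evaluated
first-match with an implicit block when nothing matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed lab addressing: one IPv4 and one IPv6 prefix per VLAN.
VLANS: Dict[int, Tuple[str, str]] = {
    10: ("10.1.10.0/24", "fd00:10::/64"),  # servers
    20: ("10.1.20.0/24", "fd00:20::/64"),  # clients
}

# Two constructed hosts used by the audit, keyed by IP version.
SERVER = {4: "10.1.10.5", 6: "fd00:10::5"}
CLIENT = {4: "10.1.20.50", 6: "fd00:20::50"}

PROTOS = ("tcp", "udp", "icmp")


def vlan_of(addr: str) -> Optional[int]:
    """Return the VLAN id whose prefix contains addr, or None if unknown."""
    ip = ip_address(addr)
    for vid, prefixes in VLANS.items():
        if any(ip in ip_network(p) for p in prefixes):
            return vid
    return None


@dataclass(frozen=True)
class Rule:
    """One firewall rule; None in a field means 'any'."""
    action: str                       # "block" or "pass"
    src: Optional[str] = None         # source CIDR
    dst: Optional[str] = None         # destination CIDR
    ip_version: Optional[int] = None  # 4, 6, or None for both families
    proto: Optional[str] = None       # "tcp", "udp", "icmp", or None

    def matches(self, src: str, dst: str, proto: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        if self.ip_version is not None and s.version != self.ip_version:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        # ip_network containment is False across address families, so an
        # IPv4-only prefix never matches an IPv6 flow.
        if self.src is not None and s not in ip_network(self.src):
            return False
        if self.dst is not None and d not in ip_network(self.dst):
            return False
        return True


def evaluate(src: str, dst: str, proto: str, rules: List[Rule],
             distributed: bool = False) -> str:
    """Decide the fate of one flow: 'blocked', 'allowed' or 'unfiltered'.

    A perimeter firewall (distributed=False) only sees traffic routed
    between VLANs; two hosts on the same VLAN talk at layer 2 and the flow
    never reaches it. A distributed firewall (distributed=True) enforces
    rules at each VM's vNIC, so every flow is evaluated.
    """
    if not distributed and vlan_of(src) == vlan_of(dst):
        return "unfiltered"
    for rule in rules:
        if rule.matches(src, dst, proto):
            return "blocked" if rule.action == "block" else "allowed"
    return "blocked"  # implicit deny when no rule matches


def audit_gaps(rules: List[Rule], src_hosts: Dict[int, str],
               dst_hosts: Dict[int, str]) -> List[Tuple[int, str]]:
    """List (ip_version, proto) pairs still allowed from src to dst."""
    return [
        (version, proto)
        for version in (4, 6)
        for proto in PROTOS
        if evaluate(src_hosts[version], dst_hosts[version], proto, rules) == "allowed"
    ]


PASS_ANY = Rule("pass")

# A block rule of the kind the 13:35 comment describes: only IPv4 TCP.
WEAK_RULES = [
    Rule("block", "10.1.20.0/24", "10.1.10.0/24", ip_version=4, proto="tcp"),
    PASS_ANY,
]

# Corrected: any protocol, and both address families covered.
STRONG_RULES = [
    Rule("block", "10.1.20.0/24", "10.1.10.0/24"),
    Rule("block", "fd00:20::/64", "fd00:10::/64"),
    PASS_ANY,
]

# Micro-segmentation between two servers on the same VLAN; only a
# distributed firewall can enforce it.
MICROSEG_RULES = [Rule("block", "10.1.10.6/32", "10.1.10.5/32"), PASS_ANY]


if __name__ == "__main__":
    print("gaps with IPv4/TCP-only rule:", audit_gaps(WEAK_RULES, CLIENT, SERVER))
    print("gaps with corrected rules:   ", audit_gaps(STRONG_RULES, CLIENT, SERVER))
    print("same-VLAN flow, perimeter FW:", evaluate("10.1.10.6", "10.1.10.5", "tcp", MICROSEG_RULES))
    print("same-VLAN flow, distributed: ", evaluate("10.1.10.6", "10.1.10.5", "tcp", MICROSEG_RULES, distributed=True))
```

Running the audit against the weak rule set reports five combinations still allowed (IPv4 UDP and ICMP, plus everything over IPv6), and none against the corrected set; the same-VLAN flow comes back as unfiltered until the rule is enforced at the vNIC. The useful habit this encodes is to test a segmentation rule with more than one protocol and both address families, rather than a single TCP ping-style check.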