Home Lab Network Security! - vlans, firewall, micro-segmentation

Views: 44,586

VirtualizationHowto

1 day ago

One of the most important aspects of building out your home lab environment is giving attention to your home network design. Network segmentation is a core component of securing your home lab network, separating traffic, and protecting your network resources. In the video we talk about how to properly design your network with VLANs, using a firewall to filter traffic from specific resources.
Subscribe to the channel: / @virtualizationhowto
My blog:
www.virtualizationhowto.com
_____________________________________________________
Social Media:
/ vspinmaster
LinkedIn:
/ brandon-lee-vht
Github:
github.com/brandonleegit
Introduction - 0:00
Talking about VLAN basics - 1:37
How many home lab networks are designed - 3:35
How an attacker can pivot in an unsegmented network - 4:43
Beginning the creation of VLANs - 5:36
Showing the existing VLANs on a switch - 6:01
Running the commands to create a new VLAN - 6:25
Configuring a switchport as an access port for the newly created VLAN - 7:15
Testing out connectivity between two PCs and seeing how VLANs work - 7:59
Testing connectivity with ping commands - 8:37
After adding the additional port to the new VLAN - 9:25
Overview of a network design using multiple VLANs - 9:54
Using firewall rules to filter traffic between VLANs - 11:44
Looking at firewall rules and associating those to different interfaces - 12:42
Adding a firewall rule for a particular interface and blocking traffic between VLANs - 12:59
Looking at micro-segmentation within a VLAN - 14:01
Limitations of firewall filtering - 14:27
Creating a layer 2 segment (logical switch) - 15:05
Looking at creating a distributed firewall rule - 15:31
Adding Active Directory to NSX Manager - 15:44
Thinking about the possibilities - 16:28
Covering the basics and wrapping up - 16:56
pfSense proxmox installation and configuration:
www.virtualizationhowto.com/2...
pfSense VLAN to VLAN routing:
www.virtualizationhowto.com/2...
Segment your network with pfSense:
www.virtualizationhowto.com/2...
Enable VMware NSX-T distributed IDS configuration:
www.virtualizationhowto.com/2...
Identity based firewall with VMware NSX-T:
www.virtualizationhowto.com/2...

Comments: 49
@GottaLovePartyin 1 year ago
as someone with minimal cybersecurity background (but quickly developing a personal & professional interest in it), this video was incredibly helpful!! thank you!!
@bxchris 1 year ago
Always a great feeling when someone helps you close a gap in knowledge. Thank you
@VirtualizationHowto 1 year ago
Christopher, wow that is kind of you to say. Glad it helped! Thanks for watching.
@RK-xm6dd 7 months ago
really good content, thank you for sharing!
@bsl2501 4 months ago
Thank you for the video and especially also taking it to further depths. One thing I really like with (corporate grade) Wi-Fi networks is Client Isolation.
@alieninstallation50 5 months ago
Thanks for the video!
@nulatium7868 1 year ago
This is material I wish I could find covered at this level. I never finished chasing down VLANs and this encourages me to finish setting some up. Would look forward to anything covering Reverse Proxy solutions like NPM or Traefik while running containers on hosts and virtualized systems in Proxmox or another hypervisor. Thank you for your efforts.
@VirtualizationHowto 1 year ago
Nulatium, glad you liked this! I like doing these deeper dives into networking as it is a core concept that is often missed.
@circuithijacker 1 year ago
Excellent material!
@VirtualizationHowto 1 year ago
Glad you enjoyed it!
@stevenehairston8323 1 year ago
Great explanation!
@VirtualizationHowto 1 year ago
Steven, glad it was helpful!
@MrMattcze 1 year ago
Thanks! That's really informative.
@VirtualizationHowto 1 year ago
Mateusz, thanks for the comment and glad it was helpful!
@babeksaber2702 7 months ago
Thank you
@JasonsLabVideos 1 year ago
Awesome video sir!
@VirtualizationHowto 1 year ago
Thanks Jason
@JasonsLabVideos 1 year ago
@@VirtualizationHowto YES ! :P
@xythonDe 8 months ago
The created rule only blocks IPv4 TCP traffic. It's important to change this default. Otherwise the network is fully reachable over UDP or IPv6. 13:35
@tcasex 7 months ago
14:03 this level of detail within Proxmox running Docker containers would be great... I have my "group" of servers segmented via VLANs, but I wanted to micro-segment the containers running within. Docker networking is something made of magic... would be cool if you could share any knowledge on this.
@FarhanAhmedClicks 1 year ago
Hello Sir, I just installed pfSense on my PC and everything is working just fine except Captive Portal. I watched many tutorials and set things up just like them or as guided in the tutorial, but in my case when I enable captive portal it asks for username and password and voucher, but when I try to input voucher codes it says invalid voucher. I tried to change RSA keys and reconfigured and reinstalled the whole setup but still I am at the same stage. Can you please guide me.
@brandonculler8550 1 year ago
Hey Brandon, I'm digging the channel. I appreciate the details & importance you place on using the correct terminology & restating acronyms & explaining them. I have a request or idea of something that I believe would make for good content. Can you PLEASE do a video on distributed switches from vCenter. I can't for the life of me understand why I have to move the vmkernel to the distributed switch group. I'm starting to think maybe I don't understand what a vmkernel really is used for. But what if I want that interface to be a dedicated interface for ESXi (i.e. no host).. and I want my host on separate interfaces (which btw I thought in the video on how to protect your ESXi host from ransomware was one of your BP recommendations). And can you please explain why in the WORLD my only option to install vCenter is on the ESXi host that it's managing?????? Really VMware???? It makes doing the upgrade from vCenter on that ESXi host virtually impossible. There has to be a best practice there I'm missing. Keep up the good work & I look forward to your responses!!!!
@VirtualizationHowto 1 year ago
Brandon, thanks for the comment and questions! Lots of topics in the questions you posed. Distributed switches place the management of your virtual networking at the vCenter level, which makes things a lot easier if you are managing multiple ESXi hosts with the same port groups, etc. So in other words, you don't have to manually create standard port groups on each ESXi host; you can instead simply add the host to the distributed switch and it automatically inherits all the port group settings, etc. However, this is a mixed bag of features vs. disaster recovery. Distributed switches can become a nightmare if you lose vCenter as it houses the configuration for the switches. The switches won't be automatically wiped out, however, you will have a situation with orphaned and ghosted distributed switches. I still use distributed switches heavily, however, I usually keep a single standard switch configured with an uplink just for disaster scenarios. Also, it isn't an absolute requirement that vCenter is housed on the same ESXi hosts that it manages. You can house vCenter anywhere as long as it has network connectivity to the hosts it manages. It is common to see vCenter housed on the same ESXi hosts it manages, though. The way this works is you have a cluster of ESXi hosts. You vMotion the vCenter Server to a different host if you are upgrading a host in the cluster. You keep working your way through the hosts until they are all updated. There are also automated processes to take care of this whole process if you want it to be fully automatic. Upgrading vCenter Server itself is also not bad either, as you deploy the new vCenter Appliance and use direct ESXi host connections during the upgrade process instead of connecting to vCenter itself. I hope this helps with most of your questions. Let me know! Thanks again.
@marksep5294 8 months ago
7:11 What is the command used here to pick port interface f0/1? The video jumped, didn't show the command.
@Stigmata195 6 months ago
Hey man, nice video but... your intro tune made me almost deaf as your voice's volume is much lower...
@etienneb4403 5 months ago
Informative video. Thank you. Regarding VLANs, wasn't the purpose using only 1 cable? If you close ports for exclusive use to say VLAN 100, I would need multiple cables I guess? And did the Cisco switch provide DHCP or the internet router?
@VirtualizationHowto 5 months ago
@etienneb4403 thank you for the comment! Yes, VLANs have many benefits, including using only a single uplink, but also network segmentation for different traffic types. If you have more detailed questions, please hop over to the VHT forums here and we can discuss further: www.virtualizationhowto.com/community
@vsulli 1 year ago
First 🥇!!!
@AdrianuX1985 1 year ago
Last!!
@ziqif3407 7 months ago
What software are you using to show us the Cisco command and router interfaces at 9:07?
@VirtualizationHowto 6 months ago
@ziqif3407, shoot me a message over on the forums here and let's talk shop: www.virtualizationhowto.com/community. Thank you again.
@CodingWithJerry-fn4cv 7 months ago
I have 3 devices that discover each other on the same network using NDI. I have an issue where I am in a large office where devices can't find each other. IT will not fix this. Any workarounds?
@VirtualizationHowto 6 months ago
@codingwithjerry-fn4cv Thank you for the comment! Sign up on the forums and I can give more personalized help here: www.virtualizationhowto.com/community
@mikeschinkel 1 year ago
This was eye-opening. I have been in tech for 30+ years as a developer and still didn't understand VLANs. With your tutorial, I think I understand them now. So I figured I would segment my LAN, but I think my switches don't support VLANs, and when I started looking for a switch that does, it seems only high-end (read: very expensive) switches support VLANs. For a home lab, what are some switches we can consider getting? Do we need to go with Cisco and learn how to program them? Or are there other acceptable options? Thanks in advance for taking the time to answer. Even better if you can do a video about switches (or point me to one you've already done?)
@VirtualizationHowto 1 year ago
Mike, this might be a good topic for a video for sure. There are cheaper switch models out there that support VLANs, but I am not sure what your budget is. Cisco is certainly the favorite for those that like the Cisco CLI as it is the industry standard. However, you don't have to go with Cisco; their CLI is just the most popular. One thing you run into with cheap switches is they are often what they refer to as unmanaged and not capable of more advanced features. Look for a managed switch with CLI access. The Cisco small business switches are actually not terribly expensive, depending on what port count you need. Unfortunately, the supply chain issues have driven the prices of even those switches much higher.
@mikeschinkel 1 year ago
@@VirtualizationHowto - I am fortunate at this time to have a budget of whatever I can convince myself I should buy if it can help me get better in my career, within reason of course! One idea I had was to get a managed switch with a smaller number of ports and daisy-chain the unmanaged switches I have for different VLANs, maybe?
@scotta.3866 1 year ago
@@mikeschinkel I might recommend looking at used, corporate take-outs. They provide a way to play with enterprise gear without paying "new" cost. They also generally provide more capacity and reliability than consumer gear. Check with your IT acquaintances.
@gearboxworks 1 year ago
@@scotta.3866 - Thanks. BTW, since I commented a month ago I have done a lot of research and ended up ordering two new MikroTik switches; one with lots of 1GbE ports + 2 SFP+ ports, and another with support for eight SFP+ ports. I decided against used enterprise equipment for a variety of reasons: 1.) noise and power usage, 2.) the hidden gotchas of enterprise licensing that can be discovered *after* purchase (I've been watching Patrick Kennedy discuss that on his ServeTheHome channel), 3.) the uncertainty of buying used, and 4.) because the MikroTik switches are a really good deal new. I also like that MikroTik switches have both a CLI and a web UI (as well as a Windows GUI, but I doubt I'll use that). Anyway, I haven't set them up yet but will be doing so in the near future.
@fbifido2 1 year ago
What about the Proxmox VE 7.2 VM firewall?? Is that micro-segmentation??
@VirtualizationHowto 1 year ago
Microsegmentation is usually handled with a software-defined solution. It allows having a mini firewall protecting every host on the network. You can use virtual firewalls to segment traffic but it does not scale very well.
@fbifido2 1 year ago
@@VirtualizationHowto OK, I see what you mean, the scale part. So, if Proxmox can centralize its VM firewall configuration plus add firewall templates/rules for the VM & allow the template/rules to follow the VM from host to host, then it would scale???
@VirtualizationHowto 1 year ago
fbi fido - It is really a limitation of all types of virtual firewalls. As mentioned in the video, traffic needs to be routed through a firewall for the filtering rules to be applied. If you have two VMs on the same VLAN with a pfSense virtual firewall protecting them, the firewall can't intercept traffic between them IP to IP on the same VLAN. You would have to have a pfSense firewall set up for every single virtual machine and each would have to be on its own VLAN to intercept traffic between them. VMware NSX installs specialized VIB files on each ESXi host, allowing even layer 2 traffic between two VMs to be filtered and rules set up to filter that traffic, which provides a much more efficient and practical way to filter that traffic.
@fbifido2 1 year ago
@@VirtualizationHowto "You would have to have a pfSense firewall set up for every single virtual machine", is that not how Proxmox is set up???, each host has a firewall, each VM has a firewall, even if no routing at the firewall layer.
@VirtualizationHowto 1 year ago
fbi fido, ah yes, I read pfSense instead of Proxmox in your message. Yes, I do believe the Proxmox centralized firewall can protect VMs with rules as well. I haven't delved into testing this, but if so, it would be similar. I am not sure how it handles intra-VLAN traffic, etc. From what I see, NSX provides superior capabilities (identity-based rules, etc.) but this would be a viable option. I am looking at the documentation here: pve.proxmox.com/wiki/Firewall
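Added illustration of two points raised in the comments, @xythonDe's note that a rule scoped to IPv4 TCP leaves UDP and IPv6 reachable, and the thread above on why a firewall never sees traffic between two hosts on the same VLAN (this is example code, not from the video or the channel). The lab addressing, the `inet`/`inet6`/`inet46` family names borrowed from pfSense, and the allow-all default at the bottom of the rule set are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lab addressing (not from the video): two dual-stack VLANs.
VLANS = {"servers": ["10.1.10.0/24", "fd00:10::/64"],
         "clients": ["10.1.20.0/24", "fd00:20::/64"]}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"

@dataclass(frozen=True)
class Rule:
    action: str  # "block" or "pass"
    family: str  # "inet" (IPv4 only), "inet6" (IPv6 only) or "inet46", as pfSense names them
    proto: str   # "tcp", "udp", "icmp" or "any"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"

def vlan_of(addr: str):
    a = ip_address(addr)  # an address never matches a network of the other IP version
    return next((n for n, nets in VLANS.items() if any(a in ip_network(x) for x in nets)), None)

def in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)

def matches(rule: Rule, pkt: Packet) -> bool:
    fam = "inet" if ip_address(pkt.src).version == 4 else "inet6"
    return (rule.family in (fam, "inet46") and rule.proto in (pkt.proto, "any")
            and in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst))

def verdict(rules, pkt: Packet) -> str:
    # Same VLAN: switched at layer 2, never reaches the firewall, so no rule can apply.
    if vlan_of(pkt.src) == vlan_of(pkt.dst):
        return "switched"
    # First match wins; the implicit allow-all at the bottom models the permissive default.
    return next((r.action for r in rules if matches(r, pkt)), "pass")

def gaps(rules, packets):
    """Cross-VLAN packets the rule set still lets through."""
    return [p for p in packets if verdict(rules, p) == "pass"]

# A rule that, like the one the earlier comment describes, blocks only IPv4 TCP ...
NARROW = [Rule("block", "inet", "tcp", "10.1.20.0/24", "10.1.10.0/24")]
# ... and the corrected pair: any protocol, plus an IPv6 twin of the rule.
BROAD = [Rule("block", "inet", "any", "10.1.20.0/24", "10.1.10.0/24"),
         Rule("block", "inet6", "any", "fd00:20::/64", "fd00:10::/64")]
```

Running `gaps(NARROW, ...)` over a handful of cross-VLAN packets lists exactly the UDP and IPv6 traffic the narrow rule misses, while `gaps(BROAD, ...)` is empty for the same input.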
@garyrowe58 1 month ago
Why did you start creating VLANs before giving any explanation of what a VLAN is and why you might want to have them?