Distributed virtual machines on different VLANs

the_hutch Banned Posts: 827
So setting up a security lab to work through CEH and OSCP self-study. I am running all my systems on Oracle VirtualBox on one desktop. So here's the deal. I want my hacking machine (Backtrack 5) to be on a separate network than my network infrastructure that I plan to exploit. So here is my plan (and I want to know if this will work).

One switch with two different VLANs
Two routers (one for each VLAN) on the switch
Two different NICs on my desktop (one connected to each VLAN).

Then I will configure the network settings on my Backtrack VM to operate using one network interface. And all other VMs will be configured to use the other network interface. (Both will be using Bridged networking)

So the question is...WILL THIS WORK? Can you distribute VMs on different VLANs in this way? Any help would be greatly appreciated.

Comments

  • Zartanasaurus Member Posts: 2,008
    When you say "two routers on the switch" I assume you mean two VLAN interfaces with routing enabled on the switch?
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5 42.8%
  • the_hutch Banned Posts: 827
    To be honest, I haven't worked with VLANs much, but was under the impression that a separate router was needed to communicate between VLANs. But based on your question, I'm assuming that most switches have the capability to route between their own VLANs?
  • the_hutch Banned Posts: 827
    But yes, assuming that's an option, I would enable routing between the VLAN interfaces. Assuming I did this, would the configuration work otherwise?
  • MentholMoose Member Posts: 1,525
    Only one router is necessary... use either a router with two physical interfaces (one for each network), or one with a single interface that supports VLAN tagging (i.e. "router on a stick"). Also, you may only need a single NIC on your desktop if it supports VLAN tagging (I have not done this with VirtualBox but I would be very surprised if it's not possible).

    However, why do you want the Backtrack VM on a different network? If the goal is to send the traffic through a router, you could simply configure the virtual NIC for the Backtrack VM on a NAT network, in which case your desktop would route the traffic. If you want to avoid sending traffic through NAT, you could attach the Backtrack VM to an internal network, then set up a lightweight "router VM" connected to both that internal network and the regular network (with the target machines) to route the traffic without NAT translation.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
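    The "router VM" design described above, as an added shell example that is not from the thread or from VirtualBox's documentation. It wires the attacker VM and the router VM with VBoxManage on the host, and sets up plain forwarding (no NAT) inside the router VM that only lets the internal lab network reach the target subnet, so the attack box cannot reach the rest of the LAN. VM names, interface names and subnets are assumptions.

```shell
#!/bin/sh
# Added example: attacker VM on a VirtualBox internal network, router VM with one leg
# on that internal network and one bridged leg on the LAN holding the target VMs.
# All names and subnets below are assumptions; adjust them to your own lab.
ATTACKER_VM="backtrack5"       # assumed VM name
ROUTER_VM="labrouter"          # assumed VM name
INTNET="labnet"                # VirtualBox internal network name
HOST_IF="eth0"                 # host adapter the router's second NIC bridges to
LAB_IF="eth0"                  # inside the router VM: leg on the internal network
LAN_IF="eth1"                  # inside the router VM: bridged leg
LAB_NET="10.10.10.0/24"        # subnet used on the internal network
TARGET_NET="192.168.1.0/24"    # the only subnet reachable from the lab

# Run a command, or just print it when DRY_RUN=1 so it can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# On the host: attach the two VMs to the right VirtualBox networks.
wire_vms() {
  run VBoxManage modifyvm "$ATTACKER_VM" --nic1 intnet --intnet1 "$INTNET"
  run VBoxManage modifyvm "$ROUTER_VM" --nic1 intnet --intnet1 "$INTNET"
  run VBoxManage modifyvm "$ROUTER_VM" --nic2 bridged --bridgeadapter2 "$HOST_IF"
}

# Inside the router VM: forward lab -> target subnet only, default DROP for the rest,
# and allow only reply traffic back in. No MASQUERADE, so targets see the real lab IPs.
router_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -i "$LAB_IF" -o "$LAN_IF" -s "$LAB_NET" -d "$TARGET_NET" -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$LAB_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: ./lab.sh host   (on the desktop)   |   ./lab.sh router   (inside the router VM)
case "${1:-}" in
  host)   wire_vms ;;
  router) router_rules ;;
esac
```

Run with `DRY_RUN=1` first to see the exact commands; the router rules need root inside the router VM.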
  • the_hutch Banned Posts: 827
    Cool. Thanks for the insight moose.
  • Zartanasaurus Member Posts: 2,008
    Maybe I'm off base here as I don't know your complete background, but looking at your cert list and reading your comments, I think you're going about security the wrong way. I think you should become fluent in the systems themselves before you try to start hacking them. You'll have all of these exploit tools, but won't really have an understanding of what they are doing. Security is a high-level discipline, not an entry-level one (which is not to say you should ignore best practices).

    If you want to learn about web server or database security, you should be a web or database guy first.