Home Lab for IPS/IDS, SNORT, PFSENSE etc or a commercial product?

I need to get more hands on experience of IPS/IDS, FIREWALLS, SIEM etc. and was wondering should I choose option 1 or 2.
1. Set up home lab on old but powerful PC with Virtualbox, SNORT, SURICATA, pfsense and Splunk.
2. Try to find a similar configuration available commercially (cloud?) which will help me come upto speed without hassles.
Those of you who have tried similar setups, what would you recommend? Which path will be least painless and quicker to get me more exposure?

Find more posts tagged with

Comments

Kapital

Please PM me if anyone has experience of setting up home lab and can walk me through the basic usage of packet capture, event triggers etc. to understand the devices. I can do it myself but obviously will stumble several times. Instead, I can happily pay for your time and effort.

paul78

Try this:
https://securityonion.net/
https://www.youtube.com/channel/UCNBFTyYCdjT5hnm7uW25vGQ/videos
https://www.youtube.com/results?search_query=security+onion

Kapital

paul78 wrote: »

Try this:
https://securityonion.net/
https://www.youtube.com/channel/UCNBFTyYCdjT5hnm7uW25vGQ/videos
https://www.youtube.com/results?search_query=security+onion

paul78 - Thanks a lot for the youtube links. I did come across them earlier but noticed that there will be lot of hair pulling involved if I tried to do it myself

hence the request to engage someone experienced.
if push comes to shove then I will roll up the sleeves.

cyberguypr

I have to put here what I told you via PM for the benefit of others. Tust me, you don't want anyone to do this for you. The greatest value for you IS that hair pulling. Sure someone can do it and then you look at the results, but deploying this and banging your head against a wall will be the best experience you can get. You know what they say: no pain, no gain.

paul78

cyberguypr wrote: »

I have to put here what I told you via PM for the benefit of others. Tust me, you don't want anyone to do this for you. The greatest value for you IS that hair pulling. Sure someone can do it and then you look at the results, but deploying this and banging your head against a wall will be the best experience you can get. You know what they say: no pain, no gain.

I will second that statement.

@Kapital - if your intent is to learn the technology - there is no substitute for doing it yourself. And when you are stuck - that's a good time to ask the question.

tedjames

You'll learn and retain more by doing it yourself. I usually document these things so I'll have a repeatable process. You might not need to perform a specific task for another year; so if you document the process, you won't have to relearn.

yoba222

The book titled Building Virtual Machine Labs by Tony Robinson covers everything you're looking for.

victor.s.andrei

Kapital wrote: »

I need to get more hands on experience of IPS/IDS, FIREWALLS, SIEM etc. and was wondering should I choose option 1 or 2.
1. Set up home lab on old but powerful PC with Virtualbox, SNORT, SURICATA, pfsense and Splunk.
2. Try to find a similar configuration available commercially (cloud?) which will help me come upto speed without hassles.
Those of you who have tried similar setups, what would you recommend? Which path will be least painless and quicker to get me more exposure?

Install Snort and tcpdump on a Debian or Red Hat AMI in your own VPC in the AWS cloud. Use t2.micro instances or t2.nano instances - they are both inexpensive or free (if you sign up for the AWS Free Tier).

Cut your teeth on them. Don't go straight for the GUI applications. Google can be your friend.

Bonus points if you get Kerberos, LDAP, NFS, and BIND/ISC DHCP set up too.

victor.s.andrei

paul78 wrote: »

I will second that statement.

@Kapital - if your intent is to learn the technology - there is no substitute for doing it yourself. And when you are stuck - that's a good time to ask the question.

I can third that statement!

There's a reason that it's challenging to teach troubleshooting (or debugging, if you're managing software code) - the only way to really learn it is, well, trial by fire. Better to experience trial by fire for the first time in a lab than in a production environment as the primary on-call at a Fortune 500, LOL.

airzero

I just bought an old HP proliant from Ebay (savemyserver.com has some great deals) and set up an small active directory environment on it. Once the domain was up and running, I added in a security onion server and throw a few sensors in the network for monitoring. Now I run through red teaming type scenarios using Kali linux and other tools (Powershell Empire, Cobalt Stike, etc.) to practice my pentesting skills, then go back and look through the alerts from snort and logs in the ELK stack. Great experience for learning more about windows, firewalls, routing, etc. as well as offensive/defensive practice. All it cost me was $200 and a bunch of time.

Edit: The server may be a bit big and loud as a home lab, but I compensate by only having it turned on only when I'm using it so it's really not that bad.

Kapital

I have managed to installed security onion but still facing configuration issues as mine is all in virtual box. I wish we had some cyber security labs setup for intrusion detection, SIEM, NSM etc. which one could access via web to practice the skills. Vulnhub is a similar lab that I know of but i dont think anyone has a lab similar to yours.

airzero wrote: »

I just bought an old HP proliant from Ebay (savemyserver.com has some great deals) and set up an small active directory environment on it. Once the domain was up and running, I added in a security onion server and throw a few sensors in the network for monitoring. Now I run through red teaming type scenarios using Kali linux and other tools (Powershell Empire, Cobalt Stike, etc.) to practice my pentesting skills, then go back and look through the alerts from snort and logs in the ELK stack. Great experience for learning more about windows, firewalls, routing, etc. as well as offensive/defensive practice. All it cost me was $200 and a bunch of time.

Edit: The server may be a bit big and loud as a home lab, but I compensate by only having it turned on only when I'm using it so it's really not that bad.