Friday, June 15, 2012

ESXi Security Lab

Late last year, I set about building a new virtualization platform to serve as my security lab. Since the advent of Microsoft Hyper-V and VMware ESXi, I had been eager to start using a pure hypervisor solution rather than just VMware server and workstation.

I started my research on VMware ESXi and soon had it running nested within VMware workstation so I could get a sense of how to install and configure the basics. Reading blogs and forums (HardOCP's virtualized computing forum was especially helpful), helped me assemble a list of parts that would make up my ESXi security lab. I had a few requirements, but the most important one was stability. I had read reports of problems with non-compatible hardware and I wanted to ensure that my time would be spent productively working on my virtual machines rather than fighting with ESXi.

After assembling the system hardware and testing basic functionality, it was time to install ESXi. This took no more than 15 minutes. It was incredibly simple. It involved booting from the ISO and pointing the installer to the USB drive for the OS, and then let setup take care of the rest. ESXi was up and running and I was logging into virtual center about 20 minutes after I had started the installation. I initially installed ESXi 4.x, but soon upgraded to ESXi 5. This process was equally straightforward.

The diagram below is a logical representation of the current state of my security lab. Its not 100% technically accurate but provides an overview of the architecture. I created a self-contained, deliberately insecure set of networks populated with vulnerable hosts and systems, while keeping them segregated from my internal "production" systems and home network.

I have three separate host-only networks configured. Each network is assigned to a virtual switch and has a Endian Firewall with two interfaces. The firewalls are precisely configured to allow and deny strategic ports and protocols to pass between the three malnet networks enabling a variety of attack scenarios. The front-end Endian firewall that separates the virtual and physical networks is configured to avoid any contamination from the vulnerable/exploited/infected hosts on the malnet networks.

Each of the malnet networks and the DMZ honeynet are monitored by Snort intrusion detection sensors. I use the excellent open source IDS package, Security Onion, as the lab's core IDS. Security Onion combines open source security packages Snort and OSSEC with the security management consoles squil, Snorby and SQuert to make one great security monitoring Linux distro. ESXi virtual interfaces and switches make it easy to assign IDS monitoring interfaces to any of the virtual networks on the fly.

The malnet networks are populated with some of the deliberately vulnerable OS images available on the internet, such as metasploitable and Kioptix. I am also creating my own set of vulnerable virtual hosts and services which are designed to be exploited in interesting and clever ways. The malnet02 network, for example, contains a poorly configured and largely unpatched Windows 2003 AD domain controller that is running several vulnerable services. Attacking and exploiting hosts like this is a great way to keep your offensive skills sharpened while deepening your understanding of how to defend.

The internet firewall for my home network is a Cisco ASA 5505 with an enterprise security license. This enables me to assign a physical port on the firewall as a DMZ interface. I connected this interface to one of the ethernet interfaces in ESXi and assigned it to a virtual switch. I can now connect any virtual machine to the DMZ switch and with a few clicks can place it in the DMZ honeynet network. The network currently has one host running a honeypot. The ASA is configured to allow inbound traffic on a variety of ports (TCP 21,22,110,1433,3389) to the DMZ from the internet.

For wireless hacking research and practice, I added a WRT54G Linksys wireless router configured as an access point with default Linksys firmware. I can use the ALFA USB card attached to my laptop or I can connect the ALFA attached to the ESXi box to any virtual host and attack the wireless network from a VM.

Here is a screenshot of the ESXi Summary page in Virtual Center:

A complete list of the hardware I used for the ESXi server is listed below.

The hardware I chose was one generation behind when I purchased it last November. The parts I chose are widely in use and generally accepted to be compatible with ESXi. This was the most important factor - building the system with proven hardware components and avoiding any incompatibilities.

Intel Xeon X3450 2.67GHz. This CPU is a quad core. With hyper-threading enabled, it provides eight usable logical processors in ESXi. I let ESXi manage the CPU distribution but I can alocate virtual machines to individual logical processors if I need to. I have been impressed with how efficiently ESXi allocates memory and CPU; aside from assigning memory to virtual machines, I let ESXi handle all the resource allocation.

Supermicro X8SIL. This board and its well proven with ESXi. It has an integrated IPMI interface which enables "lights-out" style management of the system. IPMI is essentially a web interface to control the system via software running on the motherboard. This enables me to power cycle the system or view the local console remotely. I looked at it once and have not had reason to look again.


32GB (4 x 8) Kingston ECC registered DDR3.
I spent a lot of time researching memory for the system making absolutely sure it was compatible with ESXi and the Supermicro motherboard. This memory is on the VMware HCL.

2 x Seagate Barracuda 1 TB 7200 rpm hard drives. I have always found Seagate drives to be quiet and reliable and these drives are no exception. I have no need for RAID in my lab so I installed both as storage in ESXi. My VMs sit on one, and my ISOs and some backups are on the other. A simple and effective arrangement.

ESXi runs from an 8 GB USB key. The Supermicro has a USB port directly on the motherboard, so it's connected there and hidden away in the case. Its easy to back up my ESXi OS and configuration by simply imaging the USB key.

The motherboard has two physical ethernet interfaces (three if you count IPMI) and I added an Intel dual port Gigabit NIC (82546EB) I had from another system for a total of four usable physical interfaces. An ALFA networks wireless adapter is attached to ESXi via USB.

The ESXi adapters hosting the malnet networks are connected to a Cisco SG300 10 port managed switch. I have enabled layer three routing on this device so I can route between VLANs on the switch. The switch can be managed with a web interface or via the command line.

Power Supply:
I used a Cooler Master GX 450W for a power supply as it was reasonably priced and had excellent reviews. It's also whisper quiet, which was another one of my requirements for the system.

Overall, I am very happy with my ESXi lab. A sandbox to run attacks and test defenses is an essential tool for anyone who wants to learn and keep their offensive and defensive security skills sharp.


  1. Greetings.

    What is the model of the ram you purchased?

  2. Hi there.

    I used two sets of Kingston KVR1066D3Q8R7SK2/16G.

  3. Looks like a nice setup. Which case and video card are you using? Also, I know it depends on a number of things, but about how many VMs are you able to run at the same time?

  4. I can comfortably run 20 or so VM's. Obviously this depends on what each VM is doing. In my case many are idle. I used a fairly generic case and the video card embedded on the motherboard.

  5. What do you use for your honeypot? Any particular package or is it just a vulnerable system that you monitor?

  6. at the risk of sounding silly, is there any chance you could upload it somewhere (I know it gotta be huge...) but I would love to attack the network without knowing it's configurations....

  7. Thanks for sharing your lab setup! Its incredibly useful! Can you tell where you got the icons for your lab diagram? Thanks.

  8. ESXi was up and running and I was logging into virtual center about 20 minutes after I had started the installation. I initially installed ESXi 4.x, but soon upgraded to ESXi 5. This process was equally straightforward. The FSS website