Secure Networking - A Company Network Project on Open-Source
Practice building a company-like network project on GNS3 using a Linux nftables firewall cluster, PacketFence NAC, pfSense, strongSwan IPSec, and WireGuard VPN. Learn network security, pentesting, Kali Linux, and Wireshark.
Course Curriculum
(15.5 hours)
- Network Topologies - Bus, Ring, Mesh and Hybrid (5:52)
- Network Types - LAN, WLAN, WAN, SAN, MPLS and SDWAN (4:26)
- OSI Network Model vs. TCP/IP Model (8:38)
- Network Protocols and Services (8:04)
- IP Addressing (10:17)
- IP Subnetting (5:37)
- Routing - ANDing, Default, Static, Dynamic Routes (10:17)
- Switching - VLANs, STP, LAG and MLAG (12:28)
- Network Architecture - 3 Tiers vs. Spine Leaf Design (4:15)
- Part 1: 50 "must-know" shell commands working on any Unix-like OS since the 70s (14:23)
- 50 years of Unix-like heritage: Research Unix, BSD, GNU, Linux and macOS (5:17)
- Part 2: 50 "must-know" shell commands working on any Unix-like OS since the 70s (10:36)
- Part 3: 50 "must-know" shell commands working on any Unix-like OS since the 70s (15:44)
- Part 4: 50 "must-know" shell commands working on any Unix-like OS since the 70s (9:24)
- vi basics - a ubiquitous screen-oriented text editor on any Unix-like OS (13:21)
- net-tools and/or iproute2 - Networking tools on any Unix-like OS (4:35)
- Quick-tour of packet capture analysis (9:27)
- Clarifying Wireshark vs. TShark vs. TermShark vs. TCPDump (27:30)
- Why learn packet analysis? A use-case exposing RCE attack payload (7:37)
- Installing Wireshark, Termshark, TShark and TCPDump on Kali Linux (3:16)
- Installing Wireshark and TShark on MS Windows (6:27)
- TCPDump use-cases: credentials, Cookies, headers, URL, remote packet capture (23:08)
- Wireshark interface walkthrough and possibilities (26:47)
- Wireshark filters, syntax glossary, PCAP investigation, chaining, HTML rebuild (32:21)
- TCP/IP Model revisited in Wireshark (13:07)
- Packet analyses with PCAP visualization (17:27)
- Capturing packets on GNS3 links using Wireshark (10:28)
- Important Note: Cumulus Linux Version Upgrade
- Nvidia Cumulus Linux - An Open-Source Linux-based Switch (2:30)
- Headquarters - Creating physical connectivity with spine-leaf design (5:19)
- Headquarter - Adding Alpine Linux clients (6:03)
- Headquarter - Layer 2 Configuration - Interfaces and VLANs - Part 1 (9:06)
- Headquarter - Layer 2 Configuration - Interfaces and VLANs - Part 2 (7:17)
- Headquarter - Spanning Tree Protocol (STP) on Cumulus Linux switches (7:41)
- Headquarter - Creating virtual layer 3 interfaces for management VLAN (5:46)
- Headquarter - Configuring Bond interfaces, LAG and MLAG in Cumulus Linux - P1 (10:25)
- Headquarter - Configuring Bond interfaces, LAG and MLAG in Cumulus Linux - P2 (7:52)
- Branch Office - Network Preparation in GNS3 (2:13)
- Branch Office - Switches Trunk & Access ports, VLAN interfaces, Bonds & MLAG (14:34)
- READ ME FIRST
- Headquarter - Create a custom VM for the openSUSE Linux Server cluster (5:34)
- Headquarter - Change network adapters type to Paravirtualized Network I/O (1:24)
- Headquarter - Creating bond interfaces on openSUSE Linux with LACP mode (15:19)
- Headquarter - Troubleshooting inter-cluster Bond connectivity issues on Linux FW (10:58)
- Headquarter - Configure MLAG on Cumulus switches for firewall cluster bond links (7:03)
- Headquarter - Configure virtual VLAN interfaces on linux firewall cluster (13:16)
- Headquarter - Disable IPv6 on the Linux firewalls (0:56)
- Headquarter - Installing keepalived (VRRP) on both OpenSUSE Linux firewalls (4:14)
- Headquarter - Configuring keepalived (VRRP) for OpenSUSE firewall HA cluster (12:35)
- Introduction to netfilter framework - Part 1 (8:59)
- Introduction to netfilter framework - Part 2 (6:38)
- Headquarter - Change default policies of iptables chains to explicit drop (4:47)
- Create IPTables service on openSUSE firewall cluster & TShooting the service (13:16)
- Headquarter - Create iptables service on the slave firewall (2:20)
- Headquarter - Providing internet to VLAN 20 using MASQUERADE NAT rules (12:12)
- Headquarter - Configure Linux DHCP Server to assign each VLAN's own IP range (10:26)
- Headquarter - Start creating Inter-VLAN iptables rules on OpenSUSE FW cluster (9:19)
- Headquarter - Continue creating Inter-VLAN iptables policies on firewall cluster (12:32)
- Headquarter - Creating iptables DNAT rules to publish web server from DMZ VLAN (7:00)
- Headquarter - Restrict & log SSH Brute-force attacks with iptables RECENT module (6:54)
- Headquarter - Visualize iptables rules with gressgraph (2:03)
- Headquarter - nftables basics (9:07)
- Headquarter - Transform iptables rules into nftables & create an nft service, P1 (9:28)
- Headquarter - Transform iptables rules into nftables & create an nft service, P2 (4:33)
- Headquarter - Restrict SSH Brute-force attacks for 5 minutes with Linux nftables (8:16)
- Branch Office - Installing pfSense machines in GNS3 (4:10)
- Branch Office - Reassigning the interfaces and start the initial pfSense config (5:19)
- Branch Office - Configure pfSense interfaces, LAGG, VLAN interfaces and pfSync (11:06)
- Branch Office - Setup pfSense High-Availability & MLAG between Cumulus and pfSense (14:56)
- Branch Office - Configure pfSense DHCP server for clients and management VLANs (5:12)
- Branch Office - Create aliases in pfSense and add floating & VLAN firewall rules (12:31)
- Branch Office - Create Inter-VLAN rules from Clients and Mgmt to DMZ on pfSense (5:36)
- Branch Office - Setup UFW on Ubuntu Web server in DMZ & test inter-VLAN access (9:12)
- Branch Office - DNAT or Reverse NAT for web server access in DMZ from internet (3:35)
- Setup Site to Site VPN between OpenSUSE Linux and pfSense using strongSwan - P1 (17:15)
- Setup Site to Site VPN between OpenSUSE Linux and pfSense using strongSwan - P2 (11:32)
- Troubleshooting Site to Site IPSec VPN between OpenSUSE Linux and pfSense (4:15)
- Preparing OpenVPN server on pfSense - CA server, certificate & export plugin (5:39)
- Setup OpenVPN remote access on pfSense & setup home-office Ubuntu OpenVPN client (17:00)
- Setup WireGuard VPN between OpenSUSE firewall and Ubuntu as remote IoT client (15:28)
- How NAC works? EAP, EAPoL, RADIUS, dot1x - P2 (4:19)
- How NAC works? EAP, EAPoL, RADIUS, dot1x - P1 (12:05)
- Installing PacketFence NAC Server on a Debian Linux (10:51)
- Initializing PacketFence Web Configurator (9:10)
- Deploying Network Access Server (NAS) and FreeRADIUS with MAB Profiles (9:47)
- Configure IEEE 802.1X, Parking & Dynamic VLAN assignment on Cumulus Linux Switch (11:16)
- Reconnaissance of headquarter network using NMAP (10:52)
- Introduction to penetration testing for this project (6:08)
- Implementing SSH brute force against headquarter using our NMAP findings (13:44)
- ARP Poisoning attack to capture headquarter network traffic e.g. credentials (14:32)
- DHCP starvation attack against OpenSUSE DHCP server in headquarter (DOS attack) (8:19)
- DHCP spoofing by Yersinia in headquarter to deviate the network gateway and DNS (8:27)
Course description
When it comes to open-source, the sky is the limit!
In a nutshell, you will build a company-like network with a headquarters and a branch office on Unix-like OSs and open-source tools, then try to hack its vulnerabilities.
Everything from switches to endpoints, clustered firewalls, servers (including the Network Access Control, or NAC, server), jumpers, and anything else is built on a flavor of Linux such as openSUSE, Alpine Linux, Debian, or Ubuntu, or on a Unix-like OS such as FreeBSD.
Network security should be embedded into the nature of the corporate network, and that is what we learn in this course.
We do not care much about vendors and logos, but practical concepts. For example, we dive into Shell commands, TCP/IP and networking fundamental concepts, and core network security principles using open-source, yet industry-proven products.
We aim to teach you how standard networking concepts are "designed" and are also "applied" in work environments.
Why a pure Linux-based network? Besides the fact that Linux runs the world, if you learn secure networking using Linux, Unix, and open-source tools, you will feel pretty confident about their commercial equivalents. For example, if you learn network firewalling using iptables and nftables, you won't have any issues with Cisco FirePower, FortiGate, or Juniper firewalls.
As said, we are not into vendors; we are interested in standardized theoretical concepts and practical techniques. This method will give you a firm conceptual understanding of the underlying technologies and an idea of how finished products like Cisco switches, FortiGate firewalls, Cisco ISE NAC, HPE Aruba, and so on actually work behind the scenes.
In the end, you will run the most common network attacks using Kali Linux against the network you built yourself.
Your Learning Key-Terms:
Virtualization
GNS3 Lab (with Hyper-V & VirtualBox Integration)
TCP/IP
OSI Model
Network Topologies
IP Subnetting
VLAN
Traffic Tagging
Trunking
NIC Teaming
LAGG (Link Aggregation)
MLAG (Multi-Chassis Link Aggregation)
Bond Modes: Active-Backup, 802.3ad (LACP)
Bridging
Spanning Tree
Inter-VLAN Routing
Routing & ARP Tables
MAC Flood
IEEE 802.1X & MAB (MAC Address Bypass)
Network Access Control (NAC)
PacketFence (Open Source NAC)
Extensible Authentication Protocol (EAP) (EAPoL)
RADIUS (FreeRADIUS)
Linux Open Source Networking
Nvidia Cumulus Linux Switch
openSUSE Linux
Ubuntu Linux
Alpine Linux
Linux Shell Command Line
Firewalls
Netfilter Framework
Packet Filtering
iptables
nftables
Packet Capture Analysis
Wireshark, TShark, Termshark, and TCPDump
Linux Clustering
keepalived
VRRP
ConnTrack
Virtual Private Network (VPN)
OpenVPN
strongSwan IPSec (swanctl)
WireGuard
pfSense Firewall (FreeBSD)
pfSense Cluster
Next-Gen Firewall
Demilitarized Zone (DMZ)
Ethical Hacking Network Attacks and Techniques
SSH BruteForce Attack
MITM with MAC Spoofing Attack
MITM with DHCP Spoofing Attack
DOS Attack (POD, SYNFLOOD, BPDUs, CDP)
Yersinia
DHCP Starvation
DNS Spoofing
Offensive Packet Sniffing
ARP spoofing, ARP cache poisoning attack
Network hacking
Cyber security
Network Hardening Solutions
What you’ll learn
- Learn network security, open networking & Linux engineering in one tutorial
- Building up a company-grade segmented network entirely on Unix-like OSs
- Grasp the full picture of the underlying technologies in network security
- Project-based learning of firewall clusters on OpenSUSE Linux as well as pfSense
- Learn about NAC (802.1X, EAP, EAPoL) using PacketFence to reject or accept clients on switches
- Networking core fundamentals such as Traffic Tagging using VLANs, Trunking, STP, subnetting, LAG, MLAG, etc.
- Learn firewall's core functionalities & be able to work with any firewall, no matter what brand
- Initial to advanced configuration of Nvidia Cumulus Linux switches
- Learn how head & branch offices securely communicate using IPSec site to site VPN
- Learn the most common network attacks and penetration testing techniques
- Learn underlying cluster technologies e.g. Keepalived & VRRP on Linux
- Practicing network security by segmentation, compartmentalization, & isolation
- Learn how to create different VLANs in a company and control the traffic between them
- Setting up Linux based DHCP server to serve IP addresses in different VLANs
- Learn network redundancy methods e.g. LACP (802.3ad), balance-rr, balance-xor, etc. on Linux, pfSense and Cumulus switch
- Learn how to migrate from iptables to nftables
- Project-based learning of advanced pfSense firewall features
- Project-based learning of packet capture & analysis using Wireshark, TShark, TermShark & TCPDump
- Learn about openSUSE, AlpineLinux, Debian, Ubuntu and FreeBSD
- Implement IPSec VPN on openSUSE using strongSwan
- Configuring OpenVPN remote access for home office users
- Configuring WireGuard remote access for IoT devices (key based authentication)
- Learn how to harden SSH logins using two-factor authentication (2FA)
- Learn virtualization using VirtualBox and GNS3
- Yersinia attack toolkit
Are there any course requirements or prerequisites?
- No prior programming knowledge required
- Basic IT & networking skills
- A virtualization compatible computer
- Internet connection
- Passionate curiosity for learning (is a must)
Who this course is for:
- Computer Students, learners and enthusiasts
- IT administrators
- Network engineers
- Linux engineers
- Cybersecurity specialists
- Firewall administrators