Overview of ISERink¶
ISERink is a cyber-security playground designed to provide a realistic network environment that mimics the Internet. At the heart of ISERink is a collection of virtual machines running UNIX with custom software used to implement the ISEAGE virtual network. Several other virtual machines designed to provide various services (i.e. scoring, DHCP, etc.) are also provided.
ISEAGE is a network testbed developed at Iowa State University with funding from the Department of Justice that is designed to allow for the simulation of various network configurations. The core of the ISEAGE testbed is a routable IP network. The routable IP network supports the traffic to and from the networks and systems under test. The routable IP network is accomplished using a custom program called ISEFlow. The ISEFlow is a modified router that creates virtual networks that can be interconnected to create a large virtual network. The ISEFlow can act as a set of virtual routers so that traffic appears to have routed through the Internet.
You can think of ISERink as 45 subnets interconnected using a backbone network to create what we call the Competition Network, see Fig. 2. One physical NIC provides the connection to the Internet for Web traffic, remote access to the scoring system (IScorE), and VM management. In addition, a physical NIC is used for the white team to manage ISERink, and another is used to collect the network traffic.
Fig. 3 shows the topology of the VMs that create the routable Internet (ISEAGE) along with the machines that make up ISERink. As shown in Fig. 3 ISEAGE supports 45 subnets with netmask /24 (15 on NIC2, NIC3, and NIC4). In addition, NIC1 is used for the White Team to manage ISERink, and NIC5 is used to dump and collect the network traffic.
NOTE: Each of the 45 competition subnets are external to the ESXi machine running ISERink. These subnets are connected to ISERink via the physical NICs (2,3,4). For each subnet, ISERink looks like a gateway (egress) router. The address of the gateway for each of the competition subnets is xxx.xxx.xxx.254.
ISERink Internet Access¶
In order for ISERink to function completely, it will need access to the Internet. There are three external IP addresses that are used by ISERink: ESXi management, Snowbank, and IScorE. All access to the Internet is through NIC0. There are two typical methods to connect ISERink to the public Internet. The first is behind a NAT/FW as shown in Fig. 4, and the second is directly to the Internet (Fig. 5). For each configuration, we will discuss the three IP addresses.
ISERink Behind NAT¶
When ISERink is connected to a private network behind a NAT, you will need three private IP addresses: one for ESXi management, one for Snowbank, and one for IScorE.
ESXi Management: The machine used to configure and manage ISERink needs to be on the same network that the ESXi management port (NIC0) is located. While you can configure your firewall or NAT to forward or tunnel the ESXi management traffic, it is generally easier to place the management PC on the same network.
Snowbank: The devices on the Competition Network can access the Internet using a limited set of protocols (DNS, HTTP, HTTPS). This is accomplished using an air-gap proxy. The external interface of this proxy needs to be connected to the Internet. This connection is made through Snowbank. On Snowbank, set the WAN interface to one the three private IP addresses and set the default gateway to your private network’s existing gateway.
IScorE: IScorE is connected to three different networks. First, it is connected to an internal private network that is not used unless you decide to install a dedicated Active Directory server to support IScorE account management. Second, it is connected to the Competition Network to enable service scanning and to allow the teams to access documents within the Competition Network. Lastly, it will be connected to your private network using one of the three IP addresses, providing access to IScorE on this network. This can also be made accessible over the Internet if you enable port forwarding or tunneling rules through your private network’s NAT for HTTP/HTTPS traffic.
Public Internet¶
When ISERink is connected directly to the public Internet, you will need up to four public IP addresses: one for Snowbank, one for IScorE if you want it to be accessible from the Internet, one for the ESXi server* if you want it to be accessible from the Internet, and the last one for Windows Active Directory Server if you decide to use a publically accessible Windows AD server for IScorE account management. If you don’t already have a publically addressable AD and are planning to build one solely for ISERink, it is advised that you do so and connect it to the private network that is directly connected to IScorE.
ESXi Management: If you choose to set the ESXi server to a public IP, then any computer that can access the Internet could be used for ESXi Server Management. [1]
Snowbank: The WAN interface requires a Public IP address if ISERink is directly connected to the Internet. Set the default gateway according to your ISP.
IScorE: IScorE is connected to three different networks. First, it is connected to an internal private network that is currently not needed, however this is a good option if you choose to install a dedicated Active Directory to support IScorE account management. If you server had a spare NIC, then you could attach VMNIC6 to the vSwitch 11 for this, or if your server has capacity to host the AD as a VM then simply connect it that VM to vSwitch 11. Second, it is connected to the Competition Network to enable scanning and to allow the teams to access documents within the Competition Network. Lastly, you can place a public IP address on one of the IScorE NIC’s and make it accessible on the Internet.
Fig. 6 shows a more detailed view of ISERink. The additional virtual machines are used to manage ISERink, provide scoring, and to support the Green, and White teams. In the diagram, red boxes indicate virtual computers, yellow boxes indicate internal virtual switches, and the green boxes indicate virtual switches that are attached to a physical NIC on the ESXi server.
[1] | Use caution when attaching an ESXi server to the public Internet. Ensure that it has a strong password, and disable or lock down, using ESXi’s firewall, management services such as SSH. |
ISERink Component Overview¶
Snowbank¶
This is the main firewall between ISEAGE and the Internet. All traffic directed to the Internet is routed through this pfSense firewall.
Snowflake¶
This is the machine that controls the configuration and management of ISEAGE running on the Board VMs. The ISEAGE configuration file is stored on this machine and distributed to the Board VMs.
Keyhole 1¶
This machine has a Squid proxy server running (http://199.100.16.100:3128) that allows access to HTTP(S) resources on the Internet. This machine also has a DNS server running on it that resolves the internal addresses of the ISEAGE machines.
Keyhole 2¶
This machine has a Squid proxy server that proxies requests from Keyhole1 to Snowbank.
Board 1¶
Runs the ISEFlow software on which the ISEAGE network traffic is routed through. This particular board is set up to handle the traffic for Blue Teams 1-15.
Board 2¶
Runs the ISEFlow software on which the ISEAGE network traffic is routed through. This particular board is set up to handle the traffic for Blue Teams 16-30.
Board 3¶
Runs the ISEFlow software on which the ISEAGE network traffic is routed through. This particular board is set up to handle the traffic for the Red and Green Teams.
Board 4¶
Runs the ISEFlow software on which the ISEAGE network traffic is routed through. This particular board is set up to handle the traffic for the White Team.
Board 5¶
Runs the ISEFlow software on which the ISEAGE network traffic is routed through. This particular board is set up to act as a TAP board. This means that all ISEAGE traffic is routed through this board and can be monitored on the TAP interface.
IScorE¶
This VM runs the IScorE web application that facilitates scoring and uptime scanning of the Blue Teams. Blue, Green, Red, and White Teams all use IScorE.
White-DHCP¶
Used to manage the White Team IP address space. Uses a pfSense firewall to provide DHCP services.
Green-KALI¶
Used to test ISERink.