From: Peter Manis (manis@digital39.com)
Date: Wed Aug 15 2007 - 10:18:49 EDT
As I have mentioned, I am buying some 2950s and I have gotten a few
recommendations from people for a CCNA lab, but as far as the PIX and
additional routers what should I work towards getting to have a good
lab? Nothing immediate, but the end result.
- PM
On 8/15/07, Pete Herzog <lists@isecom.org> wrote:
> Hi,
>
> Over the last 6 years we have studied the differences of tests against
> various platforms of virtual and real systems. This has led us to making
> the best possible test network we can for the OPST and OPSA certification
> exams. What we have found is that there is a large difference between them
> on the network packet level but almost none on the application level
> (although various application tests do rely on the encapsulating protocol
> so YMMV).
>
> What's most important is the the tester's machine is NOT virtual. Because
> the low-level problems at packet level do multiply during testing multiple
> systems. However for a complete lab set up, make sure your virtual systems
> are as close to the OS as possible- kernel level preferably, or else use
> the real thing directly on metal. If you will only be doing application
> tests, then it probably matters very little and go with your higher level
> virtual machines.
>
> One final note, as Jerry mentions, make sure your network devices are real!
> Don't try to virtualize networking because it is very complicated and
> will look very fake. We tested virtual networks and virtual networking but
> such systems could not handle team traffic (low-to-medium traffic) without
> producing errors. If you want to virtualize port forwards and simple hops,
> you can et away with that between low-level virtualized machines but don't
> try to duplicate anything else or else your error rate will compound and
> make your analysis practically worthless.
>
> Sincerely,
> -pete.
>
>
> Shenk, Jerry A wrote:
> > I've found a few tests that worked against virtual machines but did not
> > work against real machines. I agree, in most cases, there really is no
> > difference.
> >
> > I also have some routers in my lab. That way, I can set up egress
> > filtering between the servers and the attackers in the lab. That will
> > help you get some realism about some things, particularly local exploits
> > of machines inside the network (like an Exchange client attack). I
> > think that also increases your credibility when talking with
> > clients...for example, "In the lab, we set up egress filtering...blah,
> > blah, blah...and with the filtering enabled, the remote exploit of the
> > Exchange client worked in that it crashed the client but it made it much
> > more difficult to get to a command-prompt on that box." That's not
> > really part of the pen-test itself but the real goal of the pen-test is
> > to make the network more secure and it definitely goes toward explaining
> > to the client how to make their network more secure.
> >
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:02 EDT