
1. Objective

The primary objective of this project is to build a fully isolated, high-fidelity virtual environment that closely simulates real-world corporate network architectures. This lab serves as a safe sandbox for developing and practicing both offensive and defensive cybersecurity skills, including:

  • Offensive Security: Practicing penetration testing, exploitation, and post-exploitation techniques.

  • Defensive Security: Implementing monitoring solutions (SIEM), firewalling with pfSense, and performing log analysis.

  • Network Engineering: Gaining hands-on experience with VLAN segmentation, routing, and traffic flow management.

In summary, the goal of this project is a realistic enterprise-like virtual environment for learning ethical hacking (Offensive Security) and cyber defense (Defensive Security) inside a sandbox that is isolated from the host and home network, so attacks, misconfigurations, and detection rules can be tested freely without putting any real system at risk.


2. Network Architecture Philosophy

The lab environment is designed using a Zoned Architecture model to ensure granular control over network traffic and security boundaries:

  • External Zone: Represents the untrusted public network where attackers reside (e.g., Kali Linux, CommandoVM).

  • DMZ (Demilitarized Zone): Hosts public-facing services such as web and mail servers that require tightly controlled and monitored access.

  • Internal Zone: The trusted core network containing sensitive assets such as Active Directory, databases, and client machines.

  • SIEM Layer (The Observer): A centralized visibility and monitoring layer (e.g., Wazuh/ELK) that collects and analyzes events from all zones.

Design philosophy: The network relies on a zone-based model to strictly control data flow. It separates attackers, public services, and protected internal assets, while adding a SIEM layer to monitor and correlate all activities across the environment.


3. Key Exceptions & Customizations

To optimize the lab specifically for learning and experimentation, several intentional customizations were applied:

  • Hybrid Access: Unlike strict production environments, controlled direct communication between the Internal and External zones is permitted to enable flexible testing and complex attack scenarios.

  • NAT Gateway: Instead of a Bridged Adapter, a VirtualBox NAT Network is used as the lab's uplink. It provides:

      ◦ Isolation: Lab VMs are never placed on the physical network. Nothing on the host or home LAN can initiate connections into the lab, because the NAT Network only translates outbound traffic and no port-forwarding rules are defined.

      ◦ Internet Access: Outbound-only connectivity for system updates and tool downloads, which a fully air-gapped internal network would not allow.

These adjustments keep the lab off the physical network while preserving the flexibility required for realistic offensive and defensive security training.
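The following script is an added example (it is not part of the original project) showing how the zones from section 2 and the NAT Network choice from section 3 map onto VirtualBox networking with VBoxManage. The External zone is the NAT Network, shared by the pfSense WAN interface and the attacker machine; the DMZ, Internal, and SIEM zones are VirtualBox internal networks that are only reachable through pfSense, which gets one adapter in each zone. The VM names (pfsense, kali, bwapp, ms3-linux, ms3-win, dc01, win11, siem), the network names (LabNAT, DMZ, LAN, SIEM), and the 10.0.2.0/24 subnet are assumptions chosen for the example; the VMs must already exist and be powered off, since modifyvm cannot change adapters on a running VM.

```shell
#!/bin/sh
# Added example, not the project's own code. Wires the lab zones onto
# VirtualBox networks:
#   External  -> NAT Network "LabNAT" (pfSense WAN + attacker boxes; outbound
#                internet via VirtualBox NAT, no port forwarding inbound)
#   DMZ       -> internal network "DMZ"
#   Internal  -> internal network "LAN"
#   SIEM      -> internal network "SIEM"
# VM names, network names and the subnet are assumptions for this example.
# DRY_RUN=1 prints the VBoxManage commands instead of executing them.
set -eu

NATNET_NAME="${NATNET_NAME:-LabNAT}"
NATNET_CIDR="${NATNET_CIDR:-10.0.2.0/24}"

# Execute a command, or print it when DRY_RUN=1 (used by the "plan" mode).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Map a zone name to the VBoxManage adapter arguments for adapter slot $2.
# An unknown zone is an error, so a typo cannot silently put a VM on the
# wrong network (e.g. a target on the attacker's segment).
zone_nic_args() {
  zone="$1"; slot="$2"
  case "$zone" in
    External) echo "--nic${slot} natnetwork --nat-network${slot} ${NATNET_NAME}" ;;
    DMZ)      echo "--nic${slot} intnet --intnet${slot} DMZ" ;;
    Internal) echo "--nic${slot} intnet --intnet${slot} LAN" ;;
    SIEM)     echo "--nic${slot} intnet --intnet${slot} SIEM" ;;
    *)        echo "unknown zone: ${zone}" >&2; return 1 ;;
  esac
}

# Attach one adapter of a VM to a zone. Usage: attach_vm <vm> <slot> <zone>
attach_vm() {
  vm="$1"; slot="$2"; zone="$3"
  args="$(zone_nic_args "$zone" "$slot")"
  # Word-splitting $args into separate arguments is intended here.
  run VBoxManage modifyvm "$vm" $args
}

# Build the whole topology. Only pfSense has a leg in more than one zone;
# every other VM is single-homed so all inter-zone traffic crosses the firewall.
build_lab() {
  # The NAT Network is the only path out of the lab. DHCP stays on so the
  # pfSense WAN picks up an address from VirtualBox's NAT gateway.
  run VBoxManage natnetwork add --netname "$NATNET_NAME" \
    --network "$NATNET_CIDR" --enable --dhcp on

  # pfSense: WAN on adapter 1 (External), one adapter per protected zone.
  attach_vm pfsense 1 External
  attach_vm pfsense 2 DMZ
  attach_vm pfsense 3 Internal
  attach_vm pfsense 4 SIEM

  attach_vm kali      1 External   # attacker shares the WAN segment
  attach_vm bwapp     1 DMZ        # public-facing targets
  attach_vm ms3-linux 1 DMZ
  attach_vm dc01      1 Internal   # trusted core
  attach_vm win11     1 Internal
  attach_vm ms3-win   1 Internal
  attach_vm siem      1 SIEM       # the observer
}

# "plan" prints the commands, "apply" runs them; no argument does nothing,
# so the file can be sourced to reuse the functions.
case "${1:-}" in
  plan)  DRY_RUN=1 build_lab ;;
  apply) build_lab ;;
esac
```

Run `sh lab-net.sh plan` to review the exact VBoxManage calls before `sh lab-net.sh apply`, and afterwards `VBoxManage showvminfo <vm> --machinereadable` to confirm which network each adapter landed on. One pfSense-specific check follows from this design: because the WAN interface sits on an RFC 1918 NAT Network, pfSense's default "Block private networks and loopback addresses" setting on WAN will drop the attacker's traffic from the External zone until it is disabled on that interface.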


4. Tech Stack

  • Virtualization: Oracle VirtualBox

  • Vulnerable Systems:

      ◦ bWAPP

      ◦ Metasploitable3 (Windows)

      ◦ Metasploitable3 (Linux)

  • Operating Systems:

      ◦ Windows Server (Domain Controller)

      ◦ Windows 10/11 (Client Machines)

      ◦ Kali Linux (Attacker)

      ◦ Ubuntu (SIEM Server)

  • Networking: pfSense Firewall

  • Monitoring: SIEM solution (ELK Stack)