Solved

Simulating a private network (with a public interface) using VMware

Posted on 2008-06-13
Last Modified: 2010-04-21
Hi Experts.
I want to set-up two virtual machines on a single host machine to simulate a private network with a public interface.
I've got two machines on my LAN behind an ADSL/router/switch.  One of these machines is headless (I use VNC) and it is the headless machine which is to host the two VMs.
I want one of the VM's to act as the perimeter of the private network and it needs to have a public interface (where public doesn't actually mean public, just public as far as the VM private network is concerned) and a private interface to serve as the gateway for the other VM.
I want to install Snort on the gateway VM and I'm thinking of running it on openSUSE.
The idea is that from my main PC, I want to be able to perform attacks against the public interface of the VM network hosted on the headless PC - as if I was an attacker on the open internet.  I want to be able to VNC into the headless PC and log into the private VM and see how those attacks look from the "inside".  I'm going to use this set-up to host all kinds of services and get some experience of defending against serious attacks.

With me so far?  I'm not sure I am, so well done you! :)

So my question is really in two parts:
How do I set up VMware Workstation networking for the gateway VM to have both a public and a private network such that Snort will work on it and it will act as the gateway for the private VM?
Do I need to do anything to my LAN of two PC's to make this work?

I thank you in advance for your help.
Question by: jahboite
 
LVL 18

Accepted Solution

by:
larstr earned 275 total points
ID: 21787799
What you suggest is possible. You can set up your gateway VM with two virtual NICs: one with "host only" networking and one with "bridged" networking. If you now also put your other VMs on the host-only network and set their default gateway to the gateway PC, you should be able to achieve what you want.

As long as you don't need your two LAN PCs also behind this virtual gateway this is all you need to do to get it working.

Lars
 
LVL 12

Author Comment

by:jahboite
ID: 21788019
Thanks larstr, that sounds quite easy!
 
LVL 11

Assisted Solution

by:jfields71
jfields71 earned 225 total points
ID: 21793804
You can indeed do what you are seeking to do.  There is even a virtual appliance you can download that may save you some time: http://www.vmware.com/appliances/directory/185.  
JF
 
LVL 12

Author Comment

by:jahboite
ID: 21835993
Quick update, I'm getting closer to getting there.  I've installed openSUSE 11 (which looks great!) and have managed to get two interfaces set up on it.  I tried setting up the VM with both a Bridged and a Host-only interface from the outset, but this turned out to be a horrible idea because, for some unknown reason, the SUSE installation configured the host-only interface with an IP address but wouldn't assign one to the bridged one, and I got zero connectivity to the outside world with either.  Setting up the VM with just the bridged network and later adding the host-only one was much less problematic.  I haven't made the other (internal) VM yet, nor have I looked in any detail at whether I need to do anything to SUSE to make it act as a gateway (I see there are packages for this kind of thing, but I intend to try and do nothing), but I'm getting there...

Thanks for the suggestion JF.  This may be useful if the Snort install proves too difficult (which hopefully it won't).  I think I'm a little too paranoid to use the virtual appliance on my home network, but if the worst comes to the worst...
 
LVL 12

Author Comment

by:jahboite
ID: 22049987
Okay then.  This was fairly easy in the end, but it was a struggle getting there for various reasons.

Here's some details for those coming along after:
  • Created a new virtual network using VMware Virtual Network Editor (vmnetcfg.exe) for the private network.  Did this on the Host Virtual Network Mapping tab by assigning a subnet to VMnet2 (Not bridged).  Did not add a Host Virtual Adapter, nor configure DHCP for the network.
  • Installed openSuSE as a VMware guest OS and assigned to it a Bridged Network Interface (for the outside world) and a Custom (specific virtual network) Interface for which I selected VMnet2.
  • Already had a Windows VM for the private network side, so I just changed its adapter to VMnet2 and, as I wasn't intending to have the SUSE box do DHCP straight away, I assigned a static IP address.
  • Told SusE Network Manager that I'd manage network stuff with ifup - Network Manager seems to just want to do its own thing...
  • Configured SUSE network adapters with static IP addresses by creating scripts for eth0 and eth1 in /etc/sysconfig/network (ifcfg-eth0 and ifcfg-eth1)
  • Created a route to the internet through my real gateway/router via the bridged eth0 interface and to the private network on VMnet2 via eth1 by creating scripts in /etc/sysconfig/network (ifroute-eth0 and ifroute-eth1)
  • Configured the Windows VM network properties Gateway and DNS to point to the eth1 adapter address on the SuSE box
  • Installed BIND on the SuSE box - I hit a bug with the Yast DNS Server package which I wanted to use to set-up BIND, so for now, that's as far as I've got with BIND - I tried editing named.conf by hand, but was getting no response for DNS requests from the windows VM so I've got some more reading to do there (or wait until the bug is fixed)
Here's where I've temporarily diverged from the plan:
I haven't installed Snort yet and have instead used the SUSE firewall to set up masquerading (NAT) and IP forwarding (I can't exactly remember if I had to do something other than just turn on masquerading in order for forwarding to work).  This is just a temporary thing.

As it stands at the moment, I can:
  • Not access the windows vm from my real network.  Good.
  • Not access services on the SuSE vm from my real network, but it's sitting there on the network.  Good.
  • Talk to the outside world (and my real network) from the SuSE vm. Good.
  • Talk to the windows vm from the SuSE vm and vice versa.  Good.
  • Talk to the outside world (using IP addresses only) from the windows vm, via the SuSE vm.  Partly Good.
So I've only got the following to do:
  • Get BIND servicing client DNS requests.
  • Install Snort and make sure that it doesn't stop the SuSE vm acting as the gateway for the private network.
Anyone got any bright ideas for the last two?
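The two-NIC gateway that larstr outlined and that jahboite's write-up above configures by hand (static ifcfg-eth0/eth1, ifroute files, masquerading and forwarding), rendered as one script. This is an added example and not code from the thread; the interface names follow the write-up, but every address (192.168.1.0/24 for the real LAN, 10.10.10.0/24 for VMnet2, 192.168.1.1 for the ADSL router) is an assumed placeholder, and SYSCONFIG_DIR can be pointed at a scratch directory to preview the files before touching a real system.

```shell
#!/bin/sh
# Added example, not from the thread: render the gateway VM's network config as
# the final comment describes it. eth0 is the bridged "public" side, eth1 the
# VMnet2 private side, each with a static IP, a default route out eth0 to the
# real ADSL router, and IP forwarding plus masquerading for the private subnet.
# ALL addresses below are ASSUMED placeholders; change them to your own subnets.
# SYSCONFIG_DIR defaults to the real openSUSE location; set it to a scratch
# directory to preview the generated files without modifying the system.
SYSCONFIG_DIR="${SYSCONFIG_DIR:-/etc/sysconfig/network}"

PUB_IF=eth0;  PUB_IP=192.168.1.50; PUB_MASK=255.255.255.0; PUB_GW=192.168.1.1  # assumed LAN
PRIV_IF=eth1; PRIV_IP=10.10.10.1;  PRIV_MASK=255.255.255.0                      # assumed VMnet2
PRIV_NET_ADDR=10.10.10.0; PRIV_NET=10.10.10.0/24

# write_ifcfg IFACE IP NETMASK: a static, ifup-managed interface (ifcfg-IFACE).
write_ifcfg() {
    cat > "$SYSCONFIG_DIR/ifcfg-$1" <<EOF
BOOTPROTO='static'
STARTMODE='auto'
IPADDR='$2'
NETMASK='$3'
EOF
}

# write_routes: ifroute-IFACE files, one route per line in the openSUSE
# "destination gateway netmask interface" format ("-" = not applicable).
write_routes() {
    # everything non-local leaves through the bridged NIC to the real router
    printf 'default %s - %s\n' "$PUB_GW" "$PUB_IF" > "$SYSCONFIG_DIR/ifroute-$PUB_IF"
    # the private subnet is directly attached on eth1; ifup would add this
    # from IPADDR/NETMASK anyway, kept because the write-up creates the file
    printf '%s 0.0.0.0 %s %s\n' "$PRIV_NET_ADDR" "$PRIV_MASK" "$PRIV_IF" \
        > "$SYSCONFIG_DIR/ifroute-$PRIV_IF"
}

# gateway_cmds: what "masquerading + IP forwarding" boils down to underneath
# the SuSE firewall. Printed, not executed, so the rules can be reviewed first;
# on the gateway apply them with:  gateway_cmds | sh
gateway_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $PRIV_NET -o $PUB_IF -j MASQUERADE
iptables -A FORWARD -i $PRIV_IF -o $PUB_IF -s $PRIV_NET -j ACCEPT
iptables -A FORWARD -i $PUB_IF -o $PRIV_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# check_config: checks worth making before restarting the network: both static
# addresses present, the only default route is via the public NIC, and NAT is
# applied solely to private-subnet traffic leaving the public NIC.
check_config() {
    grep -q "^IPADDR='$PUB_IP'"  "$SYSCONFIG_DIR/ifcfg-$PUB_IF"  || return 1
    grep -q "^IPADDR='$PRIV_IP'" "$SYSCONFIG_DIR/ifcfg-$PRIV_IF" || return 1
    grep -q "^default $PUB_GW - $PUB_IF" "$SYSCONFIG_DIR/ifroute-$PUB_IF" || return 1
    if grep -q '^default' "$SYSCONFIG_DIR/ifroute-$PRIV_IF"; then return 1; fi
    gateway_cmds | grep -q -- "-s $PRIV_NET -o $PUB_IF -j MASQUERADE" || return 1
    gateway_cmds | grep -q 'ip_forward=1' || return 1
}

# render: write all four files into SYSCONFIG_DIR.
render() {
    mkdir -p "$SYSCONFIG_DIR"
    write_ifcfg "$PUB_IF"  "$PUB_IP"  "$PUB_MASK"
    write_ifcfg "$PRIV_IF" "$PRIV_IP" "$PRIV_MASK"
    write_routes
}

# ./gateway.sh render  -> write the files, verify them, print the firewall rules
if [ "${1:-}" = "render" ]; then
    render && check_config && gateway_cmds
fi
```

The FORWARD chain only lets new connections originate on the private side, which is what the write-up observes (the Windows VM is unreachable from the real LAN, but can reach out through the gateway). The bridged eth0 itself stays reachable from the real LAN, so the "attacker" PC targets that address directly. As for the open Snort question: Snort in its default passive IDS mode (snort -i eth0 -c snort.conf) only puts the interface into promiscuous mode and reads copies of packets; it is not in the forwarding path, so it cannot stop the VM from routing or masquerading. Only Snort's inline mode sits between interfaces, and that is not needed here.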
 
LVL 12

Author Closing Comment

by:jahboite
ID: 31467126
Thank you for your input.
