It was raining this weekend so I decided to finish up putting together a subnet in my home network for testing the Raspberry Pi. This will also serve as an enclave for using PwnPi to do some penetration testing. I have decided to get back into the swing of things security wise since I am taking another certification class. I have been wanting to learn how to do penetration testing in preparation for going after a CEH (Certified Ethical Hacker) certification. This is outside of the ISC2 certification domain; where I already have a CISSP (Certified Information Systems Security Professional). I have a multifold purpose for wanting to do this:
- I want to have a separate (logically and physically) network for penetration testing using PwnPi.
- Doing penetration testing will not only help me to learn but will also let me know where the weaknesses are in my network.
- I want to have a separate network setup to support development work on the RPi.
- I want to have a network setup to test out the new OpenWRT package that runs on the RPi; therefore, I need to be able to place the RPi in a router like position easily.
In my house I have three routers and three managed switches which I can use to define separate networking elements. On one end of the house I have a Mac Mini which I use as a server for experimentation along with several other physical servers which are normally turned off until I want to do some experiments. Why? Because I want to learn something about networks and this way I can immerse myself in some learning topic without having to pay money for classes. At the other end of the house is the RPi experimenters area. I have a managed switch close to the Mac Mini and another managed switch close to the RPi experimenters area. The three managed switches are 1GB ethernet switches, so the ethernet cable between them carries a 1GB stream. I use this as the backbone for my home network. I realize that it is overkill, but it allows me to do some interesting things. For my purposes, I wanted to move one of the routers to the RPi experimenters area and set up the switches so that I could use the Mac Mini to host some virtual machines to be connected to the RPi experimenter area. Diagrammatically it looks like this (most of the information was removed to help in the discussion):
A secondary ethernet port was added to the Mac Mini by plugging in a USB to ethernet cable. By setting up the router between two ports on the RPi experimenter managed switch, I am able to use the router to move between two separate Vlans. Vlans (IEEE 802.1Q) are virtual lans and can have the property that more than one vlan traffic can be moving down the same wire but yet not have packets that interfere with each other. In my case the 1GB wire between the two managed switches have tagged vlan packets that are logically isolated from each other. This wire carries information from the VMs running on the Mac Mini through the separate Vlan to the router (LAN side). This in turn is mixed in with the information on the RPis. The router provides isolation between the Vlans and in a pinch can be disconnected from the main home network; for extra security. The RPi managed switch and router are in close proximity and I can unplug the unmanaged switch (connecting the RPis together and plug it into the managed switch on a port which is in the home network as necessary. This is not the only separated Vlan running through my house but I need the isolation in order to continue PwnPi experiments. Should be fun.
