From Knelcorpwiki

Contents 1 KNEL Corporate Network Information 1.1 Main rack layout 1.2 VLAN Details 1.2.1 VLAN Overview 1.2.2 Production VLANs 1.2.3 Wireless Development VLANs 1.2.4 Product Development VLANs 1.2.5 Virtualization VLANs 1.2.6 Malware VLANs 1.3 Production Network 1.3.1 Traffic flow 1.3.2 Switch documentation 1.3.3 Internal Production Network (physical hosts and virtual machines) 1.3.4 External production network (DMZ) 1.4 Virt machine details 1.5 Development Network 1.5.1 Traffic flow 1.5.2 Switch documentation 1.5.2.1 Wireless Gear 1.5.2.2 Wired gear 1.5.3 Internal Development Network (virtual hosts) 1.5.3.1 VOIP 1.5.3.1.1 Mikes VOIP Stuff 1.5.3.2 lay3r8 1.5.3.2.1 lay3r8 VOIP Stuff 1.5.3.2.2 lay3r8 Parallel Computing 1.5.3.2.3 lay3r8 Malware 1.5.3.2.3.1 Windows 1.5.3.2.3.2 Unprotected Windows 2003 1.5.3.2.3.3 Unprotected Windows Vista 1.5.3.2.3.4 Unprotected Windows XP 1.5.3.2.3.5 Protected Windows 2003 1.5.3.2.3.6 Protected Windows Vista 1.5.3.2.3.7 Protected Windows XP 1.5.3.2.3.8 Linux 1.5.3.2.3.9 Unprotected Centos 5 1.5.3.2.3.10 Unprotected Ubuntu 9.10 1.5.3.2.3.11 Protected Centos 5 1.5.3.2.3.12 Protected Ubuntu 9.10 1.5.3.2.3.13 Network 1.5.4 External Development Network (DMZ)

KNEL Corporate Network Information

Main rack layout

• TOP OF RACK
  • Production wireless access point from t-mobile
  • DSL modem
  • Cordless phone
• Black shelf (with 14 wireless access points, (development ps3, cisco lab 1841 router) )
• Cisco lab 4000 (top)
• Cisco lab 4000 (bottom)
• Cisco lab Catalyst 5002
• Cisco lab 3900
• Cisco lab 3920
• Cisco lab AS5200
• Power strip
• Cisco production 3548xl
• Cisco lab 2611
• Cisco lab 2500
• Cisco lab 2500
• Cisco lab 2500
• Cisco lab 2924 switch (top)
• Cisco lab 2924 switch (bottom)
• Cisco lab 3640 router
• Main Server
• BOTTOM OF RACK

Next to the rack is the printer.

VLAN Details

VLAN Overview

Classname	Description
black	production vlan
blue	non production vlan
lime	trusted
gray	semi trusted
red	non trusted

Production VLANs

Superclass	Subclass	VLAN ID	description	Associated Subnet
black	lime	2	Internal wired production devices (main-server, mythfe-livingroom, printer)	10.10.4.0/24
black	lime	3	Internal wireless users (mac filtered, hidden essid and associated blackberrys/ipod touches/laptops)	10.10.4.0/24
black	gray	4	Guest wireless users (thewybles-guest essid)	10.10.5.0/24
black	lime	5	Production private DMZ (VPN termination)	10.10.6.0/24
black	gray	6	Production public DMZ (knownelement.com etc)	10.10.7.0/24

Wireless Development VLANs

Superclass	Subclass	VLAN ID	description	Associated Subnet
blue	lime	8	OLSR Mesh network	10.12.1.0/24
blue	lime	9	Batman Mesh network	10.12.2.0/24
blue	lime	10	Mesh potato network	10.12.3.0/24

Product Development VLANs

Superclass	Subclass	VLAN ID	description	Associated Subnet
blue	lime	7	Mikes Development VOIP vlan	10.11.1.0/24
blue	lime	11	lay3r8 voip development vlan	10.11.2.0/24
blue	lime	13	parallel computing lab	10.10.8.0/24

Virtualization VLANs

Superclass	Subclass	VLAN ID	description	Associated Subnet
blue	gray	14	vmware lab	10.10.9.0/24
blue	lime	15	xen lab	10.10.10.0/24
blue	lime	16	kvm lab	10.10.11.0/24

Malware VLANs

Superclass	Subclass	VLAN ID	description	Associated Subnet
blue	red	600	windows wireless honey net	10.14.1.0/24
blue	red	601	linux wireless honey net	10.14.2.0/24
blue	red	666	unprotected windows 2003 (exchange/ad/iis)	10.15.1.0/24
blue	red	667	unprotected windows vista (outlook/ie/pdf reader)	10.15.2.0/24
blue	red	668	unprotected windows xp (outlook/ie)	10.15.3.0/24
blue	red	669	protected windows 2003 (exchange/ad/iis)	10.15.4.0/24
blue	red	670	protected windows vista (outlook/ie/pdf reader)	10.15.5.0/24
blue	red	671	protected windows xp (outlook/ie)	10.15.6.0/24
blue	red	672	protected centos 5 (zimbra/sugarcrm/trac/wordpress/php apps)	10.16.1.0/24
blue	red	673	protected ubuntu 9.10 (zimbra/sugarcrm/trac/wordpress/php apps)	10.16.2.0/24
blue	red	674	unprotected centos 5 (zimbra/sugarcrm/trac/wordpress/php apps)	10.16.3.0/24
blue	red	675	unprotected ubuntu 9.10 (zimbra/sugarcrm/trac/wordpress/php apps)	10.16.4.0/24
blue	red	676	unprotected network gear	10.17.1.0/24

Production Network

Traffic flow

Phone line

-> DSL modem (Currently this is a motorola modem provided by at&t in bridge mode. In the near future, I plan to swap the motorolla modem out and place a netgear dsl modem that I can put custom firmware on. Idea is to have a transparent bridging firewall/ids/ips.)

-> Cisco 1841 router (running pppoe stack and doing my port forwarding etc. This is my network border router. Very happy with it so far. )

• external interface is en0/1
• internal interface is en0/0.2

-> Cisco 3548 switch

• -> dmz-server (virtual machine with IP 10.10.4.3) -> (this is where most external traffic ends up as it hosts xmpp/www/sip/smtp/imap etc)
• -> dev-server -> (all external non production traffic is directed here to various virtual machines (malware stuff for example, voip bits etc)
• -> vpn-server (self explanatory)

Switch documentation

Switch port	System and interface	Description	VLAN
1	uplink to 1841 fe0/0.2	switchport trunk encapsulation dot1q switchport mode trunk	2
2	Linksys WRT54G-TM	thewybles t-mobile wireless ap	2
3	printer	printer-wired	2
4	mythtv livingroom frontend	mythtv livingroom frontend	2
5	dev server	server hosting dhcp/dns/e-mail/web/xmpp/sip and all virtual machines.	2
6	extra port for temp use	extra port for temp use	2

Internal Production Network (physical hosts and virtual machines)

ip address	hostname	description
10.10.4.1	edge-router	cisco 1841 router (very nice, fully featured router).
10.10.4.2	wireless-ap	has two high gain antennas providing amazing wifi coverage over my entire property
10.10.4.3	Main-server_documentation	dell optiplex dns/dhcp, file serving via samba, e-mail, xmpp etc
10.10.4.4	mythfe-livingroom	myth frontend in the living room hooked to the big screen. has an external dvd player attached. connected to my surround sound system. main hulu viewer also a secondary server for dns/mysql/apache
10.10.4.5	mythfe-bedroom	myth frontend in the bedroom (used for occasional hulu watching and traffic reports etc)
10.10.4.6	dev-server	development server (white box system. 4 core amd phenom, 8 gigs ram, 3tb storage. (used for uec, hadoop, boinc, security research,video/audio editing as a render node and vm host)
10.10.4.7	charles-bb	Charles BB pearl 8120 (UMA)
10.10.4.8	patti-wireless	Patti HP laptop wifi
10.10.4.9	patti-wired	Patti HP laptop wired
10.10.4.10	patti-bb	Patti BB
10.10.4.11	charles-hp-wifi	Charles HP wifi (my main system)
10.10.4.12	charles-hp-wired	Charles HP wired
10.10.4.13	printer-wifi	Photosmart 3300
10.10.4.14	printer-wired	Printer wired (this is how it's currently attached to the network, due to proximity to wired switch)
10.10.4.15	dev-laptop	Development laptop (used for misc hacking tasks)
10.10.4.16	dev-wifi	RT USB dongle (currently used for kismet, packet injection etc)
10.10.4.17	chalres-ipodtouch	Charles ipodtouch (jailbroken of course)
10.10.4.18	rufus-ipodtouch	Rufus ipodtouch
10.10.4.19	phillips-streaming	phillips wireless streaming box
10.10.4.20	rufus-wifi	Rufus sony laptop
10.10.4.21	simplenet	simplenet box (linux server that goes everywhere with me)
10.10.4.23	rufus-ps3	rufus-ps3 (gaming ps3)
10.10.4.24	ps3	ps3 (running ubuntu 9.04. used for boinc/opencl etc. not for gaming)
10.10.4.25	prod2924	cisco 2924 switch (main production switch)
10.10.4.26	patti-ipodtouch	Patti Ipod touch
10.10.4.27	prod3548xl	production switch
10.10.4.29	conference-server	bigbluebutton server
10.10.4.30	opsview-server	opsview vm
10.10.4.31	w2k8	windows 2008 production server
10.10.4.32	vpn-server	VPN termination server
10.10.4.33	voip-server	VOIP server
10.10.4.34	ocs-server	Office communications server
10.10.4.35	exchange-external	External exchange server

External production network (DMZ)

99.59.102.17 is for KNEL production traffic

port	internal destination ip address
443	10.10.4.32
22	10.10.4.3
80	10.10.4.3
25	10.10.4.3
3000 (redmine)	10.10.4.3

Virt machine details

184:root 27795 19.2 6.9 614672 532296 ? Sl 20:30 0:42 /usr/local/w2k8kvm/bin/kvm -drive file=./BigBlueButton.img,if=virtio,boot=on -cdrom ../../isos/ubnt91032.iso -boot c -name BigBlueButton -net nic,model=virtio,macaddr=52:54:00:12:34:01 -net tap -balloon virtio -m 512 -daemonize -nographic -serial telnet::30001,server,nowait -serial mon:telnet::40001,server,nowait -vnc :1

173:root 3146 6.4 7.0 647120 541528 ? Sl Mar25 196:20 /usr/local/w2k8kvm/bin/kvm -drive file=./dmzServer.img,if=virtio,boot=on -cdrom ../../isos/ubuntu-9.10-server-amd64.iso -boot c -name DmzServer -net nic,model=virtio,macaddr=52:54:00:12:34:02 -net tap -balloon virtio -m 512 -daemonize -nographic -serial telnet::30002,server,nowait -serial mon:telnet::40002,server,nowait -vnc :2

183:root 27720 19.4 6.9 728760 532688 ? Sl 20:30 0:48 /usr/local/w2k8kvm/bin/kvm -drive file=./Opsview.img,if=virtio,boot=on -cdrom ../../isos/ubnt80432.iso -boot c -name Opsview -net nic,model=virtio,macaddr=52:54:00:12:34:03 -net tap -balloon virtio -m 512 -daemonize -nographic -serial telnet::30003,server,nowait -serial mon:telnet::40003,server,nowait -vnc :3

185:root 27892 99.4 53.6 4311988 4117232 ? Rl 20:31 2:37 /usr/local/w2k8kvm/bin/kvm -drive file=./w2k8.img,boot=on -cdrom winvirt.iso -boot c -name Windows2008Production -net nic,macaddr=52:54:00:12:34:05 -net tap -balloon virtio -smp 4 -m 4096 -daemonize -serial mon:telnet::40005,server,nowait -vnc :5

Development Network

Traffic flow

Switch documentation

All development gear (wired and wireless) is connected to the 48 port cisco switch.

There are two 6 node wireless meshes and two honey net nodes (one will be connected to the windows malware network and one will be connected to the linux malware network) for a total of 14 access points.

Key:

• m1 = mesh1
• m2 = mesh2

n(x) = node(x)

The physical access points are labeled.

Wireless Gear

Switch port	Mesh / node	Description	Power supply details	WAN MAC	VLAN
7	m1,n1	tba	tba	tba	8
8	m1,n2	tba	tba	tba	8
9	m1,n3	tba	tba	tba	8
10	m1,n4	tba	tba	tba	8
11	m1,n5	tba	tba	00 16 01 d6 c8 e4	8
12	m1,n6	tba	tba	tba	8
13	m1,capture	tba	tba	tba	8
14	m2,n1	tba	tba	tba	9
15	m2,n2	tba	tba	tba	9
16	m2,n3	tba	tba	tba	9
17	m2,n4	tba	tba	tba	9
18	m2,n5	tba	tba	tba	9
19	m2,n6	tba	tba	tba	9
20	m2,capture	tba	tba	tba
21	Linux wireless honeypot	tba	tba	tba	601
22	Linux wireless honeypot, capture	tba	tba	tba	601
23	Windows wireless honeypot	tba	tba	tba	600
24	Windows wireless honeypot, capture	tba	tba	tba	600
25	Windows malware port	tba	tba	tba	tba
26	Windows malware port, capture	tba	tba	tba	tba
27	Linux malware port	tba	tba	tba	tba
28	Linux malware port, capture	tba	tba	tba	tba

Wired gear

-

Switch port	System and interface	Description	VLAN
1	main server - eth2	(this is the physical ethernet port for windows malware virtual machines)
2	span port	span port for windows malware
3	main server - eth1	this is the physical ethernet port for linux malware virtual machines
4	span port	span port for linux malware
21	ps3	ps3 port

Internal Development Network (virtual hosts)

VOIP

Mikes VOIP Stuff

ip address	hostname	description	vlan
10.10.4.150	voip-host	centos vm	7
10.10.4.151	voip-fs-dev	freeswitch development openvz slice	7
10.10.4.152	voip-fs-qa	(openvz slice)	7
10.10.4.153	voip-fs-lt	(openvz slice)	7
10.10.4.154	voip-fs-stg	(openvz slice)	7
10.10.4.155	voip-fs-prod	(openvz slice)	7

lay3r8

lay3r8 VOIP Stuff

ip address	hostname	description	vlan
10.10.4.160	voip-host.lay3r8	(ubuntu vm)	11
10.10.4.161	voip-fs-dev.lay3r8	(openvz slice)	11
10.10.4.162	voip-fs-qa.lay3r8	(openvz slice)	11
10.10.4.163	voip-fs-lt.lay3r8	(openvz slice)	11
10.10.4.164	voip-fs-stg.lay3r8	(openvz slice)	11
10.10.4.165	voip-fs-prod.lay3r8	(openvz slice)	11

lay3r8 Parallel Computing

ip address	hostname	description	vlan

lay3r8 Malware

Windows

Unprotected Windows 2003

ip address	hostname	description	vlan	links
10.15.1.1	w2k3-up-router	router system for unprotected w2k3 net
10.15.1.2	w2k3-ad	active directory machine

Unprotected Windows Vista

ip address	hostname	description	vlan	links

Unprotected Windows XP

ip address	hostname	description	vlan	links

Protected Windows 2003

ip address	hostname	description	vlan	links

Protected Windows Vista

ip address	hostname	description	vlan	links

Protected Windows XP

ip address	hostname	description	vlan	links

Linux

Unprotected Centos 5

ip address	hostname	description	vlan	links

Unprotected Ubuntu 9.10

ip address	hostname	description	vlan	links

Protected Centos 5

ip address	hostname	description	vlan	links

Protected Ubuntu 9.10

ip address	hostname	description	vlan	links

Network

Unprotected network gear. Got cisco exploits? Try em here.

ip address	hostname	description	vlan	links
10.17.1.1	edge-router	cisco 2911 edge router	676
10.17.1.2	core-switch	3com switch	676
10.17.1.3	prod-server (vm)	gotta have a host on the network	676

External Development Network (DMZ)

99.59.102.19 is for mikes voip development traffic

Protocol	Ports
udp	all ports (do not filter anything)
tcp	all ports (do not filter anything)

99.59.102.20 is for lay3r8 development

99.59.102.21 is for windows malware

99.59.102.23 is for linux malware