Cyber Lab

This article will detail how I set up the CU Cyber lab and got it ready to run CCDC training environments, described in this article.

As the CU Cyber president, I have duty over the cyber lab, a rack of servers in Clemson’s Watt Center. The lab hasn’t operated for two years after an NTP server failure. The lab had been crazy complicated, with all the machines running VMs with NTP, DNS, and Kerberos services that were depended on by the host machines. This means that a problem with the VM service or one VM in particular would affect the host machine, which is what happened in the lab.

My primary goal was to keep the lab simple and stupid to avoid these problems. I’ve been working over the past 8 months to get it operational again. Per the previous president’s recommendation, I worked with him to nuke the machines and firewall and switch and reimage with CentOS. This didn’t last for long, as he soon left University, and I decided to reimage with Proxmox (if you haven’t heard of Proxmox, it’s fantastic, and I sacrificed my first born to it).

After getting the machines operational, I was locked in a three-month-long combat with the Palo firewall and Clemson’s NOC. Various Watt Center network upgrades had left the lab’s VLAN out of date and unable to access the internet, but some back and forth with the NOCsters fixed this.

With the VLANs in order, I was able to get remote access and stop bothering the Watt employees (thank you, Watt employees, we love you ❤️ especially you, Mark). I then got the four Proxmox machines hooked together in a cluster and set up a WireGuard VPN for proper remote access (previously, I connected the lab to my VPN and accessed it through there). I then started a second war with the Palo to get port forwarding working, which was swiftly won.

Now that the lab was 90% operational, I gave access to the CCDC team captains so they could work on creating the tryout machines (elaborated on in the sister article). I arm-wrestled the D-Link switch to create a VLAN for all the VMs. A separate ethernet cable running between the machines and the switch allowed me to create a VLAN for all the VMs to communicate across machines.

Now, our beautiful lab is complete and operational. I present you its lovely, logical, well-thought-through design and not-at-all reactive design.

You’ll notice how all the machines are named after APTs; how clever Adrian! I forgot the IP of the KVM and can’t access it anymore, as it kind of does it’s own thing and ignores DHCP. Also of note is that the boxes are connected via ultra-fast, latest-gen, nothing-better-around 10G cables on the 10.1.1 side for faster resource sharing.

Below is a bullet point summary of the details (this is for me when I forget in two months)

• Palo Firewall
  • 10.1.1.1
  • DHCP server
• Switch
  • 10.1.1.2
  • VLAN for 10.3.0.0/16
• equation-group
  • Specs
    • 8 cores @ 2.10 GHz
    • 32 Gb RAM
    • 3.7 Tb HDD
  • 10.1.1.11
  • 10.3.0.1
  • Main machine
  • WG host as 10.2.0.1
  • NTP share @ /bac
• lazarus
  • Specs
    • 16 cores
    • 31.8 Gb RAM
    • 223 Gb HDD
  • 10.1.1.12
  • 10.3.0.2
  • WG backup host
• zirconium
  • Specs
    • 2x 14 cores @ 2.20GHz
    • 186 Gb RAM
    • 112 Gb HDD
  • 10.1.1.13
  • 10.3.0.3
• fancy-bear
  • Specs
    • 2x 14 cores @ 2.20GHz
    • 192 Gb RAM
    • 112 Gb HDD
  • 10.1.1.14
  • 10.3.0.4