Platform Virtualization

Most of the how-tos below use one of the following tools:


 * GNS3
 * VirtualBox
 * KVM

= Firewalls =

The following firewalls can be virtualized:

Cisco ASA
Files required:

 * asa842-initrd.gz
 * asa842-vmlinuz
 * Cisco asdm-647.bin
 * jdk-7u51-windows-i586
 * 3CDaemon TFTP Server

In GNS3 go to Edit -> Preferences -> Qemu, click the ASA tab and set RAM to 1024.

Qemu options:

 -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Kernel cmd line:

 -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

To run two ASAs, change the Qemu options on the second firewall as below (it gets its own VNC display):

 -vnc :2 -vga none -m 1024 -icount auto -hdachs 980,16,32

Activation keys:

 activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
 activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

Add a loopback adapter.

Run the following commands on the ASA:

 config t
 int gi 0
 ip address 10.10.10.3 255.255.255.0
 nameif management
 no shut

Copy ASDM to flash over TFTP:

 copy tftp://10.10.10.2/asdm-711.bin flash

Enable ASDM access:

 config t
 asdm image flash:asdm-711.bin
 http server enable
 http 10.10.10.0 255.255.255.0 management
 username aman password cisco privilege 15
 wr mem

ASDM Java error: add the source network to the exception list in the Java Control Panel.

Cisco PIX

 * Install GNS3.
 * Download PIX image from here.
 * Navigate in GNS3 to Edit > Preferences > Qemu > PIX.
 * Enter the information for the Key and Serial number
 * Point the binary file to the pix image.
 * Set Identifier Name as PIX.
 * Now drag and drop Cisco PIX Firewall into canvas and configure it.

Juniper SRX
You can virtualize the SRX 12.1X46-D10.2 firewall as follows:

Using VMPlayer

 * Download Firefly VMware Appliance from Juniper.net
 * Install VMware Player.
 * Import the VM into VMware player.
 * Allocate 2 CPUs.
 * Set the RAM to at least 1024 MB.
 * Check the Network interfaces and config.
 * Start the VM and proceed with quick start wizard.

Using VirtualBox
 * Download Firefly OVA file from Juniper.net
 * Extract contents of OVA file using 7-zip
 * Convert the vmdk virtual drive to vdi:

 "c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd -format VDI junos-vsrx-12.1X46-D25.7-domestic-disk1.vmdk junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi

 * Create VM in VirtualBox:

General: Name: base-vSRX; Type: Linux; Version: Other Linux (32bit)

System: Memory: 1024MB; CPU: 2 (very important, as 1 CPU will not load Gig interfaces); Enable PAE/NX; Enable I/O APIC; Enable VT-x/AMD-V; Enable Nested Paging

Hard Drive: IDE Primary master; Use an existing virtual hard drive file (choose junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi)

Network: Enable all 4 adapters and set the 'Adapter Type' to 'Paravirtualized Network (virtio-net)'. (You can choose whether each interface is NAT, Bridged, Host-only, etc.)

Audio: Off

Serial Ports: Enable Serial Port 1; Port Number: COM1; Port Mode: Disconnected

 * Boot up the VM. The default login is 'root' with no password.

Using GNS3 and Qemu to Cluster
Source: gns3.net & brezular.com

Versions: GNS3 1.2.3; Qemu 2.1.0 i386w; Firefly 12.1X46-D10.2

 * Download Firefly OVA file from Juniper.net
 * Extract contents of OVA file using 7-zip.
 * In GNS3 go to Preferences > Qemu and set the path to qemu to the latest version.
 * Use qemu-system-x86_64 on a 64-bit system or qemu-system-x86 on a 32-bit system.
 * Make a new JunOS guest with the following settings:

 Binary image: the VMDK file
 RAM: 1024
 NIC: 10
 NIC Type: e1000
 Qemu options: -smp 2 -device vmxnet3
 Use KVM if supported

 * Save the Qemu VM.
 * Drag and drop the same image onto the GNS3 canvas twice to generate two vSRX devices with different MAC addresses.
 * Add switches as required.
 * Connect the cables as per the Juniper guidelines.
 * Continue with the HA config as per Rtoodtoo.net

Checkpoint
This section sets up a fully operational Checkpoint firewall in a virtual machine for a 15-day evaluation.


 * Install VirtualBox.
 * Download Check_Point_R75.Splat.iso from Checkpoint.com
 * Create a new VM.
 * Boot the VM using the above ISO file.
 * Follow the on screen installation instructions.
 * Install Security Gateway, Security Management, SmartEvent and SmartReporter Suite, Management Portal products.
 * Reboot the VM and access the WebUI from the IP address provided during installation.
 * Download the Checkpoint management software and install it on the Windows host.

Endian Firewall
Endian Firewall Community Edition is an open-source firewall which can be installed on any PC or VM. It is one of the best firewalls for newcomers to start learning security and firewall basics and to understand concepts like zones, VPN, DHCP, web filtering, etc.


 * 1) Download the community edition of Endian Firewall from Endian.com
 * 2) Install VirtualBox and create a new VM.
 * 3) Mount the ISO file as a CDROM in VM.
 * 4) Boot the VM from this ISO.
 * 5) Install the EFW with the installation wizard.

= IPS =

Two common IPS systems are virtualized as follows:

Cisco IPS
Cisco IPS 4235 ver 6.0:


 * Download the IPS v6.0 Disk image (disk1 and disk2) and extract them.
 * Download JRE6update7.
 * In GNS3, go to Edit> Preferences> Qemu> IDS and configure the following:

 Browse to the Disk 1 and Disk 2 locations.
 RAM: 1024 MB
 NIC Model: e1000
 Qemu Options: -smbios type=1,product=IDS-4235
 Press Save, then OK.


 * Start the VM. Now use the IDS with the following credentials:

 username: cisco
 password: ciscoips4215


 * To manage through IME download Cisco IPS Manager Express (IME) 7.1.1

Snort
Please refer to the dedicated Snort page.

= Misc =

Other platforms that can be virtualized are as follows:

Slax Router

 * Download the latest ISO file from sourceforge.net
 * Create a VM with 128 to 256 MB RAM.
 * Add more Virtual network interfaces.
 * Boot the VM with the ISO file.
 * Log into the console using the root:toor credentials.
 * Now enter command "slaxrouter-install" to begin HDD install.
 * Select the partition.
 * Define Swap memory if required.


 * Preparing Webmin
 * Edit /etc/webmin/miniserv.conf to disable ssl or to change port.
 * Restart webmin service.


 * Interface config
 * Run the following command to edit the rc.local file:

 vim /etc/rc.d/rc.local

 * Paste the following lines there using vim (v to select, y to copy, p to paste):

 # 1) if the eth0 interface exists, configure the interfaces and the default route
 if [ -d /sys/class/net/eth0 ]; then
     ifconfig eth0 10.107.88.69 netmask 255.255.255.224
     route add default gw 10.107.88.65
     ifconfig eth1 1.1.1.1 netmask 255.255.255.0
     ifconfig eth2 4.4.4.1 netmask 255.255.255.0
 fi

Running OSPF in Slax using Zebra
Source: openmaniak.com, techrepublic.com

Slax v0.4 was used for below steps:

Change into the Quagga directory and list the sample config files:

 root@10:~# cd /etc/quagga/
 root@10:/etc/quagga# ls
 bgpd.conf.sample  bgpd.conf.sample2  ospf6d.conf.sample  ospfd.conf.sample  ripd.conf.sample  ripngd.conf.sample  vtysh.conf.sample  zebra.conf.sample

Copy the sample files to create new config files for zebra and ospfd. zebra.conf is used to declare the interfaces; ospfd.conf holds the OSPF configuration.

 root@10:/etc/quagga# cp zebra.conf.sample zebra.conf
 root@10:/etc/quagga# cp ospfd.conf.sample ospfd.conf

Edit the zebra.conf file as below:

 ! -*- zebra -*-
 !
 ! zebra sample configuration file
 !
 ! $Id: zebra.conf.sample,v 1.1 2002/12/13 20:15:30 paul Exp $
 !
 hostname Router
 password zebra
 enable password zebra
 !
 ! Interface's description.
 !
 !interface lo
 ! description test of desc.
 !
 interface eth1
  ip address 2.2.2.1/24
 ! multicast
 !
 interface eth2
  ip address 3.3.3.1/24
 !
 ! Static default route sample.
 !
 !ip route 0.0.0.0/0 203.181.89.241
 !
 log file /var/log/zebra.log

Edit the ospfd.conf file as below:

 ! -*- ospf -*-
 !
 ! OSPFd sample configuration file
 !
 hostname ospfd
 password zebra
 enable password zebra
 !
 router ospf
  network 2.2.2.0/24 area 0
  network 3.3.3.0/24 area 0
 !
 log stdout

Now start the zebra process using the init script:

 root@10:/etc/quagga# /etc/rc.d/rc.zebra start
 Starting Zebra daemon: /usr/sbin/zebra -d
 Starting OSPF daemon with OSPF-API enabled: /usr/sbin/ospfd -a -d

If you are not able to telnet to the daemons, check the log file for the directory-related error:

 root@10:/etc/quagga# cat /var/log/zebra.log
 2017/05/17 10:54:42 ZEBRA: Can't create pid lock file /var/run/quagga/zebra.pid (No such file or directory), exiting

If you see this error, create the quagga run directory:

 root@10:/etc/quagga# mkdir /var/run/quagga

Now restart the Zebra process:

 root@10:/etc/quagga# /etc/rc.d/rc.zebra restart
 Stopping quagga daemons
 Starting Zebra daemon: /usr/sbin/zebra -d
 Starting OSPF daemon with OSPF-API enabled: /usr/sbin/ospfd -a -d

The log should now show the Zebra process starting:

 root@10:/etc/quagga# cat /var/log/zebra.log
 2017/05/17 10:54:42 ZEBRA: Can't create pid lock file /var/run/quagga/zebra.pid (No such file or directory), exiting
 2017/05/17 10:55:17 ZEBRA: Zebra 0.99.11 starting: vty@2601

You should now be able to log into both the zebra and ospfd vty consoles:

 root@10:/etc/quagga# telnet localhost 2601
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 
 Hello, this is Quagga (version 0.99.11).
 Copyright 1996-2005 Kunihiro Ishiguro, et al.
 
 
 User Access Verification
 
 Password:
 Router>
 Router> exit
 Connection closed by foreign host.
 root@10:/etc/quagga# telnet localhost 2604
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 
 Hello, this is Quagga (version 0.99.11).
 Copyright 1996-2005 Kunihiro Ishiguro, et al.
 
 
 User Access Verification
 
 Password:
 ospfd>
 ospfd> exit
 Connection closed by foreign host.
 root@10:/etc/quagga#

To autostart Zebra at boot, edit /etc/rc.d/rc.local and add the following lines:

 vim /etc/rc.d/rc.local

 # 1) Start Zebra
 /etc/rc.d/rc.zebra start

Juniper NSM
Source: Packetfail

To install Juniper NSM 2012.2R9 in VirtualBox, do the following:

1. Create a VM in Virtualbox with at least 2.5GB free RAM & 25GB HDD space.

2. Download the following files:

 CentOS-6.6-i386-minimal.iso
 nsm2012.2R9_servers_linux_x86.sh
 nsm2012.2R9-systemupdate-linux.zip

3. Install CentOS in the VM by mounting the above ISO file. On the package customization page, make sure everything but 'base' is unchecked. Reboot after installation:

 sudo reboot

4. Disable iptables:

 /etc/init.d/iptables stop
 chkconfig --level 12345 iptables off
 /etc/init.d/ip6tables stop
 chkconfig --level 12345 ip6tables off

5. Make the system appear to be RHEL 5. Edit /etc/redhat-release, delete everything and paste:

 Redhat Enterprise Linux Server release 5

6. Disable SELinux: edit /etc/selinux/config and set

 SELINUX=permissive

7. Move the two NSM-related files to the VM. Unzip the systemupdate file, remove the archive for ES5 and extract the archive for ES6:

 yum install gnupg rsync xorg-x11-font-utils vim http
 sh /var/tmp/es5/rhes6.sh

8. Unzip the NSM installer; it contains a very large .sh script:

 sh /var/tmp/nsm2012.2R9_servers_linux_x86.sh -niAPPLIANCE=n

9. Note all the passwords. Also set the super user's password, as it is required for the client login. If the password is not known or was never set, stop all services and run the following command to set the password to "netscreen":

 /usr/netscreen/GuiSvr/utils/.xdbUpdate.sh /usr/netscreen/GuiSvr/var/xdb admin 1 0 /__/password "glee/aW9bOYEewkD/6Ri8sHh2mU="

10. Open a web browser to https://x.x.x.x:8443 and download the client.

Note:

 * Mount ISO files:

 mount /dev/cdrom /mnt/cdrom

 * Enable network interfaces on bootup:

 vi /etc/sysconfig/network-scripts/ifcfg-eth0

Juniper Space
Source: rtoodtoo.net


 * Download the latest OVA image (Space-14.1R2.9) from juniper.net
 * Download the Security Director(14.1R2.6) release compatible with the platform release from juniper.net
 * Deploy the Space Platform OVA file as usual like any other VM.
 * 8GB RAM is required for the VM.
 * Power on the VM and get into the console. Credentials are admin:abc123. Change the password.
 * Then accept the default installation type Space Platform.
 * Configure the network settings.
 * Now set the GUI IP address and NTP server.
 * Then type the display name. This is used as the fabric node name.
 * Set maintenance password which is used for upgrade and other maintenance operations. It is different than admin password.
 * Once the changes are applied, the daemons are restarted; this takes some time to complete.
 * Choosing option 7 and providing the admin password drops you to the Linux shell.
 * An SSH connection to the box will now succeed.
 * Web user is super and initial default password is juniper123.

Deploying Security Director
To deploy Security Director, go to Administration -> Applications -> Add Application, select "Upload via HTTP" and upload the Security Director image you downloaded. A job is created, and after a while the application name (Security Director) appears in the list. Once it appears, click Install. When the installation finishes there will be 3 new applications. Selecting Security Director from the drop-down list on the left switches to the SD screen.

Juniper UAC
Please follow the following steps:


 * 1) Download DTE or SPE edition for KVM or VMWare from juniper.net
 * 2) Unzip the Zip file.
 * 3) Install VMPlayer.
 * 4) Select the Open VM option.
 * 5) Browse to the unzipped folder location and select the OVF file.
 * 6) Start the VM.
 * 7) Follow on screen instruction to start the UAC.
 * 8) Open https://x.x.x.x/admin to open the WebUI of the UAC.

Note: DTE = Demonstration and Training Edition; SPE = Service Provider Edition.

WAN Emulator
Tutorial: openmaniak.com
 * Download the WANem ISO file from Sourceforge.net.
 * Create a VM with around 640MB RAM.
 * Add 1 or 2 network interfaces depending upon your scenario.
 * Mount the ISO in the VM.

 * Scenario 1 - Client and server in a single subnet
 * Add a single network interface to the VM.
 * Boot the machine.
 * Press n at the DHCP prompt.
 * Select the eth0 interface and assign it the IP and gateway addresses.
 * Run these commands on the client and the server (each host needs a host route to the other end via WANem, 192.168.1.3):

 route add 192.168.1.1 mask 255.255.255.255 192.168.1.3
 route add 192.168.1.2 mask 255.255.255.255 192.168.1.3

 * Scenario 2 - Client and server in different subnets
 * Run this command on the client:

 route add 10.1.1.2 mask 255.255.255.255 192.168.1.3

 * In the WANem console, enable NAT on the desired network interface:

 nat add eth0

 * Confirm NAT with this command:

 nat show

 * Managing WANem:
 * Access the VM WebUI at http://192.168.1.3/WANem
 * There are two modes:

 Basic mode    - Simple WAN emulator with bandwidth and delay features
 Advanced mode - Contains more complicated features like loss, jitter, duplication, reordering, corruption, etc.


 * Jitter - Real networks show variation in delay. If the delay is 100 ms and jitter is set to 10 ms, the applied delay is randomly 100 + 10 ms or 100 - 10 ms.
 * Correlation - A measure of how much the delay applied to the next packet depends on the delay applied to the previous packet. With a correlation of 25 %, a delay of 100 ms and a jitter of 10 ms, the delay applied to the next packet is 100 +/- 10 ms, 25 % dependent on the delay applied to the previous packet.
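An added illustration (not WANem's or netem's own code) of the jitter and correlation behaviour just described: a shell/awk simulation that draws each delay inside the jitter band and blends the draw with the previous one by the correlation factor. It is a deliberately simplified model of a correlated random source, using the page's 100 ms / 10 ms / 25 % figures, and the helper names are our own.

```shell
#!/bin/sh
# Added illustration, not WANem or netem code: a simplified model of the
# jitter and correlation knobs described above. Each delay is drawn from
# [delay - jitter, delay + jitter]; with correlation rho the random draw is
# blended with the previous draw, so consecutive delays stay close together.

# correlated_delays DELAY_MS JITTER_MS RHO COUNT SEED -> one delay per line
correlated_delays() {
    awk -v mu="$1" -v sigma="$2" -v rho="$3" -v n="$4" -v seed="$5" '
    BEGIN {
        srand(seed)
        last = rand()                          # previous draw, in [0,1)
        for (i = 0; i < n; i++) {
            u = rand()
            last = (1 - rho) * u + rho * last  # blend new draw with old one
            printf "%.3f\n", mu - sigma + 2 * sigma * last
        }
    }'
}

# mean_step: average absolute change between consecutive delays read from
# stdin; the more correlated the sequence, the smaller this number
mean_step() {
    awk 'NR > 1 { d = $1 - prev; if (d < 0) d = -d; s += d }
         { prev = $1 }
         END { printf "%.3f\n", (NR > 1 ? s / (NR - 1) : 0) }'
}

# count_out_of_range LO HI: delays on stdin outside [LO, HI] (expect 0)
count_out_of_range() {
    awk -v lo="$1" -v hi="$2" '$1 < lo || $1 > hi { c++ } END { print c + 0 }'
}

# Demo with the page's figures: 100 ms delay, 10 ms jitter, 25 % correlation
echo "sample delays:"; correlated_delays 100 10 0.25 8 42
for rho in 0 0.25 0.9; do
    echo "rho=$rho mean step: $(correlated_delays 100 10 "$rho" 1000 42 | mean_step) ms"
done
```

Raising the correlation keeps the delay within the same 90 to 110 ms band but makes the sequence change more slowly, which is what the mean step shows.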

Persistence in WANem
Source: superuser.com Source: ogris.de

 * Download the WANem LiveCD ISO (3.0 beta 2)
 * Create a VM with the following spec:

 Hard Disk: 4GB
 RAM: 384MB
 CPU: 1
 3 interfaces: 1 for mgmt (optional), 2 for traffic

 * Boot the VM
 * Open the terminal; you will get the below prompt:

 WANemControl@PERC>

 * Type the command to get root shell access:

 exit2shell

 * Run the command:

 0wn

 * Click "Accept and Continue" twice to the warnings.
 * Leave "auto" selected for partitioning, click "OK"
 * Click "Yes" when prompted to start automatic partitioning (1GB of swap, 3GB for the root filesystem)
 * Click "Yes" when prompted to use all of /dev/sda
 * You will get "Automatic partitioning failed", but it actually succeeds (this is because it gets auto-mounted)
 * Leave /dev/sda2 selected and click "OK" when prompted to select a partition
 * 0wn will now copy files to the disk (this will take a while).
 * Click "OK" when prompted to install Grub
 * Leave "mbr" selected and click "OK", then "Yes" to confirm
 * Click "Yes" to reboot the machine.
 * The VM will reboot, then you will see Grub and the boot process.
 * Now you will get a WANemControl@PERC> prompt but no GUI or desktop, or nothing will appear except for the cursor.
 * Whether you see the prompt or not, type the following command to get the desktop of the persistent VM:

 startx

Persistence of WANem Config

 * Perform the WANem config from the WebUI
 * Save the WANem config file as "netenstate.txt"
 * Edit the rc.local file:

 vim /etc/rc.local

 * Add the following line:

 /etc/startup.sh

 * Now edit this file:

 vim /etc/startup.sh

 * Copy and paste the commands from the saved "netenstate.txt" file into this script file
 * In case you want a GUI desktop by default, add the command below to the end:

 startx

 * Make this file executable:

 chmod +x /etc/startup.sh

 * Reboot to test the config

Network Mode

 * Bridge setup
 * Edit /etc/network/interfaces and add the following lines:

 auto br0
 iface br0 inet static
     address 192.168.0.20
     netmask 255.255.255.0
     gateway 192.168.0.1
     bridge_ports all
     bridge_fd 0
     bridge_stp off

 * Now you need to restart the networking service at startup to bring br0 up:

 cd /root/.config/autostart/
 vim NWRestart.desktop

 * Type in the below lines:

 [Desktop Entry]
 Type=Application
 Name=Network-Restart
 Exec=service networking restart
 Icon=
 Comment=
 X-GNOME-Autostart-enabled=true

 * Routing setup
 * If you want to run WANem as a router, do not add the above br0 config to /etc/network/interfaces. Instead insert the following lines:

 auto eth0
 iface eth0 inet static
     address 192.168.0.20
     netmask 255.255.255.0
     gateway 192.168.0.1
 
 auto eth1
 iface eth1 inet static
     address 192.168.1.20
     netmask 255.255.255.0

 * Now enable IPv4 forwarding:

 vim /etc/sysctl.conf
 net.ipv4.ip_forward = 1

 * Now you need to enforce this forwarding on startup:

 cd /root/.config/autostart/
 vim sysctl.desktop

 * Type in the below lines:

 [Desktop Entry]
 Type=Application
 Name=SysCtl
 Exec=sysctl -p
 Icon=
 Comment=
 X-GNOME-Autostart-enabled=true

WanEM alternative
Related: cyberciti.biz

In case you do not want to run a dedicated VM for the WAN emulator, run the commands below on any existing Linux machine, e.g. the Slax Router. To make them persistent, add them to the rc.local file:

 vim /etc/rc.d/rc.local

 sudo /sbin/tc qdisc add dev eth1 root handle 1: netem delay 20ms 4ms 25% reorder 1% 25% loss 2% 25% duplicate 1% 25% corrupt 2%
 sudo /sbin/tc qdisc add dev eth1 parent 1:1 handle 10: htb default 1 r2q 10
 sudo /sbin/tc class add dev eth1 parent 10: classid 0:1 htb rate 2097kbit ceil 2097kbit

Slax Router does not have the sudo command, so remove it:

 /sbin/tc qdisc add dev eth2 root handle 1: netem delay 20ms 4ms 25% reorder 1% 25% loss 1% 25% duplicate 1% 25% corrupt 1%
 /sbin/tc qdisc add dev eth2 parent 1:1 handle 10: htb default 1 r2q 10
 /sbin/tc class add dev eth2 parent 10: classid 0:1 htb rate 2097kbit ceil 2097kbit
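As an added example that is not from the page's sources, the following rc.local helper serves both the Slax interface configuration above and this netem alternative: it configures interfaces only when they exist and applies the netem/htb shaping so that it can be re-run on every boot. It assumes ifconfig and /sbin/tc are present; the function names, the DRY_RUN and NET_SYSFS switches, and the interface names and addresses are our own samples.

```shell
#!/bin/sh
# Added example, not taken from the page's sources: an rc.local helper that
# combines the two boot-time tasks above (Slax interface config and the netem
# alternative). Interfaces are configured only when they exist, and the
# shaping is applied idempotently: re-running "tc qdisc add ... root" on an
# interface that already has a root qdisc fails with "RTNETLINK answers:
# File exists", so any existing root qdisc is deleted first. DRY_RUN=1 prints
# the commands instead of running them (no root needed) and NET_SYSFS
# overrides the sysfs path; interface names and addresses are samples.

NET_SYSFS=${NET_SYSFS:-/sys/class/net}

run() {                                   # execute, or echo when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

if_exists() { [ -d "$NET_SYSFS/$1" ]; }   # same test as the rc.local snippet

# configure_if NAME ADDRESS NETMASK [GATEWAY]; returns 1 if NAME is absent
configure_if() {
    if_exists "$1" || { echo "skip $1: no such interface" >&2; return 1; }
    run ifconfig "$1" "$2" netmask "$3"
    [ -n "${4:-}" ] && run route add default gw "$4"
    return 0
}

# shape_if NAME RATE_KBIT DELAY_MS JITTER_MS CORR_PCT LOSS_PCT
# netem at the root adds delay, jitter and loss; htb below it caps bandwidth.
shape_if() {
    if_exists "$1" || { echo "skip $1: no such interface" >&2; return 1; }
    run /sbin/tc qdisc del dev "$1" root 2>/dev/null || true   # clear old
    run /sbin/tc qdisc add dev "$1" root handle 1: netem \
        delay "${3}ms" "${4}ms" "${5}%" loss "${6}%" "${5}%"
    run /sbin/tc qdisc add dev "$1" parent 1:1 handle 10: htb default 1 r2q 10
    run /sbin/tc class add dev "$1" parent 10: classid 10:1 htb \
        rate "${2}kbit" ceil "${2}kbit"
}

unshape_if() { run /sbin/tc qdisc del dev "$1" root; }   # undo while testing

main() {
    configure_if eth0 10.107.88.69 255.255.255.224 10.107.88.65 || true
    configure_if eth1 1.1.1.1 255.255.255.0 || true
    configure_if eth2 4.4.4.1 255.255.255.0 || true
    # 2 Mbit/s link with 20 ms +/- 4 ms delay (25 % correlated) and 1 % loss
    shape_if eth2 2097 20 4 25 1 || true
}

# rc.local calls "sh /path/to/this.sh apply"; "preview" only prints commands
case "${1:-}" in
    apply)   main ;;
    preview) DRY_RUN=1; main ;;
esac
```

Run it with the preview argument first to see exactly which ifconfig and tc commands would be issued on the current machine.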

Tiny Core Linux
A Linux VM which will act as a minimal PC for Networking Labs.

The absolute minimum of RAM is 46 MB.

A recommended configuration is a Pentium 2 or better with 128 MB of RAM plus some swap.

If you want the VM to have IP address temporarily assigned only or want it to use DHCP for IP address, you can directly boot the ISO file in the VM.

But if you want the VM to retain the IP address persistently, then follow the below process.

 * Download the CorePlus (~86 MB) ISO file from tinycorelinux.net
 * Create a new VM with 256MB RAM.
 * Install the OS from the ISO.
 * Boot into the VM.
 * Edit the bootlocal.sh file:

 vi /opt/bootlocal.sh

 * Add the following lines:

 sleep 5
 sudo ifconfig eth0 1.1.1.2 netmask 255.255.255.0 broadcast 1.1.1.255
 sudo route add default gw 1.1.1.1
 # the redirect needs root as well, so use tee rather than "sudo echo ... >"
 echo nameserver 4.2.2.2 | sudo tee /etc/resolv.conf

 * Save the changes to disk:

 sudo filetool.sh -b

 * Reboot

Installing Packages
Source: tinycorelinux.net

You can install packages using the command below:

 tce-load -wi pkg

Install iperf3:

 tce-load -wi iperf3

To search for available packages:

 tce-ab

You can get a list of available packages from these links: ftp://distro.ibiblio.org/tinycorelinux/ and ftp://distro.ibiblio.org/tinycorelinux/8.x/

GNS3 Autostart in Ubuntu
 * Create a new VM with 1 GB RAM and 12 GB HDD.
 * Add 4 interfaces to it. You will not be able to add them later on due to a bug, so add enough at this stage.
 * Install Ubuntu Server edition 16.04.
 * Install gnome-shell (~187 MB) for the GUI:

 sudo apt-get install gnome-shell gnome-terminal

 * Add the GNS3 repository and install the GUI:

 sudo add-apt-repository ppa:gns3/ppa
 sudo apt-get update
 sudo apt-get install gns3-gui

 * Add the IOS files to this server using SFTP.
 * Create a project and save it.
 * Drag a cloud and use a Generic Ethernet NIO to connect the router interfaces to the outside world.
 * Now edit the interfaces file:

 sudo nano /etc/network/interfaces

 * Add the remaining interfaces to this file:

 auto eth1
 iface eth1 inet manual
 auto eth2
 iface eth2 inet manual
 auto eth3
 iface eth3 inet manual

 * Reboot and check whether they appear in the output of:

 ifconfig -a

 * Select auto login for the user from the GNOME user settings page.
 * To make the project auto start on GNS3 launch, edit the .gns3 file with a text editor and change auto_start to true.
 * To autostart GNS3 on bootup, put a .desktop file in ~/.config/autostart to run applications after user login:

 [Desktop Entry]
 Type=Application
 Name=GNS3
 Exec=gns3 --config /home/aman/.config/GNS3/gns3_gui.conf /home/aman/GNS3/projects/GNS3_Router/GNS3_Router.gns3
 Icon=
 Comment=
 X-GNOME-Autostart-enabled=true

 * If the autostart fails and you find DBUS ERROR in the logs, run the command below:

 dbus-launch --exit-with-session gnome-session

 * If you still get errors for interfaces being down, check the GNS3 logs.
 * In case you find authentication failure errors in the server logs, check the GNS3_Server and GNS3_GUI logs and copy-paste the correct credentials.