Setting up a test network

Opinion
Jul 12, 2004
Network Security, Networking, Security

I’m looking to implement a test network that will allow me to evaluate different IDS and security options. Management is very concerned about exposure to the network, so I may need to try to do this from my broadband connection at home. For either option, how can I accomplish this?

– Via the Internet

For your corporate network, what I think you’re looking for is called a DMZ, short for demilitarized zone. The way I have heard this term used is that this is an area of your network that is not protected, or is not as well protected as, the part of your network behind the firewall. Vendors implement the DMZ in different ways.

Cisco, for example, offers a third network port on some of its PIX firewalls that allows a DMZ to be set up. If this is an add-on to your firewall, check whether you’ll need to upgrade the firewall’s firmware to handle the additional interface. In the case of the PIX, you will need to upgrade from the restricted to the unrestricted IOS, which will cost some money. For corporate networks this may be the easier way to go, since you will already have some type of firewall in place, and a simple hardware change should make the DMZ easy to put in place.

If putting a DMZ in place is going to cost more than it’s worth on your corporate network, consider this option – take one of your public IP addresses and assign it to a separate, smaller firewall. This lets testing occur without any of the test traffic passing through your primary firewall. You can then set up just about any test scenario you want, whether for an IDS, a honeypot, etc., without worrying that configuration changes in the primary firewall will let some of this traffic onto your corporate network.

If you end up setting up your test bed at home, there is a less costly way to set up a DMZ. I would suggest using two firewalls. The first will be your connection to the outside world and will forward everything arriving on its public interface to the single machine on the inside that is meant to receive that traffic.

To keep someone who compromises that first machine from getting access to any others you may have, put a second firewall in place and put all your other machines behind it, so those machines have an additional layer of protection. Depending on how paranoid you are, it is worth considering two different brands of firewall. If the first firewall were compromised, the perpetrator would not be able to get through the second one as quickly, since it would be from a different vendor and therefore shouldn’t share the same vulnerabilities.
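To make the two-firewall home layout above (and the corporate DMZ it mirrors) concrete, here is an added example that is not from the original column: a small first-match packet-filter evaluator in Python with one constructed ruleset per firewall. It checks that inbound test traffic reaches only the designated DMZ host, that a compromised DMZ host is stopped at the second firewall before it can touch the internal LAN, and that internal machines can still get out. The topology, addresses (documentation ranges), zone names and rules are all assumptions made for the example; it models the initiating direction of each connection only and assumes both firewalls allow the matching return traffic statefully.

```python
# Added example (not from the original column): a first-match packet-filter
# evaluator used to check the isolation properties of the two-firewall DMZ
# layout. Topology, addresses, zone names and rules are constructed for
# illustration; only the initiating direction of each flow is evaluated.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str          # source IP address
    dst: str          # destination IP address
    dport: int        # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    src: str          # source CIDR
    dst: str          # destination CIDR
    dports: tuple = ()  # empty tuple means any destination port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and (not self.dports or flow.dport in self.dports))


def evaluate(ruleset, flow: Flow):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in ruleset:
        if rule.matches(flow):
            return rule.action, rule.comment
    return "deny", "default deny"


# Constructed topology (assumed, not from the column):
#   Internet --FW1--> DMZ 192.0.2.0/24 (test host 192.0.2.20) --FW2--> LAN 10.0.0.0/24
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
DMZ_TEST_HOST = "192.0.2.20/32"
LAN = "10.0.0.0/24"

# FW1: the connection to the outside world; everything arriving from the public
# side goes to the single test host, and the private zones may reach out.
FW1_RULES = [
    Rule("allow", ANY, DMZ_TEST_HOST, comment="inbound test traffic to the DMZ host"),
    Rule("allow", DMZ, ANY, comment="DMZ egress (updates, signature feeds)"),
    Rule("allow", LAN, ANY, comment="LAN egress arriving through FW2"),
]

# FW2: the second layer; the LAN may reach out, but nothing from the DMZ may
# initiate a connection into the LAN, so a compromised test host stays contained.
FW2_RULES = [
    Rule("allow", LAN, ANY, comment="internal machines may reach out"),
    Rule("deny", DMZ, LAN, comment="DMZ host may not reach internal machines"),
]

ZONES = ["internet", "dmz", "lan"]           # ordered from outside to inside
BOUNDARY_FW = [("FW1", FW1_RULES), ("FW2", FW2_RULES)]  # FW between zone i and i+1


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    if addr in ip_network(DMZ):
        return "dmz"
    if addr in ip_network(LAN):
        return "lan"
    return "internet"


def firewalls_on_path(flow: Flow):
    """Firewalls a flow crosses, in the order it meets them."""
    i, j = ZONES.index(zone_of(flow.src)), ZONES.index(zone_of(flow.dst))
    return BOUNDARY_FW[i:j] if i <= j else BOUNDARY_FW[j:i][::-1]


def check(flow: Flow):
    """Return (permitted, trace); every firewall on the path must allow the flow."""
    trace = []
    for name, rules in firewalls_on_path(flow):
        action, why = evaluate(rules, flow)
        trace.append((name, action, why))
        if action == "deny":
            return False, trace
    return True, trace


if __name__ == "__main__":
    for f in [Flow("198.51.100.5", "192.0.2.20", 80),   # Internet -> test host
              Flow("192.0.2.20", "10.0.0.15", 445),     # compromised DMZ host -> LAN
              Flow("10.0.0.15", "198.51.100.5", 443),   # LAN -> Internet
              Flow("198.51.100.5", "10.0.0.15", 22)]:   # Internet -> LAN directly
        print(f, *check(f))
```

The trace shows which firewall made the decision, which is the point of the layout: an inbound attempt against the internal LAN dies at FW1, while a DMZ host that has already been compromised is stopped at FW2 because that box carries an explicit deny toward the LAN and otherwise defaults to deny.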