Cyber Range Essentials
Construct a Hybrid Cloud-Physical Lab with Ansible and Terraform
About the Book
Cyber Range Essentials is a practical guide that will walk you through the creation of a foundational cyber range built with modern DevOps tooling such as Ansible and Terraform. You will use practices such as:
- Infrastructure-as-Code
- Configuration-as-Code
- Zero-Trust Networking
in order to build a remotely accessible, hybrid cloud-physical environment with:
- AWS
- Google Workspace
- Cloudflare
- Proxmox
Along the way, you'll learn about modern AuthN & AuthZ protocols such as OIDC and SAML, and much more. With this lab, you'll be able to practice malware analysis, defensive cybersecurity, and red-teaming, all in a safe (and cost-effective) environment!
Table of Contents
Introduction
- Prerequisite Knowledge
- Who might benefit from this course?
- What You Will Build
Recommended Hardware
- ACEPC AK1 Mini PC
- Raspberry Pi 4 Model B/4GB
- Cisco SG350-10 10-Port Managed Switch
- Dell T420
- Protectli Vault 4-Port Firewall Appliance / Micro PC
Lab Constraints
- Capital Expenditure
- Operational Expenditure
- Physical Size, Modularity, and Power Consumption
- Virtual Portability
- Remote Access
- How The Book Is Structured
- Running the Code
Building the Bootstrap Host
- All About Ansible
- run.sh
- Inventory and Installation
Final Steps
- Terraform versus Ansible
Constructing the Network
VyOS Initial Configuration
- Links
VLAN Design
- Layer 2 Segmentation for Security
- VLAN Descriptions
- Outbound Communications
- Connecting the Router to the Enveloping Network
- Network Inventory Distinctions
Networking on VyOS
- Router-on-a-Stick versus Alternatives
- Network Address Translation (NAT)
- Authentication and Authorization Considerations
VyOS Initial Configuration
Segmenting the Network at Layer 2
- Initial Configuration
- Connecting the Switch to the Network
- iOS Inventory
VLAN to Port Assignments
- Distinguishing Access Ports from Trunk Ports
Building the Firewalls
- VyOS Firewall Basics
- Global Ingress Rules
- Global Egress Rules
- Inter-VLAN Ingress Rules
Initial Cloud Integration: AWS, Cloudflare, and GWorkspace
- Amazon Web Services (AWS)
- Cloudflare
Google Workspace (GWorkspace, formerly known as GSuite)
- Email Considerations
- Identity Management
- Cloudflare
- GWorkspace
AWS
- Security Hygiene with Multi-Factor Authentication
- MFA: Virtual Devices versus FIDO U2F
- Creating the Bootstrap Administrator
- Account Architecture
- S3 and Terraform Remote State
- Account Creation
- A Side Note On The Sub-Account Root User
Single Sign-On (SSO): Authentication and Authorization
Local System Authentication on Linux
- Password-Based Local Authentication
- Key-Based Local Authentication
- Additional Hurdles and Solutions with Local Authentication
- Lightweight Directory Access Protocol (LDAP)
- Identity and Access Management (IAM)
- A Better Approach to AuthN & AuthZ
- 10,000 Foot View of SAML
Cloud Identity Simplification
- Problematic Designs
- Improvements via SSO
- GWorkspace versus Jumpcloud
GWorkspace Setup
- Mapping Workspace Attributes to AWS
- Creating the SAML App
- Granting a User AWS Permissions
Trust Relationship and Roles Creation
- Why not AWS SSO?
- Terraforming Roles and Relationships Across Accounts
Local System Authentication on Linux
Core Services
Proxy Server (prx-01)
- DNS
Caddy
- Historical Problems with SSL/TLS
- Let's Encrypt to the Rescue
- Caddy with the Cloudflare Provider
- Proxmox Malware-Analysis Virtualization Server (mal-01)
Proxy Server (prx-01)
Remote Access with Zero-Trust Networking
- Today’s Standard
- Why Not VPNs?
Configuring the Jump Server
- The Good and the Bad: Secure LDAP (LDAPS) with Google Workspace
- Remote Access with XRDP Server
- Implementation with Cloudflare Access
Install and Configure: Cloudflare Access
- The Big Picture
- Resources Required
- Configuring the Identity Provider
- Creating the Applications
- Creating the Tunnels
Automated and Ad-Hoc Administration
- Configuring the Credentials
SSM Hybrid Management
- Activation Code
- Log Storage with S3
- SSM Encryption In-Transit
Log Replication
- Vault Account
- Systems Account
- Installing the Agent
Updating SSM Preferences
- Pricing Note
- Finishing it Off
- The Result
Conclusion
- Where to Go Next?
- Thank You