My Homlab Micro-Segmentation and Pentest setup

In this post, we will take a look at how I used NSX-T's T1 gateway to create a micro-segmented network in my homelab for my pentest setup.

I wanted to create a micro-segmentation in my homelab, to keep my Kali linux and ParrotOS isolated from my primary hosts and VMs network, as well as from the external (wan) network. This is just to ensure that a test does not accidently bring down my base infrastructure. Below is a schematic of my final network configuration (thanks to NSX-t's Network Topology view):

This segmented network is completely isolated from external network, vm network and the host management network. The attacker VMs would be connected to the ATK-SEG and the victim VMs would be connected to the VIC-SEG.

Let us dive into the procedure for setting this up:

1- We start of by creating a new transport zone. Navigate to System--> Fabric--> and click on add. Enter the following settings:

2- We configure the host as a transport node. Go to system->fabric->Nodes ->transport nodes. Select the host you want to setup as nsx transport node and click "configure nsx". Enter the following configurations:

I am assuming we already have a VDS setup on the host, with no uplinks configured on the vds.

3- Now, we setup 2 network segments (in the overlay transport zone previously created), in two different subnets. Go to Networking tab -> Segments -> "Add Segments". We create the ATK-SEG and the VIC-SEG segments as shown in the screen captures below:

Now that we have the segments created, we now connect the VMs to their respective segments to complete the micro-segmentation:

One of the reasons for me creating the micro-segments is also to ensure that intentionally vulnerable VMs such as the Metasploitable Linux VM is not connected to any externally accessible network.

We will look into deploying the metasploitable in more details in the next post. Stay tuned!

51 views0 comments