Building a Home Lab for Offensive Security and Security Research (systemoverlord.com)
93 points by kungfudoi on Oct 26, 2017 | 21 comments



There is a whole reddit on homelabs [1]. Always good to get new ideas.

[1] https://www.reddit.com/r/homelab/


Yeah, some of those setups are serious. At a certain point, you're living in a datacenter instead of having a lab in your home. :) I've seen a couple that got new 20 amp circuits dropped for their labs.


I'm curious why in "pre-made VMs" there is no mention of Kali Linux[1]. I was under the impression it was by far the most robust / mature implementation.

Plus Mr. Robot uses it so that means it's good :p

[1] https://www.kali.org/


Looks like that section focuses on how to get some vulnerable services running in the lab to test against, which is why Kali isn't on the list as it's an offensive distro for your workstation.

Kali is very convenient and well-maintained, but at the end of the day it's really just Debian with a bunch of common security tools pre-installed. I usually default to using it since it's easy to install and I know it pretty well, but it's perfectly reasonable for someone to run vanilla Debian or Fedora or whatever they prefer and customize the tooling themselves instead.


Going to second this. I keep a relatively up-to-date Kali VM on hand, and it saves me the trouble of configuring and maintaining $randomtool I need when I stumble across the need for it, but I have my usual toolkit of security tools that I use on a daily basis deployed on my host OS as well.


“There’s a couple of good options (and this is not an exhaustive list) for pre-made tool VMs. Obviously you have Kali Linux for offensive tools and penetration testing, but you can also use Security Onion for the defensive side – intrusion detection and network security monitoring.”

Seems like it’s there.


It definitely is the most popular OS for security peeps; however, those VMs mentioned in the article are purpose-built to be vulnerable. They allow someone to spin them up and attempt to hack the boxes (likely using Kali) as a way of honing their offensive security skills.


Another way is to increase defensive skills by starting with Damn Vulnerable Linux (DVL) and trying to close all holes and having someone try to crack it.

For fun of course :-)


Wow, thanks, I completely misread that part.


I'll admit I'm a little biased here (I made the preso), but here are a few more resources for those interested in building a home lab:

"Building Your Own Kickass Home Lab" -- bit.ly/kickasslab (or https://docs.google.com/presentation/d/1V-mWiyaJ3I6HhXRxH1M5...)

Recorded webcast version -- https://youtu.be/uzqwoufhwyk

I talk about hardware, software (choose your own host OS, consider VMware Workstation), operating systems, vulnerable builds, example labs, and some ideas of what to test.


Hi Jeff! I actually hadn't seen your presentation before I wrote the post, I'm going to take a look at it today and might update some sections based on it. Thanks for the resource!


No problem! Thanks for writing that blog post, there's lots of great stuff there :)


Depending on the threat model, might also want to install RF insulation to mitigate Van Eck phreaking [1].

[1] https://en.wikipedia.org/wiki/Van_Eck_phreaking


>> Hardware Option C: Dedicated Hardware

This is the way I went. You can get a lot of used machine for $300 these days. A pair of ThinkPads for Windows and Linux, a MacBook for OS X, and a dual quad Xeon Dell server is plenty and barely cost over $1,000 US.


Why would you really need physical machines for Linux and Windows? You can always virtualize clients and run dual boot Mac/Windows or a single ThinkPad with Win/Linux dual boot.

If budget is tight, used servers are great value; for example, Dell R710 is cheap with plenty of horsepower. Downside being space and sound.


I prefer getting a really powerful workstation and doing virtualization from there. Example: http://natex.us/enthoo-128kit

(No affiliation with Natex, but I've bought that kit and I enjoy the overkill of 16 cores and 128 GB of RAM)


Price has jumped a bit from your presentation.


I find the self-importance of these self-anointed "security professionals" quite annoying.

Case in point: this isn't a "lab". It's a computer running some software. You could replace this article with "buy a MacBook and install Metasploit and VirtualBox".

(Or the sibling comment recommending tinfoil wallpaper)


The author works as a Security Engineer for Google. Not saying credentials are the be-all-end-all, but I think they are able to claim themselves as a security professional without too much worry.


I know computational biologists whose setup is pretty much the same. But their computer is in a closet on-campus instead of a garage, so I guess that counts as a lab...?


Isn't any room dedicated to work (and research) on computers a de-facto computer lab?



