Studying for the SANS Advanced Pen testing exam, I had to build my own environment to test each aspect of the course, which covers 6 volumes and all OSI layers. I was curious about the newer protocols and technologies as I wanted to see how current the security tools were. After building the very robust environment in Docker on a single machine, I now want to distribute the builds via Compose, services and Dockerfiles. I think it is very neat that each environment embeds a security testing environment in its cloud network.
What it does
It provides all the security testing tools via the Metasploit Framework, Scapy, Sulley, etc. on multiple Linux OSes on multiple containers, as well as the attack surfaces to try out exploits in a self-contained environment. With Docker 1.12 I am turning them into simple and complex services with inter-service communication.
How I built it
It was built entirely on open-source tools (OpenNMS, nginx, Apache, puppetserver, FreeRADIUS, OAuth2, etc.), and used Docker containers, some innovative networking, firewall, and multiple DNS on Docker 1.11 before migration to 1.12. It is easy to tear down and shut down unwanted services and focus on groups of services at a time: web, app, database, wireless, cloud. I sometimes used incremental images and sometimes Dockerfiles.
Challenges I ran into
How to provision an SSL cert for the web proxy container which is hosted on the node. The private key and cert are created on the node, but the SSL handshake takes place with the container. The security model here is a bit iffy, as file systems are shared anyway with containers although namespaces are distinct, but I will think of a better solution.
Accomplishments that I'm proud of
I think I understand how the service works and what Docker is expecting of the images that represent services. I also now understand the concept of composite services published via Docker Compose and how to isolate by namespace rather than by network per se.
What I learned
Just the tip of the iceberg on a shakeup of the traditional PKI and the newer OAuth2 signed tokens.
What's next for nginx webservices
Inter-service links to the authentication services, notification from the data plane to the control plane, and better certificate management.