SIEM Project Lab Setup | Part 6 | Network Diagram with Draw.io


In this multipart walkthrough series, I demonstrate how to get a virtual home lab setup that can be used to practice cybersecurity skills. Namely, this lab helps one construct a Security Information Event Management (SIEM) lab. Since we are now in part 6 of this series I believe it is a good time to recap what we have done so far:

Part 1: I walk through how to install Oracle VirtualBox, a powerful hypervisor useful for simulating all sorts of lab environments, at no financial cost.

Part 2: We discuss and walk through how to install an Ubuntu VM within VirtualBox. Ubuntu is a free, very useful Linux distribution.

Part 3: Involves installing a Linux Mint VM, of course in VirtualBox as well.

Part 4: This exercise is about installing a pfSense VM. pfSense is a free, open-source firewall/router solution, which is useful for learning how to configure routers and firewalls.

Part 5: In this one we add a Wazuh OVA to our growing network. Wazuh is a Security Information Event Management (SIEM) solution which, of course, is free and open source.

In summation, we have two Linux computers, a firewall/router, and a SIEM device in our network.


Ok, what next?


Now we can start practicing attacks and all that sort of stuff, right? Well, not so fast my friend. In every network setup it is useful, dare I say required, to have a network diagram in place so that everyone in the IT group that needs to know the network, can have a map of sorts to see what the network setup is.


Network Diagram Types


There are two types of network diagrams. There is a physical diagram, which shows the layout of the devices, and may also include network-specific information such as subnets, type of cabling, etc. The second type is a logical diagram. Logical diagrams are more about showing the flow of data through a network, which is super useful for conversations involving VLANs and things of that nature. For this article we are going to combine the two concepts a little, but you'll like it I promise. Let's first talk about the tool we are going to use today, which is called draw.io.

What is draw.io?


Draw.io is a website which you can go to now if you like to check it out as you read this. It is a free tool that one can use for all sorts of diagrams, similar to Microsoft Visio or Lucidchart and others. If you investigate the about page of draw.io, one thing sticks out: their mission statement of "provide free, high quality diagramming software for everyone." Pretty cool, and there's not much more I can say about it than that. Free, high quality? I'm sold. Draw.io also has a blog if you want to check out some more in-depth tips and tricks that one can do with their platform. Feel free to explore it at your leisure. At this point though, let's dive into draw.io and get this diagram built!

The Process

Step 1: Open a web browser and go to draw.io

Step 2: If possible, sign into your cloud provider (Google, OneDrive, etc.) so that your designs can be saved automatically for safe storage and sharing capabilities with friends and colleagues.


Step 3: Once you're signed in to your cloud provider, click on Create New Diagram.



Step 4: Name your project SiemNetworkDiagram.drawio. This naming convention I use here is called CamelCase, which is where you capitalize the first letter of each word in your filename to make longer filenames easy to read.



Let's leave the file type as XML file; you can choose where in your cloud account the file is stored.


Once we save the file, this takes us to the main page of draw.io. If you've ever used a flowchart program before, there's probably quite a bit of familiarity with it. The far left side shows a bunch of shapes and you can see other submenus such as "Misc, Advanced, Basic," etc. where more tools and options are. Feel free to click around and play with a few of the menus before moving on.



Step 5: In the upper left corner of the main page, you'll see a search bar. Type in "Computer" and press Enter. You'll notice that directly beneath the search bar we now see a host of different shapes related to computers.



Step 6: Let's click and drag one of these computer shapes to the middle of our canvas. Pick whatever shape you like. You don't have to choose the same one that I did. This computer is going to represent one of the Linux VMs that we installed in prior articles.



Step 7: Since we need a second computer to represent the other VM that we installed, right click on the computer and then click on "Duplicate" in the menu that appears.



Notice that we now have a second machine on our canvas.


Step 8: Let's go back to the search bar in the upper left corner. This time, let's type "firewall" as our search term. Click and drag whatever firewall icon you want to use. This firewall represents the pfSense router that we installed a couple of articles ago.


Step 9: Let's go back to the search bar again, and this time let's search for "server." Drag a server icon onto our canvas.


Step 10: Now that we have our components, let's make some connections between them. Roll your mouse pointer over one of the Linux PCs. You'll notice that four arrows appear around it.


Roll your pointer over one of the arrows, then hold down the left mouse button and drag your mouse to the firewall. Once you see the line make a connection you can release the button. It should look something like the screenshot below.



Step 11: Notice that when we made that connection, a new sidebar appeared on the right side of our canvas. It shows a bunch of extra tools that we have access to for customizing the connection that we just made. Let's make the line that we made straight. Examine the screenshot below, see where the red arrow is pointing? To make the vertical list appear showing the line types, click the dropdown arrow directly above it. Notice that the dropdown I'm referencing is a darker shade of gray than the other ones around it, if that helps.


The icon in this list that we want to click on is the first one. It will make the connection that we just made between the VM and the firewall a straight line, which will make our diagram look a little more streamlined if you catch my drift.


For extra reference, check out the screenshot below; the line I'm talking about is highlighted with a blue box around it. Click that one.


Once you click on the straight line, the diagram should look like the screenshot below.


Go ahead and do the same process for the other VM as well as the server icon. When all of those items are connected, it should look something like this.


One thing to note, as you can see in the screenshot below, is that when you pull the line towards the device you're connecting, the device being connected will show itself surrounded with blue x's. Those are individual connection points that help you show the connections in a smoother way from a visual standpoint, so observers can see your connections a little more clearly. Feel free to use this to your advantage.


Step 12: You may be thinking that this diagram doesn't look very good because the lines are only arrows, which doesn't really show this diagram as an information system. You're right, which is why now you want to click on one of the lines, and then over on the right sidebar, roll over the dropdown that shows the arrow pointing to the right. You'll see a dropdown menu appear showing different options of line types. Click the second one, which is called "link." You can see what it looks like below.


Once you click on the link line type, the line will change to look like something in the below screenshot.


Go ahead and do this for all of the connections. When you're done, it will look like the screenshot below.


Step 13: I almost forgot, let's add one more icon to the diagram. In the search bar in the upper left corner, let's type in "Internet." Choose the icon that you want to use, drag it to the canvas, then drag a line from the firewall to the Internet icon, and change the line type to "link" like the other ones. It should look like this when you're done.


Step 14: At this point we have a diagram, but we don't have any idea what each component does. There aren't labels that suggest data flow or where each machine or connection plays a role in the process. Let's change that. Pick one of the PCs and double click on the line connection between it and the firewall. You'll notice that a textbox appears, such as what you see in the image below.



Step 15: Type in "1. Generate Network Activity" on the line that you clicked.


Go ahead and do this for the other PC as well. When you're done, it will look something like this:


Step 16: Double click the connection between the firewall and the Internet and type in "2. Allow or block network activity based on firewall ruleset." I would suggest clicking and dragging the text that you created and moving it closer to the Internet symbol, as we are going to need the space below it.


Next, double click just beneath the number 2 item you entered a moment ago to create another textbox. Now type in "3. Create logs based on activity."



Step 17: At this point, double click the connection between the firewall and the server and type in "4. Send firewall logs via syslog to server." Click and drag this text closer to the firewall as shown below.


Double click just above number 4 and type in "5. Ingest network activity and firewall syslog."


Double click just above number 5 and type in "6. Generate alerts and records based on ingested network activity and firewall syslog."


Step 18: Let's do one final aesthetic step. Single click on one of the links between a PC and the firewall. Notice in the upper right there are a few colored boxes. For this step, let's click red. Notice that when you do that and then click over to the other PC link, you can clearly see that the first link has changed to red.


Let's click the other PC link and make it red too.


Let's click the link between the firewall and the Internet and make it blue, and then the link between the firewall and the server and make it green.


Step 19: Lastly, double click on one of the PCs; you'll see a text cursor appear beneath it. Type in "Linux Mint." Then, double click the other PC and type in "Ubuntu Linux." Follow the same process for the other devices to label them accordingly: "Internet" for the Internet item, "pfSense" for the firewall, and so on.

Note: at any time you can double click any text that you have input and on the far right side you'll see that you can increase the text size. I increased the size of my device labels for differentiation purposes. When you're done, it should look something like this.


You now have a network diagram. Nice work! This is a good starting point, as there are many, MANY more customizations that can be used. For the purposes of this exercise though, this works well. Notice the numbered steps too.
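Since the diagram is saved as an XML file (Step 4), the same drawing can also be produced and checked from a script, which is handy when the lab grows and you want the diagram generated from an inventory rather than redrawn by hand. The following Python example is added here and is not code from the article or from the draw.io project. It assumes the mxGraph XML layout that draw.io saves (mxfile > diagram > mxGraphModel > root > mxCell) and the draw.io style keys strokeColor, shape=link, endArrow and edgeStyle; the device coordinates, cell ids and the function names build_diagram and check_diagram are my own constructed choices. The labels are the six numbered data-flow steps from Steps 15 to 17, with the labels that the walkthrough places near a link folded onto that link, and the link colours follow Step 18.

```python
"""Generate the SIEM lab network diagram as a draw.io (.drawio) XML file and
sanity-check it. Added example; assumes draw.io's mxGraph XML file layout."""
import xml.etree.ElementTree as ET

# Devices from the walkthrough: (cell id, label, x, y). Positions are constructed.
DEVICES = [
    ("internet", "Internet", 340, 20),
    ("pfsense", "pfSense", 340, 180),
    ("mint", "Linux Mint", 100, 340),
    ("ubuntu", "Ubuntu Linux", 340, 340),
    ("wazuh", "Wazuh", 580, 340),
]

# Data-flow links: (source id, target id, label, stroke colour).
# Labels 3, 5 and 6 sit on the same links as 2 and 4 in the article.
LINKS = [
    ("mint", "pfsense", "1. Generate Network Activity", "#FF0000"),
    ("ubuntu", "pfsense", "1. Generate Network Activity", "#FF0000"),
    ("pfsense", "internet",
     "2. Allow or block network activity based on firewall ruleset\n"
     "3. Create logs based on activity", "#0000FF"),
    ("pfsense", "wazuh",
     "4. Send firewall logs via syslog to server\n"
     "5. Ingest network activity and firewall syslog\n"
     "6. Generate alerts and records based on ingested network activity "
     "and firewall syslog", "#00AA00"),
]


def build_diagram(devices=DEVICES, links=LINKS):
    """Return the draw.io XML for the given devices and links as a string."""
    mxfile = ET.Element("mxfile", host="app.diagrams.net")
    diagram = ET.SubElement(mxfile, "diagram", id="siem-lab", name="SIEM lab")
    model = ET.SubElement(diagram, "mxGraphModel")
    root = ET.SubElement(model, "root")
    # draw.io expects these two layer cells at the top of every file.
    ET.SubElement(root, "mxCell", id="0")
    ET.SubElement(root, "mxCell", id="1", parent="0")

    for dev_id, label, x, y in devices:
        cell = ET.SubElement(root, "mxCell", id=dev_id, value=label,
                             style="rounded=1;whiteSpace=wrap;html=1;",
                             vertex="1", parent="1")
        # "as" is a Python keyword, so the attribute is passed via a dict.
        ET.SubElement(cell, "mxGeometry", x=str(x), y=str(y),
                      width="120", height="60", **{"as": "geometry"})

    for i, (src, dst, label, colour) in enumerate(links):
        # edgeStyle=none -> straight line (Step 11); shape=link -> the "link"
        # line type (Step 12); endArrow=none drops the arrowhead.
        style = f"edgeStyle=none;shape=link;endArrow=none;strokeColor={colour};"
        cell = ET.SubElement(root, "mxCell", id=f"link{i}", value=label,
                             style=style, edge="1", parent="1",
                             source=src, target=dst)
        ET.SubElement(cell, "mxGeometry", relative="1", **{"as": "geometry"})

    return ET.tostring(mxfile, encoding="unicode")


def check_diagram(xml_text):
    """Sanity-check a .drawio file: every edge must join two existing vertices.

    Returns (vertex_count, edge_count, ids_of_dangling_edges). A dangling
    edge is the XML-level equivalent of a line that was never snapped onto
    a device's blue connection point.
    """
    root = ET.fromstring(xml_text)
    cells = root.findall(".//mxCell")
    vertices = {c.get("id") for c in cells if c.get("vertex") == "1"}
    edges = [c for c in cells if c.get("edge") == "1"]
    dangling = [e.get("id") for e in edges
                if e.get("source") not in vertices
                or e.get("target") not in vertices]
    return len(vertices), len(edges), dangling


if __name__ == "__main__":
    xml_text = build_diagram()
    with open("SiemNetworkDiagram.drawio", "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    print(check_diagram(xml_text))  # (5, 4, [])
```

Opening the written SiemNetworkDiagram.drawio in draw.io (File > Open From > Device) shows the five devices and four coloured links; the labels and positions can then be tidied by hand exactly as in the steps above. Keeping DEVICES and LINKS as plain lists means the diagram can later be regenerated from whatever inventory source the lab grows into.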


For any newcomers to your network security team, a diagram like this can help them become acclimated to your environment and such a diagram can be useful in troubleshooting situations. Thanks for following along!


If you feel like this diagram was useful to you, feel free to share it with someone else who may also find it useful. If you have any questions or comments about this guide, feel free to leave a comment and I'll do my best to respond/help with whatever you need.


Have a lovely day!


Feel free to investigate the next article in the series below


