|Authors:||Carlos Perez & David Perez|
NETinVM is a VMware virtual machine image that provides the user with a complete computer network. For this reason, NETinVM can be used for learning about operating systems, computer networks and system and network security.
In addition, since NETinVM is a VMware image, it can be used for demonstrations (i.e. in classrooms) that can be reproduced by students either in a laboratory or on their own laptop and thus, at home, at the library... For these reasons we present NETinVM as an educational tool.
NETinVM is a VMware virtual machine image that contains, ready to run, a series of Kernel Virtual Machine (KVM) virtual machines. When started, the KVM virtual machines create a whole computer network; hence the name NETinVM, an acronym for NETwork in Virtual Machine. This virtual network has been called 'example.net' and has fully qualified domain names defined for the systems: 'base.example.net', 'fw.example.net', etc.
All of the virtual machines use the Linux operating system. The VMware virtual machine is called 'base' and it runs Debian 10. Kernel Virtual Machine machines also use Debian 10 and they have different names depending on their network location, because they are grouped into three different subnets: corporate, perimeter and external. The subnetworks are named 'int' (for internal network), 'dmz' (for DMZ or demilitarized zone, usually used as a synonym for perimeter network) and 'ext' (for external network).
One of the KVM machines, 'fw', interconnects the three networks ('int, 'dmz' and 'ext'), allowing for communication and packet filtering. The rest of the KVM machines have only one network interface, connected to the network they are named after:
KVMs connected to the perimeter network (DMZ). They are supposed to be bastion nodes. Two preconfigured bastion nodes are provided, each one with its appropriate alias:
Because a picture paints a thousand words, or so they say, the following figure shows NETinVM with all of the virtual machines running inside.
All of the elements referenced before are shown in the image with their IP and ethernet addresses. The following rules have been used for assigning addresses:
In addition to the computers and networks already described, the figure also shows the real computer where NETinVM runs ('REAL COMPUTER') and VMware Player's typical network interface ('vmnet8'), which optionally interconnects NETinVM's networks with the external word.
When they boot, all KVM virtual machines get their network configuration from 'base', which provides DHCP and DNS services to the three NETinVM networks through its interfaces 'virbr-ext', 'virbr-dmz' and 'virbr-int'.
Routing works as follows:
Thus, IP traffic exchanged among the three networks goes through 'fw', while traffic going out from NETinVM to the external world goes through 'fw' if (and only if) it comes from the internal or perimeter networks. All traffic going to the real world (outside NETinVM) exits through 'base' which, applies IP forwarding and NAT to this outgoing traffic, and routes it back through the external network using the routing table 'netinvm'.
Communication between 'base' and any KVM machine, in both directions, is direct, without going through 'fw'. (When the communication is started from a KVM machine, the IP address of the interface of 'base' in the corresponding network must be used.) This configuration permits access from 'base' to all KVM machines using SSH independently of the packet filtering configuration at 'fw'.
To start NETinVM you need to download the VMware image, uncompress it and run it with the VMware Player program, which can be downloaded free of charge from VMware.
Once the VMware has been started, base.example.net is running, offering a standard KDE desktop for the unprivileged user user1. Its password is "You can change me.". The same password is valid for root, also. (The same users and passwords are also valid for KVM machines).
The idea is for base to be a desktop in which to work while doing exercises and that's why it includes LibreOffice and other similar tools. It is also designed to be the best place to monitor the traffic in the internal networks. To this extent, each network switch has a mirror port named after the corresponding network (mirror-ext, mirror-dmz and mirror-int). And base also includes wireshark and tcpdump. Other tools can, of course, be added by the user.
Starting in 2010, NETinVM includes a "Folder View" component labelled "KVM machines" with graphical links to applications:
When clicked on them, the links perform the following actions:
The command netinvm_run_all is the magic word that brings to life almost everything in NETinVM. Specifically, it launches the following elements:
Although NETinVM is ready to run up to six KVM virtual machines per network ('a' through 'f'), with just the four mentioned above it is possible to develop a wide range of activities. Of course, in practice, the less KVM virtual systems running the faster the entire system will run.
Each KVM virtual machine starts up on a different KDE virtual desktop:
On each desktop the following elements, all shown in the figure below, can be identified:
Once all KVM virtual systems have been started it is easy to locate their corresponding windows by using the list of windows from KDE, which can be accessed by clicking on the "Window list" icon in the panel or pressing 'Meta-w'. The result should be similar to the following figure:
All KVM virtual systems have an unprivileged user user1. The default password for both user1 an root in all KVM machines is (as with "base") "You can change me.".
Although the KVM version of NETinVM has been designed to offer the same interface than previous NETinVM releases, this version uses libvirt. For this reason, NETinVM can also be used to learn about KVM and libvirt using online documentation.
In addition, the "virt-viewer" application can be used to launch a LXQT desktop in any of the KVM machines. For example, to start LXQT in "exta":
The following documents describe some sample exercises that can be carried out using NETinVM.
Capture an HTTP session from "exta" to "www.example.net" using Wireshark: Capturing an HTTP session with Wireshark.
Perform a full port scan against "www.example.net" from "exta.example.net": Port Scanning with Nmap.
NETinVM can be downloaded directly from its main page: index.html