A hands-on showcase of Network Segmentation, Firewall Management, and Secure Operations...
This Project demonstrates how to build a realistic, segmented Network Environment on AWS. It moves beyond basic "Cloud Networking" into the realm of Security Engineering, featuring a Perimeter Firewall, a DMZ, and a centralised SIEM/XDR "Vault" for Real-Time Threat Detection...
- Project Overview
- Architecture Diagram
- Lab Components
- The Secure Tunnel (OpenVPN & Hybrid NAT)
- Build & Verification Journey
- Key Learnings & Troubleshooting Highlights
- The "Vault" (Wazuh & Suricata)
- Evidence of Verification (Screenshots)
- Next Phase
This Lab simulates a secure, Multi-Tier Infrastructure with:
- Public-Facing DMZ: Hosts The Web Server Simulation...
- Isolated Internal Zone: Secure Subnet for Private Assets and Management...
- pfSense [The Gatekeeper]: Acts as The Perimeter Firewall, NAT Gateway, and Segmentation Enforcer...
- Wazuh [The Vault]: Centralised SIEM/XDR for Log Analysis and Host-Based Intrusion Detection...
- Suricata [The Eyes]: High-Performance IDS/IPS Engine running on pfSense and inspecting every Flow that crosses its Interfaces [WAN, DMZ, Internal, VPN]; Traffic between two hosts on the same Subnet never transits pfSense, so that is covered by the Wazuh Agents rather than by Suricata...
Mission: To demonstrate Defense-in-Depth, Least Privilege Networking, and Real-World Security Operations...
| View Type | Detailed Architecture Diagram |
|---|---|
| Dark Mode | ![The Bank Lab Architecture Diagram [Dark Mode]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/images/architecture_diagram_dark_mode.png) |
| Light Mode | ![The Bank Lab Architecture Diagram [Light Mode]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/images/architecture_diagram_light_mode.png) |
| Sketch | ![The Bank Lab Architecture Diagram [Sketch]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/images/architecture_diagram_sketch.png) |
| Component | Purpose | Subnet / Private IP | Status |
|---|---|---|---|
| pfSense Firewall | Perimeter, NAT, Segmentation, IDS | 10.0.10.5 / 10.0.20.10 | ✅ Running |
| DMZ Web Server | Public-Facing Service Simulation | 10.0.10.x | ✅ Running |
| Monitoring [Wazuh] | SIEM Manager & Security Dashboard | 10.0.20.41 | ✅ Running |
| Internal Instance | Mock Internal Asset | 10.0.20.x | ✅ Running |
To manage The "Vault" without exposing it to the Public Internet, a secure Remote Access VPN was established:
- Encapsulation: Configured an OpenVPN Server on pfSense using UDP Port 1194...
- The Routing Paradox: The VPC Route Table knows only the VPC CIDR, so when an Internal host replies to a VPN Client's tunnel address the VPC Router has no route for it and the reply never comes back; the Tunnel works in one direction only. Solved this "Asymmetric Routing" issue by implementing Hybrid Outbound NAT on the pfSense LAN interface...
- The Result: Remote Admin traffic is "hidden" behind the pfSense Internal IP [10.0.20.10], allowing seamless access to the `10.0.20.0/24` management subnet without complex AWS Route Table modifications. The trade-off is attribution: every Internal host, Wazuh included, logs Admin sessions as coming from 10.0.20.10, so the OpenVPN logs on pfSense are the only record of which VPN user was behind a given session...
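The failure and the two fixes can be modelled in a few lines. The following is an added example, not code from The Bank Lab: it models the two AWS behaviours that decide whether the VPN round trip works (the VPC route table only knowing the VPC CIDR, and an ENI's Source/Destination Check discarding packets not addressed from or to its own IP) and walks through the configurations the lab moved through. It also covers the "Hybrid NAT Logic" and "Source/Destination Check" points under Key Learnings. The addresses 10.0.20.10 and 10.0.20.41 are the lab's; the VPC CIDR 10.0.0.0/16, the tunnel network 10.8.0.0/24 and the client address 10.8.0.6 are assumptions.

```python
"""
Added example, not the lab's own code: a small model of why the VPN path
needed the EC2 and pfSense changes the lab made.  Two AWS VPC behaviours
are modelled:
  * the VPC route table knows only the VPC CIDR ("local"), so a reply sent
    to a foreign address such as an OpenVPN tunnel address has no route;
  * an ENI with Source/Destination Check enabled discards any packet it
    sends or receives that is not addressed from or to its own IP.
Addresses 10.0.20.10 (pfSense LAN) and 10.0.20.41 (Wazuh) come from the lab.
The VPC CIDR 10.0.0.0/16, the tunnel network 10.8.0.0/24 and the client
address 10.8.0.6 are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass

VPC_CIDR = "10.0.0.0/16"                              # assumed
PFSENSE_LAN = ipaddress.ip_address("10.0.20.10")      # lab value
WAZUH = ipaddress.ip_address("10.0.20.41")            # lab value
VPN_CLIENT = ipaddress.ip_address("10.8.0.6")         # assumed tunnel address


@dataclass
class Vpc:
    routes: dict              # prefix -> "local" or the name of a target ENI
    source_dest_check: bool   # EC2 setting on the pfSense LAN ENI
    hybrid_nat: bool          # pfSense Hybrid Outbound NAT rule on the LAN side

    def route(self, dst):
        """Longest-prefix match; None means the VPC router has no route."""
        best = None
        for prefix, target in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return None if best is None else best[1]

    def lan_eni_accepts(self, src, dst):
        """Source/Destination Check as applied on the pfSense LAN ENI."""
        return not self.source_dest_check or PFSENSE_LAN in (src, dst)


def vpn_round_trip(vpc):
    """Client -> Wazuh through pfSense, then Wazuh's reply back.

    Returns a verdict string starting with 'ok' or with the drop reason."""
    # 1. pfSense decapsulates the tunnel packet and forwards it out its LAN ENI.
    #    With Hybrid NAT the client is rewritten to pfSense's own LAN address.
    src = PFSENSE_LAN if vpc.hybrid_nat else VPN_CLIENT
    if not vpc.lan_eni_accepts(src, WAZUH):
        return "forward dropped: Source/Destination Check on the pfSense LAN ENI"
    if vpc.route(WAZUH) != "local":
        return "forward dropped: no VPC route to %s" % WAZUH
    # 2. Wazuh replies to the source address it saw; the VPC router decides.
    target = vpc.route(src)
    if target is None:
        return "reply dropped: VPC router has no route to %s" % src
    if target not in ("local", "pfsense-lan"):
        return "reply misrouted to %s" % target
    if not vpc.lan_eni_accepts(WAZUH, src):
        return "reply dropped: Source/Destination Check on the pfSense LAN ENI"
    # 3. pfSense un-NATs (hybrid NAT) or simply routes the reply into the tunnel.
    how = "hybrid NAT on the LAN side" if vpc.hybrid_nat else "an explicit VPC route"
    return "ok: reply reaches the VPN client via " + how


def scenarios():
    """The configurations the lab moved through, in order, with verdicts."""
    local_only = {VPC_CIDR: "local"}
    with_route = {VPC_CIDR: "local", "10.8.0.0/24": "pfsense-lan"}  # assumed tunnel net
    return {
        "check on, no NAT":            vpn_round_trip(Vpc(local_only, True, False)),
        "check off, no NAT":           vpn_round_trip(Vpc(local_only, False, False)),
        "check off, route to tunnel":  vpn_round_trip(Vpc(with_route, False, False)),
        "check off, hybrid NAT (lab)": vpn_round_trip(Vpc(local_only, False, True)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print("%-28s %s" % (name, verdict))
```

The third scenario is the alternative the lab avoided: a VPC route for the tunnel network pointing at the pfSense LAN ENI also works, but it has to be maintained in every route table that needs it. The model also shows that NAT alone satisfies the Source/Destination Check for VPN traffic, because the packets carry pfSense's own address; anything pfSense forwards without translating still needs the check disabled.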
1] Terraform Foundation: Provisioned the VPC, Subnets, and Security Groups with "Management" and "DMZ" separation...
2] The Firewall Handshake: Configured pfSense with Dual ENIs [one per Subnet], disabling Source/Destination Checks in EC2 on both ENIs so that AWS delivers the Traffic pfSense forwards on behalf of other hosts...
3] The VPN Bridge: Established an OpenVPN Tunnel from the local Management Console to pfSense, enabling private access to internal assets...
4] SIEM Deployment: Installed Wazuh All-in-One on a dedicated Ubuntu Instance within The Management Subnet...
5] The Telemetry Pipeline:
   * Deployed Wazuh Agents to DMZ and Internal hosts...
   * Configured Syslog-over-UDP [Port 514] from pfSense to Wazuh. Plain UDP Syslog is neither authenticated nor encrypted, which is acceptable here only because both endpoints sit on the same Management Subnet...
   * Enabled Suricata EVE JSON Output for High-Fidelity Metadata [TLS versions, SSH Client and Server Banners]...
6] Traffic Verification: Confirmed that Nginx Logs and Nmap Scan Alerts are successfully traversing The Network and populating The "Vault"...
- The AWS .0-.3 Trap: AWS reserves the first four addresses of every Subnet [.0 Network, .1 VPC Router, .2 DNS, .3 reserved] plus the .255 Broadcast address, so The Gateway cannot be `.1`. Our pfSense LAN sits firmly on `10.0.20.10`...
- Hybrid NAT Logic: Initially, VPN traffic was black-holed at the pfSense LAN: Packets reached the Internal hosts, but their replies to the OpenVPN tunnel addresses had no Route in the VPC and never came back. Adding a Hybrid Outbound NAT rule on the LAN interface [translating VPN Client sources to 10.0.20.10], rather than relying only on the default WAN rule, allowed the internal VPC fabric to recognise and return packets to pfSense, which un-NATs them into the Tunnel...
- SIEM "Allowed IPs": Wazuh's `ossec.conf` is strict. Remote SysLog Packets from pfSense were dropped by The Manager until the specific Internal IP [10.0.20.10] was added to `<allowed-ips>` in the `<remote>` block. `tcpdump` on The Manager is the quickest way to confirm the Packets are arriving before blaming the configuration...
- JSON or It Did Not Happen: Standard SysLog Text is difficult to parse. Switching Suricata to EVE JSON Output allows Wazuh's built-in JSON decoder to automatically decode Fields like `src_ip`, `event_type`, and `alert.signature`, and non-alert records [ssh, tls, dns] arrive with the same structure...
- Source/Destination Check: AWS Networking defaults to discarding any Packet an ENI sends or receives whose source or destination is not that ENI's own IP. Disabling this on both pfSense ENIs was critical for The VPC "Heartbeat", because a Firewall forwards Traffic addressed to other hosts by definition...
- Suricata Tuning: Enabled ET Open Rule Sets and configured Custom ICMP Rules to verify The Detection Engine end-to-end before trusting the Alert Pipeline...
- Log Ingestion: Used `tcpdump` and `archives.log` to trace the journey of a Log Packet from The WAN interface to The Wazuh Dashboard. `archives.log` is only written when `<logall>yes</logall>` is set in The Manager's global configuration, and it grows quickly, so enable it for troubleshooting only...
- Visibility: Achieved Real-Time Alerting for Nmap Scripting Engine [NSE] Scans and Unauthorised SSH Attempts...
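What "JSON or It Did Not Happen" means in practice, as an added example that is not the lab's code: `parse_eve()` reduces each EVE record to the fields the lab keys on [`src_ip`, `event_type`, `alert.signature`] plus the ssh/tls metadata, `triage()` flags the two event classes the lab alerted on [Nmap NSE scans and SSH from outside the management subnet], and `parse_fast_log()` shows the regex a text-only pipeline needs just to recover the alert fields. Every log line below is constructed for the example; 10.0.20.0/24 as the management subnet comes from the lab.

```python
"""
Added example, not code from the lab: Suricata's text output versus its EVE
JSON output as seen from the SIEM side.  All log lines are constructed for
this example; 10.0.20.0/24 as the management subnet comes from the lab.
"""
import ipaddress
import json
import re

MGMT_SUBNET = ipaddress.ip_network("10.0.20.0/24")

# Constructed EVE records (alert, ssh, tls) plus a non-JSON line of the kind
# a syslog daemon can interleave.  Field names follow Suricata's EVE schema.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51234,"dest_ip":"10.0.10.20","dest_port":80,"proto":"TCP","alert":{"signature_id":2009358,"signature":"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)","category":"Web Application Attack","severity":1}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"ssh","src_ip":"203.0.113.7","src_port":51300,"dest_ip":"10.0.20.41","dest_port":22,"proto":"TCP","ssh":{"client":{"proto_version":"2.0","software_version":"OpenSSH_9.6"},"server":{"proto_version":"2.0","software_version":"OpenSSH_8.9p1"}}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"tls","src_ip":"10.0.20.10","src_port":40000,"dest_ip":"10.0.20.41","dest_port":443,"proto":"TCP","tls":{"version":"TLS 1.2","sni":"wazuh.internal"}}
May  1 10:00:04 pfSense suricata[1234]: a non-JSON line that the parser skips
"""

# The same Nmap alert in Suricata's one-line text (fast.log) format, constructed.
FAST_LOG_LINE = ("05/01/2024-10:00:01.000000  [**] [1:2009358:5] ET SCAN Nmap Scripting "
                 "Engine User-Agent Detected (Nmap Scripting Engine) [**] "
                 "[Classification: Web Application Attack] [Priority: 1] "
                 "{TCP} 203.0.113.7:51234 -> 10.0.10.20:80")

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<signature>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_fast_log(line):
    """Text path: one hand-written regex, alerts only, and any change to the
    line format breaks it.  Returns a dict of captured fields or None."""
    m = FAST_LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_eve(text):
    """JSON path: return (events, skipped) where each event is a flat dict with
    the common fields plus whatever per-event_type metadata is present."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1           # not an EVE record: count it, do not crash
            continue
        ev = {k: rec.get(k) for k in ("timestamp", "event_type", "src_ip",
                                       "dest_ip", "dest_port", "proto")}
        if ev["event_type"] == "alert":
            ev["signature"] = rec["alert"]["signature"]
            ev["severity"] = rec["alert"].get("severity")
        elif ev["event_type"] == "ssh":
            ev["ssh_client"] = rec["ssh"]["client"].get("software_version")
        elif ev["event_type"] == "tls":
            ev["tls_version"] = rec["tls"].get("version")
        events.append(ev)
    return events, skipped


def triage(events):
    """Return (event, reason) pairs for the two conditions the lab verified."""
    findings = []
    for ev in events:
        if ev["event_type"] == "alert" and "Nmap" in (ev.get("signature") or ""):
            findings.append((ev, "nmap-nse-scan"))
        elif (ev["event_type"] == "ssh"
              and ipaddress.ip_address(ev["src_ip"]) not in MGMT_SUBNET):
            findings.append((ev, "ssh-from-outside-mgmt"))
    return findings


if __name__ == "__main__":
    evs, skipped = parse_eve(SAMPLE_EVE)
    print("decoded %d EVE records, skipped %d non-JSON lines" % (len(evs), skipped))
    for ev, reason in triage(evs):
        print("%-22s %s -> %s:%s" % (reason, ev["src_ip"], ev["dest_ip"], ev["dest_port"]))
    print("fast.log regex recovers:", parse_fast_log(FAST_LOG_LINE)["signature"])
```

The ssh and tls records have no text-format counterpart at all: the regex path would never see the client banner or the TLS version, which is exactly the metadata the lab turned on EVE output to get.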
Visual proof of The pfSense Interface Configuration and The Core AWS Networking Setup...
Demonstrating the reach of The Wazuh Manager across The Segmented Subnets...
The Payoff: Actual Security Events captured by The IDS [Suricata] and decoded in The SIEM [Wazuh]...
These are some of The Firewall Rules and NAT Configurations that were implemented to control Traffic [Inbound and Outbound]...
- Intrusion Prevention: Transition Suricata from IDS to IPS Mode to actively block malicious Traffic. On pfSense this means either Legacy Mode Blocking [offending IPs are added to a pf block table] or Inline IPS Mode [matching Packets are dropped in-line]; start with a small set of high-confidence Drop Rules so that one noisy Signature cannot take the DMZ offline...
- Vulnerability Management: Utilize Wazuh's Vulnerability Detector to match The DMZ server's installed Packages against known CVEs and drive its Patching...
- File Integrity Monitoring [FIM]: Configure Alerts for unauthorised changes to `/etc/` or Web Directories using Wazuh's `syscheck` module with Real-Time monitoring enabled on those paths...
![The Bank Lab Architecture Diagram [Dark Mode]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/images/architecture_diagram_dark_mode.png)
![The Bank Lab Architecture Diagram [Light Mode]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/images/architecture_diagram_light_mode.png)
![The Bank Lab Architecture Diagram [Sketch]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/images/architecture_diagram_sketch.png)
![The Suricata Status [pfSense]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/screenshots/screenshot_5.png)
![The Suricata Status [Wazuh]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/screenshots/screenshot_6.png)
![The Security Alerts [pfSense]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/screenshots/screenshot_7.png)
![The Firewall Rules [LAN]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/screenshots/screenshot_8.png)
![NAT [Outbound]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/screenshots/screenshot_9.png)
![NAT [Port Forwarding]](/emmanuelmuturia/The-Bank-Lab/raw/main/assets/screenshots/screenshot_10.png)