Who am I? What do I do?

My name is Tony Robinson. On the twitters and the infosec community I’m known as da_667. I’m a Senior Security Analyst at a rather large company. At the end of the day, I manage the IDS for the company’s corporate data network and interface with monitoring, incident response and forensics frequently.

My focus is in packet analysis, IDS and NSM in general, but also like to do malware analysis whenever I’m given something fun to play with.

What hardware do you use? And what Software?

A lot of my heavy lifting I do at home. I have a Whitebox supermicro server I built as my multi-purpose VM lab. I’ve named her Valhalla. She handles everything I throw at her.

Hardware Specs:

Software - VMware ESX 5.1 running:

You might be wondering why I run two PF Sense firewalls and it’s not for CARP/HA. One firewall is segmentation from my physical home network to the virtual networks, while a second is an Extremely strict firewall to my “containment lab”, which contains VMs hosting malware analysis tools that I use for malware analysis and detonation/observation.

In addition to this, I have a gaming desktop running Win7 to run vSphere client and mremoteng to manage all these things. I also have a Macbook from my workplace for doing heavy lifting while I’m on the go:

What would be my dream setup?

Well, I’d love a VM server that had a supported RAID controller. At which point, I’d probably drop 2x 128GB SSDs in the box for a RAID 1, and 2x 2TB platter drives for a storage array in RAID 1. Mo’ RAID means Mo’ uptime.

Is there anything I do to streamline my workflow?

For my VM lab at home, I manage my VMs from a Windows box with vanilla vSphere client, and a special piece of software called “mremoteng”. This software has been the single best thing for managing multiple VMs I could have ever asked for. Support for RDP, ICA, Telnet, SSH, tabbed sessions, multiple sessions, and full session configuration for Telnet/SSH via PuTTY sessions (this means support for private keys via putty’s key management tools, etc.). If you manage a large mix of virtual machines on ESX, use mremoteng, it’s friggin awesome.

The other bit of general advice I can recommend: a lot of my testing VMs need to be rebooted frequently. Maintain good snapshots, ensure you have an NTP server configured, and EVERY time you revert a Linux VM, stop the ntp service, run ntpdate to sync to your ntp server, then restart ntp. You’ll thank me later. Some things act VERY odd if the date/time on the VM is too far out of sync. Alternatively I think there are options to sync your VMs to the system’s time.

Is there anything you want to plug?

If you need a quick way to set up a Snort IDS sensor for a wide variety of Linux distributions, consider using my pet project autosnort :)

Would like to give a shout-out to my local hackerspace Unallocated Space and thank “The Security Setup” twitter account for the opportunity to talk about my setup :)