home.lab: An Introduction

An interviewer’s best question and an analyst’s most challenging answer

Growing in cybersecurity all but requires you to be a bit of a nerd or techie. What this means for most of us in the business is that we love to tinker and play with security tools and figure out how to break and fix things. This has led to the trend of building home labs for many in the industry, using them as a test bed for knowledge, experience, and, most of all, fun.

For many just starting out with thinking about a home lab, it can be easy to feel overwhelmed and possibly like you don’t have the resources or capabilities to do such a thing; however, the chances are that you have more than enough resources to start out working on projects at home without even needing an independent system. I’d even put money on the idea you’re probably using a system in which you can also play games, which means you can likely start running a virtual environment on that system.

But before we get started, let’s break down the idea and utilities of a Home Lab.

Home Grown

Putting together a home lab is a critical step in self-development not just for those in cybersecurity but also more broadly in the I.T. space. The reason for this is it provides us a means to test and verify our skillsets with different technologies we will encounter day-to-day, and likewise, allows us to understand the implementation of technologies we will expect to use down the road. Many of these skills are ‘Use It or Lose It’ simply because there is far too much to learn and insufficient brain capacity to store it all. If you asked me to write a complex query in, say, Splunk, I’d tell you to ask me from four years ago. While I have more experience now overall, my skills in certain regions have deteriorated from honing on a micro level to a macro level because I’m not using them anymore.

Home labs allow us to counter this effective brain degradation by enabling us to test skills daily with these technologies. It also allows us to secure ourselves even more by building a safe environment for all of our beautiful devices, from computers to IoT. This creates practical experience, much like a part-time job, and to me, it sets serious professionals apart from the herd. This two-fold purpose gives us an excellent background for the stage we are preparing to set.

No Such Thing As Free Lunch

We should start with what you want in your home lab. You’ve probably asked this question, and even those with more practice running home labs ask it a lot, too. You may think, ‘Well, I can’t afford a $xx,xxx license to XYZ tool. How am I supposed to do anything?’ To that, my dear reader, there are a few solutions.

Freeware licensing is some of the most common you will find. Freeware is essentially, as it sounds, open source or community-driven development (usually). Sometimes, this may also include stripped-down versions of commercial software that support themselves with something like ads, bordering on adware. These types of software let us use them freely, and often even for commercial use. The drawback is that there is limited to zero support. Unless there is a dedicated community of users and developers, there won’t be much troubleshooting help if something breaks. This type of software demands time and patience, and while it often can be feature-rich, it can be clunky, clumsy, and downright difficult to grasp.

Community Edition licensing has been around for quite a while, and it is a standard of licensing that skims just above freeware. Sometimes referred to as CE licenses, these are usually provided as ‘free’ but are severely limited in capabilities compared to a paid version of the same software. Likewise, some may not approve you for getting a license to the software and could require a ‘business’ email address. However, there are no terms beyond this, and they allow you to use some popular software tools because of it.

Trial Licensing is probably the best and the worst kind of license due to the fact that it likely gives you genuine full use of a tool, but it is constrained on time, usually just thirty days. Afterward, it either bricks the system or reverts to a community edition-style license.

Finally, you have Developer Licensing. A specialized license that some toolmakers provide, a Developer License is likely the second best kind of license to get, with only a couple of drawbacks compared to the other two types. First, there is likely some form of agreement that you make with the vendor that, in exchange for a free license, you are expected to contribute to the development of the tool in some capacity. Often, this is seen as an integration, plugin, or use case you are making for the tool (which, by the way, you are likely giving up the rights to). In tandem with this, you may also be agreeing to be audited at any time for developmental progress and use of the tool. Secondly, these licenses usually only last a short period of time, and you must ‘renew’ them, which goes back to showing the work you are doing. What are the benefits of these types of licenses? Suppose you’re a savvy user of the tool and want to contribute to it. In that case, the advantage is that you likely get fewer usage restrictions or more capabilities/functionality that would otherwise be locked behind a paywall.

For a comprehensive list of software you can use at home, check out this list that we’ve taken the time to build here (we will modify it as we see fit; it’s not holistically comprehensive).

Where Do I install.bh?

If you’re someone who’s been a lifelong techie, the chances are that you have some hardware lying around you can drop your software on and get rolling. If you don’t, though, options are still available for you:

  • Used Hardware from eBay or local Shops - Let’s be honest, it’s a great place to shop for used hardware at a discount, and if it’s going to be for a lab, you can just wipe everything and start fresh.

  • Refurbished Sellers - Sellers like TechMikeNY refurbish server hardware that is still solid to use. It’s a bit more expensive than the used market, but you get better peace of mind if you plan to run a more robust infrastructure (DNS, Media, NAS, etc.).

  • Buying New - I don’t recommend this option unless you like living on the bleeding edge of a bleeding wallet; however, you can just buy new hardware, too. In this case, consumer-grade is still more than enough to power through dedicated home lab usage. Still, if you plan on throwing more business-level loads onto it, like running a business from your home, I would always recommend business-class hardware to improve your reliability.

The core components of any good lab environment are not far off from what many of us who also game as a hobby look for: lots of cores, lots of RAM, and tons of disk space. Fortunately, you can skip the graphics card if you have embedded graphics within the CPU (check your CPU’s model to verify). The more RAM and cores you have, the easier it is to use the hardware to virtualize much of what you desire to do, rather than having a bunch of independent systems with only one job, leaving a lot of computing resources on the table that could be consolidated. The more disk space, the more data you can store, especially with a NAS or SIEM tool. Many of the applications and operating systems we choose give us minimum system requirements, making our lives a lot easier when scoping out a system for usage in a lab. Be careful when you mess with certain operating systems, specifically ones that operate NAS functions, as those tend to cater to a delicate balance around RAM, Disk Space, Cache, etc. (looking at you, ZFS).

Speaking of operating systems, you need to consider the type of operating system… It’s Linux. It’s always Linux. Why? While Windows servers are prominent, the vast majority of cloud systems and infrastructure are Linux-based, and many security platforms, you will find, run on Linux.

The type of Linux you use can be something you can sort out on your own, but here is a quick briefing on the types of Linux you could deploy:

  • Ubuntu: This is one of the most user-friendly Linux distributions, making it an excellent choice for beginners. It has a large community and extensive documentation. Ubuntu is known for its regular updates and has several flavors that cater to different needs, such as Ubuntu Server for server environments and Ubuntu Desktop for general use.

  • Fedora: Known for having the latest features and technologies, Fedora is a cutting-edge distribution. It’s more suitable for users who have some experience with Linux and are comfortable dealing with occasional bugs or instabilities arising from its rapid update cycle.

  • CentOS (now CentOS Stream): Historically, CentOS was widely used in enterprise environments due to its stability and long-term support. It was a free derivative of Red Hat Enterprise Linux (RHEL). However, with the shift to CentOS Stream, it is now a rolling-release distribution that serves as a testing ground for RHEL.

  • Debian: Debian is renowned for its stability and reliability. It updates less frequently than Fedora but is well-suited for environments where stability is critical. Debian forms the basis for many other distributions, including Ubuntu.

  • Arch Linux: This is a choice for those who want complete control over their system. Arch is a rolling-release system known for its simplicity and customization. It’s more suited to experienced users due to its manual installation and configuration process.

  • openSUSE: openSUSE offers two main versions: Leap and Tumbleweed. Leap is more stable and is suitable for servers and workstations, while Tumbleweed is a rolling-release version, ideal for those who want the latest software.

  • Kali Linux: Specifically designed for penetration testing and security auditing, Kali Linux comes with a multitude of security tools. It’s an excellent choice for those setting up a lab focused on cybersecurity.

  • Raspberry Pi OS: For those using Raspberry Pi hardware in their home lab, Raspberry Pi OS (formerly Raspbian) is a lightweight option optimized for the Raspberry Pi hardware.

  • TrueNAS SCALE: This is an open-source NAS and hyper-converged infrastructure (HCI) software that is also based on Debian. It’s developed by iXsystems, the company behind the well-known TrueNAS (formerly FreeNAS) software. TrueNAS SCALE is designed to be scalable and flexible, making it an excellent choice for home labs where storage management, file sharing, and data protection are priorities.

For deploying these guys, refer to the documentation provided by the developers on how to install them. Various install options are based on your deployment methodology (virtual machine, bare metal, etc).

Need a little more direction? I use a healthy mix of Ubuntu Server (runs some dedicated applications), TrueNAS SCALE (NAS and virtualization functions), Kali Linux (pen-testing stuff), and Raspberry Pi OS (DNS) in my lab environments (on-prem and the cloud).

The Cloud?

Yes, the cloud. If you haven’t boarded this train yet, you’ve been missing out on learning critical skills on how our current version of the internet works. The cloud does cost money to run, but it can still be done on a budget if you know where to look. While I don’t think you should build your home lab in the cloud (unless you can afford it), learning how to spin up and spin down services for experience’s sake is still valid. Fortunately, the major cloud providers also see an advantage in getting people to learn on their platforms, so many offer free tiers and credits to help people along, meaning you don’t have to, at least initially, shuffle out money to stand stuff up.

  • Microsoft Azure: Azure is big in government, particularly in the defense area. Because of this, if you plan on getting a job doing secret squirrel stuff, I would highly recommend spending some time here. Azure offers three sets of ways to try their stuff: They offer a $200 credit on a 30-day trial, there are services you can try for twelve months for free, and then there are permanently free services you can use.

  • Amazon Web Services (AWS): AWS is probably the easiest to learn here, as they simply have a ‘Free’ tier under which they publish cloud services at zero cost. While these aren’t powerful or out-of-this-world systems, they at least allow playing with the service without incurring a fee.

  • Google Cloud Compute (GCP): GCP has some powerful big-data tools and is helpful for many computational operations (go figure, Google knows how to do analytics). However, it is Google, and using their services always comes at a cost; in this case, it’s not privacy. GCP offers a respectable 90-day trial, and they also offer $300 in credits to use, $100 more than Azure, and this credit includes use for any Google API service, like Maps. There are some free tier services as well that you could use.

There are other services as well. Oracle Cloud Infrastructure (OCI) is an option with credits to use for learning. If you’re looking for a more beginner-friendly introduction to running your cloud platforms, DigitalOcean is another great option, albeit you will have to pay for your resources here. Only looking to host an application, like a Discord Bot? Heroku is a great PaaS option.

What’s Next?

Well, the world is your oyster, and there are countless options on where to take this next. Want to play around with a RADIUS server for your Wi-Fi? Want to wire your home with CAT6a into a patch panel and deploy a Ubiquiti switch to manage a backbone? Want to deploy VMs to attack with Kali Linux? Want to set up a SIEM and log data? Want to host a Plex Server on a NAS in Kubernetes? There are many things to do in a home lab, and now that you have the basics of getting things ready, it’s time to start working on it.

Your next step is to use your Google degree and start researching projects. Many great I.T. content creators have published guides on how to get things working, and you can use them to set up your labs as well, just as I have. I won’t hold your hand here. While we will occasionally publish blogs that contain specific setups we’ve done and would recommend for many others to try out, much of this learning is designed to be hands-on, and for good reason: it just works.

Get out there, and good luck!


Mark D. Rogers Jr.

Mark is a decade-plus veteran of the I.T. and cybersecurity space, specializing in Blue Team operations such as SOC analytics, CTI, engineering, and management.

https://socops.ninja/team/mark-d-rogers-jr