Project Overview

Designed and operated a segmented cybersecurity lab for detection engineering, centralized telemetry collection, controlled security testing, and SOC-style investigation practice. The environment separated attacker, victim, management, and monitoring systems using Cisco ASA firewalling, VLANs, ACLs, NAT, and managed switching.

Employer Relevance

Why This Project Matters

This project demonstrates practical infrastructure, troubleshooting, and security operations skills that apply directly to network support, NOC, SOC analyst, systems support, and junior security engineering roles.

  • Designed segmented lab infrastructure using firewall rules, NAT, VLAN-aware networking, and controlled traffic paths.
  • Built and maintained Windows, Linux, attacker, victim, and SIEM systems in a repeatable virtualized environment.
  • Used the lab to support security telemetry, authentication-event analysis, detection workflows, and hands-on investigation practice.
FergSec cybersecurity home lab topology showing Cisco ASA segmentation, Wazuh Manager, Windows Server domain controller, Windows 10 victim host, Kali Linux attacker machine, and SOC analyst laptop.
FergSec home lab topology: Cisco ASA segmentation, Wazuh SIEM, Windows Server 2019 Active Directory, Kali Linux, and Windows/Linux lab systems.

Architecture

The lab used Proxmox VE to host Windows and Linux systems supporting both offensive and defensive workflows.

  • Cisco ASA and managed switching: Enforced network segmentation, access controls, NAT, and traffic isolation between lab zones.
  • Windows Server 2019 Active Directory: Provided centralized identity, authentication, user administration, and domain services.
  • Windows and Linux endpoints: Generated authentication, process, system, and security telemetry for investigation.
  • Wazuh and Sysmon: Collected and centralized endpoint activity for alert review, threat hunting, and rule tuning.
  • Kali Linux: Provided a controlled offensive-security platform for network discovery and planned detection-validation exercises.

Security Engineering Work

  • Configured Wazuh agents and Sysmon telemetry across Windows and Linux systems.
  • Centralized authentication, process, system, and security-event data for analyst review.
  • Tuned detection rules and triaged alerts to distinguish meaningful activity from low-value background noise.
  • Administered firewall rules, network segmentation, NAT, and communication between attacker, victim, monitoring, and management systems.
  • Reviewed collected telemetry and adjusted logging and detection logic where visibility was insufficient.

Only limited attack-simulation and detection-validation scenarios were completed before the original physical environment was decommissioned due to hardware failure. My ASA and one of my laptops took a page out of Chuck Norris's playbook and yeeted themselves out of this life. So I pivoted to the cloud.

What This Project Demonstrates

  • Network segmentation and firewall administration
  • Windows and Linux systems administration
  • Active Directory infrastructure support
  • SIEM deployment and telemetry management
  • Sysmon configuration and endpoint visibility
  • Detection-rule tuning and alert-noise reduction
  • Alert triage and security investigation
  • Technical documentation and remediation planning

Evidence and Project Artifacts

  • Network topology and trust-zone diagram
  • Cisco ASA ACL and NAT configuration examples
  • Proxmox virtual-machine inventory
  • Windows Server Active Directory configuration
  • Wazuh and Sysmon telemetry screenshots
  • Technical article and implementation documentation

Lessons Learned

This lab taught me how much security operations depends on boring-but-critical infrastructure fundamentals: routing, firewall behavior, authentication, log collection, endpoint visibility, and disciplined troubleshooting. The value of this project is not just that the lab exists. The value is that it shows I can plan infrastructure, deploy systems, troubleshoot failures, document architecture, and use the environment to support security monitoring and hands-on investigation.

Originally Planned Expansion

  • pfSense: Rebuilt routing, firewall segmentation, NAT, and controlled communication between lab networks.
  • Security Onion: IDS monitoring and full-packet visibility when sufficient hardware resources are available.
  • Velociraptor: Endpoint forensics, artifact collection, and live-response testing.
  • Detection-validation case studies: Documented test activity, collected telemetry, observed results, tuning changes, and retest outcomes.