Lab Setup 2 – Architecture


First, get yourself a licence for VMware professional and install it on a dedicated piece of hardware. Whilst your virtual lab could absolutely sit on a PC that has other uses, we want to keep our malware as isolated as possible, so dedicated is the way to go. We’ll call this physical machine our “VM host”. Virtual Machines (VMs) that sit inside this are named “VM guests”.

At a bare minimum you’ll need one VM guest running the operating system that replicates your production environment, e.g. Windows 7. If you need to test against multiple operating systems, application environments and patch levels you’ll need to create multiple guest images. How the VMs connect to the outside world and access external services is where you have a few options.


  • Easy Option – Give the VM direct access to reach the Internet or LAN-based systems (via the Host). This is a simple method but has the greatest risk of accidental malware leaks/issues.
  • Complex Option – Create a network of VM guests along with a virtual router/firewall inside VMware. This method is more complex but not difficult to set up. It creates multiple layers of segregation and provides fine control of data flows and visibility of network behaviour.

Architecture Diagrams

In the diagrams below we show a simplified network for a production (live) estate, with your servers, laptops and upstream firewall connecting to the Internet. Your virtual lab will be built inside your dedicated virtual host machine. Your AV malware testing virtual server (“Malware Tester 1”) will sit inside the virtual environment as shown below.

The easy option is where most people will (and maybe should) start, but we would recommend you seriously consider the complex option with separation from your production network. This option requires you to have VLAN or physical network separation from production traffic, which demands more sophistication from your switching / firewall infrastructure. For example, most home routers/firewalls won’t support VLAN or network separation, whether you use multiple physical ports on the firewall or one trunked port from a VLAN-separating switch. Fortunately, firewalls from the leading vendors, e.g. Check Point, Palo Alto, Cisco, Juniper and Fortinet, all support network separation between ports or VLANs, so if you have access to these then you can achieve strong separation.


Alternatively, if your network infrastructure supports it (e.g. a managed switch), you’ll be able to have VLAN separation. If all of this network separation stuff is outside of your comfort zone, just stick with having your virtual host on your main production network.

Easy Design Option

  • Virtual Host connected to the production network.
  • Single virtual machine connected to the host for network access.
Simple VM Lab


Complex Design Option

  • Virtual Host connected to the production network.
  • Virtual Firewall / Router providing network separation inside the virtual environment
  • Multiple virtual machines used
  • Note the green network connection bypassing the production network and connecting directly to the firewall
Complex VM lab


Complex Design Option With Production Network Separation

  • Virtual Host connected to a DMZ, firewall separated from the production network.
  • Virtual Firewall / Router providing network separation inside the virtual environment
  • Multiple virtual machines used.
Complex Virtual Lab with Firewall
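
Whichever design you choose, the deciding factor is how each guest's network adapter is attached. The following is an added example (not from the original post) that reads a guest's .vmx text and lists every enabled adapter that is bridged, NATed or host-only rather than attached to the lab segment behind the virtual firewall. The sample .vmx fragments and the segment name VMnet2 are constructed for illustration.

```python
import re

# Constructed sample .vmx fragments (illustrative, not from the original post).
EASY_VMX = '''
displayName = "Malware Tester 1"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
'''
COMPLEX_VMX = '''
displayName = "Malware Tester 1"
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "VMnet2"
ethernet1.present = "FALSE"
ethernet1.connectionType = "nat"
'''

# Matches lines such as: ethernet0.connectionType = "bridged"
LINE = re.compile(r'^\s*(ethernet\d+)\.(\w+)\s*=\s*"(.*)"\s*$', re.I)

def parse_adapters(vmx_text):
    """Return {adapter: {key: value}} for every ethernetN.* line."""
    adapters = {}
    for line in vmx_text.splitlines():
        m = LINE.match(line)
        if m:
            name, key = m.group(1).lower(), m.group(2).lower()
            adapters.setdefault(name, {})[key] = m.group(3)
    return adapters

def audit(vmx_text, isolated_vnets):
    """List enabled adapters that are not confined to an isolated lab segment."""
    allowed = {v.lower() for v in isolated_vnets}
    findings = []
    for name, cfg in sorted(parse_adapters(vmx_text).items()):
        if cfg.get("present", "FALSE").upper() != "TRUE":
            continue  # adapter disabled, carries no traffic
        # Assumption: an adapter with no connectionType is treated as bridged.
        ctype = cfg.get("connectiontype", "bridged").lower()
        vnet = cfg.get("vnet", "").lower()
        if ctype == "custom" and vnet in allowed:
            continue  # attached only to a segment the operator named as isolated
        findings.append((name, ctype, vnet))
    return findings

if __name__ == "__main__":
    for label, text in (("easy", EASY_VMX), ("complex", COMPLEX_VMX)):
        print(label, audit(text, {"VMnet2"}) or "all adapters on isolated segments")
```

Pass in only the virtual networks whose sole gateway is your virtual firewall; anything the function returns is an adapter with a path that does not go through it.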


A Dirty Wifi Connection

A great way to provide some more separation is to make use of a physically separate and disconnected Internet connection, such as that provided by a cellular WiFi connection. You can achieve this by using a hotspot configuration on your mobile device to broadcast a new Internet-connected wireless network for your VMware host to use. Or you could connect a physical cellular device such as a MiFi device directly into the VMware host. N.B. This will only work on VMware Workstation, as opposed to ESXi, which cannot support WiFi and is pretty terrible at supporting USB network adaptors.


By using a separate route out to the Internet, you keep the dirty malware / C&C traffic off your production network.


(Thanks to DJK for suggesting this advice.)

Carl Gottlieb


Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.
