I know that I want to look at several things in my test lab - FreeBSD servers, Ubuntu servers, Grouper, OpenLDAP, ELK + Kafka, SecurityOnion, CIF and others. To do this, each server needs to be able to communicate with the others. It also means each server may need Internet access to get the specific pieces of software I want to try.
There are a couple of options to accomplish this. I can have multiple network interfaces for each system, so that each server is multi-homed, but that makes it more difficult to look at things like SecurityOnion. The better way is to have each server connected to the same internal network and then let them connect to the Internet through a router. An even better way is to have segmented networks with desktops in one network, internal services in another and external services in another. The best way is to have multiple internal VLANs, similar to a properly segmented network, but I'm not going to go THAT far with VirtualBox...at least, I don't plan on it!
Instead, I'm going to start with a flat network - the type many small businesses will have. Servers and workstations will be in the same IP space, everything will go through an OpenBSD router and the router will send a copy of all Internet traffic to SecurityOnion. It will look like this...
*AHEM* A Small Clarification
One quick note on the router and SecurityOnion systems. The OpenBSD router would have three interfaces - one "internal", one "external" (to the Internet) and one that acts as a "span". The SecurityOnion system would have two interfaces - one for Internet access that sits on the "internal" network and a second to receive "span" traffic from the router. The "span" interface will NOT have an IP address and traffic will NOT be forwarded from one interface to the other.
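As an added example (not part of the original post), the two rules for the "span" side can be checked on the sensor itself: the sniffing interface carries no address, not even an auto-assigned IPv6 link-local one, and the host does not forward between its interfaces. It assumes a Linux-based sensor with iproute2; the interface names `eth0` and `eth1` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sensor against the "span has no IP, no forwarding" rule.
# Assumptions: Linux sensor, iproute2 one-line output (`ip -o addr show`),
# eth0 = internal/management interface, eth1 = span interface (hypothetical names).

# Constructed sample: correctly configured sensor (eth1 has no address lines at all).
SAMPLE_GOOD='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.20/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Constructed sample: eth1 was brought up and picked up an IPv6 link-local address.
SAMPLE_BAD="$SAMPLE_GOOD"'
3: eth1    inet6 fe80::a00:27ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

# Print every IPv4/IPv6 address bound to interface $1 in `ip -o addr show` output $2.
iface_addrs() {
    printf '%s\n' "$2" |
        awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $4 }'
}

# Return 0 only when the span interface is address-less and forwarding is off.
# $1 = span interface, $2 = `ip -o addr show` output, $3 = net.ipv4.ip_forward value
span_ok() {
    addrs=$(iface_addrs "$1" "$2")
    if [ -n "$addrs" ]; then
        echo "FAIL: $1 has address(es): $addrs" >&2
        return 1
    fi
    if [ "$3" != "0" ]; then
        echo "FAIL: net.ipv4.ip_forward=$3, host would route between interfaces" >&2
        return 1
    fi
    echo "OK: $1 is address-less and forwarding is disabled"
}

# Demo on the constructed samples. On a live sensor, run instead:
#   span_ok eth1 "$(ip -o addr show)" "$(sysctl -n net.ipv4.ip_forward)"
span_ok eth1 "$SAMPLE_GOOD" 0
span_ok eth1 "$SAMPLE_BAD" 0 || echo "(expected failure on the constructed bad sample)"
```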
But Is It Realistic?
This basic setup can scale for most small and medium-sized environments. You may have high-availability routers, multiple Internet connections, Bro or Snort clusters and multiple VLANs behind the routers, but conceptually the model is the same. Linux and BSD routers perform very well at multi-gig speeds and can perform NAT functions at hundreds of thousands of sessions per second for tens of thousands of devices. OpenBSD with pf and CARP is networking poetry in motion (and something I want to write about this time!). Do not be afraid to experiment!!