Implementing Network Policies and Managing Restrictions for Lab Environments
- Updated on 06 Sep 2024
Lab environments are essential for technical training, but they also pose various challenges in terms of network security and stability. To address these challenges, Skillable offers different network options for labs hosted on Hyper-V or ESX Virtualization Platforms, each with its own policies and restrictions. This document explains how to choose and configure the best network option for your lab needs, and what to consider when using Skillable's environments.
Overview of Network Types
Lab environments hosted on Hyper-V or ESX virtualization platforms utilize Skillable's on-premise environments. As part of standard network management, we utilize monitoring and filtering technology to ensure network stability and security. Three separate networks are available for use:
WebNet - This is the default network when internet access is required. Labs on WebNet launch with a unique NAT gateway that provides routing and network isolation.
SecureNet - This network is a more secure version of WebNet used for labs that are at greater risk of abuse. SecureNet networks have firewall restrictions and rules in place to reduce the impact of abuse.
A Lab Profile is assigned to a SecureNet network when an enabled Access Control List (ACL) that has the Use Secure Network option checked is attached to it. Accessing secure networks requires permissions on your user account. If you are unable to access secure networks, please reach out to our Support team for assistance.
CustomerNet - This network is for labs that require direct Public IP access. It is available upon request.
Network Policies and Restrictions
The policies and restrictions below do not apply to CustomerNet unless otherwise stated.
Networks utilize industry-standard filtering rules provided by our firewall vendor. Application Control, Web Filtering, IPS Monitoring, Antivirus and DDoS prevention rules are all utilized.
In general, illegal content is prohibited, as are sites that are generally unrelated to the goals of technical training. Antivirus, IPS Monitoring and DDoS prevention rules apply to all networks including CustomerNet.
Updates to filtering rules are applied regularly. For information on a specific application, please see FortiGate's documentation:
Application Control | Web Filtering | IPS Monitoring
Application Control
Blocked Categories:
- Proxy
- Storage and Backup
  - Google Drive, OneDrive, and Dropbox are allowed on WebNet.
- Games
- Remote Access and VPN
  - Any service that establishes a secure tunnel will be blocked.
- P2P
- Social Media
- Audio/Video Streams
- Unknown or Anomalous Applications
When building a lab, please verify the function of all services needed. If a specific service is required for a lab environment and does not function, or if the lab uses a service classified as a proxy, please contact support.
Web Filtering
Blocked Categories:
- Potentially Liable
- Adult/Mature Content
- Bandwidth Consuming
  - WebNet allows the subcategories "Internet Telephony", "File Sharing and Storage", and "Freeware and Software Downloads".
- Security Risk
- General Interest - Personal
  - Exceptions to General Interest - Personal are as follows:
| Advertising | Digital Postcards | Entertainment | Restaurant and Dining | Web Based Email (WebNet only) |
| Arts and Culture | Domain Parking | News and Media | Society and Lifestyles | |
| Brokerage and Trading | Dynamic Content | Personal Websites and Blogs | Sports | |
| Content Servers | Education | Reference | Travel | |
Additional Restrictions
On all networks, including CustomerNet, the following services are prohibited:
- FTP/TFTP inbound
- LDAP inbound
- RDP inbound
- SMB inbound
- SMTP outbound
- SSH inbound
- TELNET inbound
On the CustomerNet network, labs must follow additional configuration restrictions. Any lab not following these restrictions may be updated by Skillable to bring it into compliance or removed from availability until changes are made.
- Any DNS server with a public IP must have DNS recursion disabled. For details on how to do this, please refer to the documentation for your virtual machine operating system.
- Lab profiles with public IP addresses cannot have a specified Ethernet (MAC) address enabled on their network adapters.
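One way to confirm the DNS recursion restriction above on a server you operate, as an added example (not Skillable's tooling): send a query with the recursion-desired bit set for a name the server is not authoritative for, then read the reply header flags. The function names and the test name `example.com` are assumptions; a result of `enabled` means the server still offers recursion.

```python
import socket
import struct
import sys

QID = 0x1234  # fixed query ID, sufficient for a one-off compliance check

def build_query(name, qid=QID):
    """Build an A-record query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def recursion_status(response, qid=QID):
    """Classify a reply to a query for a name the server is NOT authoritative for."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:      # wrong ID, or QR bit clear
        raise ValueError("not a response to our query")
    if flags & 0x000F == 5:                   # RCODE 5 = REFUSED
        return "refused"
    ra, aa = flags & 0x0080, flags & 0x0400   # recursion available, authoritative
    if ra or (ancount and not aa):            # advertises recursion or served a cached answer
        return "enabled"
    return "disabled"

def check_server(server_ip, name="example.com", timeout=3.0):
    """Send the probe over UDP/53 to a DNS server you operate."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        data, _ = s.recvfrom(512)
    return recursion_status(data)

# Constructed 12-byte reply headers (not captured traffic) for offline runs.
SAMPLES = {
    "refused":  struct.pack("!HHHHHH", QID, 0x8105, 1, 0, 0, 0),   # QR, RD, REFUSED
    "enabled":  struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 0),   # QR, RD, RA, one answer
    "disabled": struct.pack("!HHHHHH", QID, 0x8100, 1, 0, 13, 0),  # QR, RD, referral only
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_server(sys.argv[1]))
    else:
        for expected, reply in SAMPLES.items():
            print(expected, "->", recursion_status(reply))
```

Run it from outside the lab against the server's public IP, since the restriction concerns what external clients are offered.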
On the SecureNet network, labs must follow additional configuration restrictions. If these restrictions are not followed, web access will not function reliably. For more information, refer to the Access Control Lists documentation.
- For labs without an internal DNS server, all virtual machines should use the NAT gateway for their DNS server (this is automatic if DHCP is enabled for the NAT network).
- For labs with an internal DNS server, the internal server should have a forwarder added for the NAT gateway.
Bandwidth
Bandwidth on all networks is regulated and monitored, utilizing per-IP and per-network restrictions. This is done to ensure platform stability and provide a minimum baseline to all labs. Due to the shared nature of the platform, it is strongly recommended that any downloads in a lab be pre-staged to prevent issues or delays in a live class.
All information in this document is regularly maintained and updated, but does not represent a guarantee. Network policies and restrictions may change at any time due to the constantly evolving nature of network security. If you have any questions, feedback, or concerns, please contact support.