
Lab 3: Isolated Lab Network


~3 hr. Build the documented isolated lab network. Produce the network diagram, the per-session authorization log template, and the customized scope-limit document. Establish the lab portfolio infrastructure all subsequent labs depend on.


Goal: ship three artifacts: lab-3-network-diagram.md (the diagram + isolation-verification evidence), lab-portfolio-template.md (the running session log; will be appended to from Lab 4 onward), and scope-limit.md (the cohort-specific scope-limit document signed at the end of the lab).

Estimated time: ~3 hr (1 hr diagram; 1 hr portfolio + scope-limit drafting; 1 hr instructor counter-sign meeting).

Prerequisites: Week 3 lecture. Lab 2 complete. Cohort cyber-use authorization signed by student; instructor counter-signature pending Lab 3 completion.

Authorization line: Lab 3 has no hardware-touching action; the lab is paperwork + verification + signature. Authorization line for the lab notebook:

Lab 3 session, 2026-MM-DD HH:MM. Lab-network documentation + scope-limit drafting + 
instructor counter-sign meeting. No hardware actions; no tool runs; no traffic generated
beyond the isolation-verification ping.

Setup

mkdir -p ~/adv-101/lab-3
cd ~/adv-101/lab-3

Have ready:

  • The SB6141 unit (powered off is fine; you do not need it running for Lab 3)
  • Your Ethernet cable
  • The signed cohort cyber-use authorization document (the version with your signature; instructor counter-signature comes at lab close)

Part A: Build the network diagram (~45 min)

Draw your lab network. Use mermaid syntax for portability (GitHub renders it natively):

lab-3-network-diagram.md:

# Lab 3: Isolated Lab Network Diagram

## Topology

```mermaid
flowchart LR
    subgraph isolated["Isolated lab network (no upstream connection)"]
        laptop["Student laptop<br/>IP: 192.168.100.2<br/>OS: <your OS>"]
        modem["SB6141 modem<br/>IP: 192.168.100.1<br/>Serial: <your unit serial>"]
        laptop -- "Ethernet<br/>(via USB-Ethernet adapter)" --- modem
    end
    
    nointernet["Public Internet<br/>(NO CONNECTION)"]
    isolated -.- nointernet
```

## Isolation verification

```bash
# From the lab laptop, with the lab Ethernet active:

ping -c 3 192.168.100.1    # SUCCESS expected (lab modem reachable)
ping -c 3 8.8.8.8           # FAILURE expected (no upstream Internet route)
ping -c 3 google.com        # FAILURE expected (no DNS via lab network)
```

Output captured 2026-MM-DD HH:MM (paste actual output from your terminal):

```
$ ping -c 3 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.521 ms
...

$ ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: connect: Network is unreachable

$ ping -c 3 google.com
ping: google.com: Temporary failure in name resolution
```

(Substitute your actual output.)

## Components in scope

| Component | Identifier | Notes |
|---|---|---|
| Lab laptop | ; OS ; Ethernet MAC | Test client |
| USB-Ethernet adapter | <vendor + model> | Only Ethernet interface used during lab work |
| Ethernet cable | <length / brand> | Direct connection laptop -> SB6141 |
| SB6141 modem | Serial ; firmware version | The lab target |

## Components explicitly OUT of scope

- Public Internet (no upstream connection from lab network)
- Wi-Fi (disabled on laptop during lab sessions)
- Any other device on any other network (home network, office network, public Wi-Fi)
- Any other cable modem (only the documented SB6141 unit)

(Customize all the bracketed fields with your actual values.)

Part B: Build the lab-portfolio template (~45 min)

The lab portfolio is one file that grows across the course; Lab 3 creates the template that subsequent labs fill in.

`~/adv-101/lab-portfolio.md`:

```markdown
# Lab Portfolio, ADV-101, Cohort <cohort name>

Student: <your name>
Cohort: <cohort identifier>
Authorization filed: 2026-MM-DD (student signature); 2026-MM-DD (instructor counter-signature)
Authorization expiry: end of capstone defense (Week 13 final session)

---

## Authorization basis

This portfolio documents work conducted under the academy's cohort cyber-use authorization
document, signed by the student and counter-signed by the instructor. The authorization
covers:

- Lab target: the academy-provided or self-purchased Motorola SURFboard SB6141 cable modem
  (serial number <X>; firmware version <Y>) on the documented isolated lab network
- Time window: 2026-MM-DD through 2026-MM-DD (end of capstone defense)
- Scope: reproduction of known SB6141 CVEs; development of testing tools per the ADV-101
  curriculum; documentation of findings in the academy's lab-portfolio format
- Negative scope: see `scope-limit.md` for the explicit out-of-bounds list

The authorization document itself is on file with the academy's cohort records. This
portfolio is the per-session audit trail.

---

## Per-session log

Each lab session adds an entry below. Format:

    Lab N session, YYYY-MM-DD HH:MM

    Target: <device / scope>
    Action: <what was done; reference the lab spec>
    Authorization basis: per signed cohort authorization filed YYYY-MM-DD
    Session duration: HH:MM start; HH:MM end (~Xh)
    Artifacts produced: <files; commits>
    Incidents: <none; or any unexpected behavior>

---

### Lab 1 session, 2026-MM-DD HH:MM (paper-only)

**Target:** none (annotation of public CVE record VU#419568)
**Action:** annotated VU#419568 per Lab 1 spec; produced reproducing-researcher checklist
**Authorization basis:** lab is paper-only; no hardware contact
**Session duration:** ~3h
**Artifacts produced:** `lab-1/lab-1-annotation.md`
**Incidents:** none

### Lab 2 session, 2026-MM-DD HH:MM

**Target:** SB6141 unit serial <X>; isolated lab network
**Action:** reproduced VU#419568 CSRF via Burp Suite capture + `curl` reproduction +
HTML proof-of-concept cross-origin demonstration
**Authorization basis:** per signed cohort authorization (filed 2026-MM-DD, instructor
counter-signature pending Lab 3)
**Session duration:** ~3h
**Artifacts produced:** `lab-2/lab-2-reproduction.md`; `lab-2-burp-history.xml`;
`csrf-demo.html`
**Incidents:** none (modem reset and recovered twice; reconfigured laptop static IP after
each reset)

### Lab 3 session, 2026-MM-DD HH:MM

**Target:** documentation; no hardware action
**Action:** built network diagram; drafted lab-portfolio template; drafted scope-limit;
met with instructor for counter-signature
**Authorization basis:** documentation lab; no traffic generated beyond isolation-
verification pings (which are explicitly within scope)
**Session duration:** ~3h
**Artifacts produced:** `lab-3/lab-3-network-diagram.md`; `lab-portfolio.md` (this file);
`lab-3/scope-limit.md`
**Incidents:** none
```

The portfolio is single-file; subsequent labs (Lab 4 through capstone) append entries here. Do not split into per-lab files; the single rolling log is the document the academy reads at midterm and capstone defense.


Part C: Customize the scope-limit document (~45 min)

The academy provides a standard scope-limit template (the instructor distributes the text version). Lab 3 customizes it for the specific cohort:

scope-limit.md:

# Scope-Limit, ADV-101 Cohort <cohort name>

Effective: <signature date>
Expiry: end of capstone defense (Week 13 final session)
Student: <your name>
Instructor: <instructor name>

---

## In scope

The following activities are authorized under the cohort cyber-use authorization:

1. **Reproduction of known SB6141 CVEs** on the academy-provided or self-purchased SB6141
   unit identified by serial number <X>, conducted on the documented isolated lab network
   (see `lab-3-network-diagram.md`).
2. **Development of testing tools** per the ADV-101 curriculum (Tool v0.1 through v1.0;
   capstone). Tool development includes argparse, logging, fingerprinting, dry-run mode,
   structured logs, idempotency, rollback. Tool development specifically EXCLUDES
   weaponized exploit payloads.
3. **Documentation of findings** in the academy's lab-portfolio format. Documentation may
   include CVSS scoring, CVD-style disclosure drafts, ethics-statement reflection.
4. **Use of network-isolation and traffic-capture tooling** (Burp Suite, `curl`, `tcpdump`)
   strictly within the isolated lab network.

## Out of scope (explicit)

The following activities are explicitly NOT authorized under this scope; performing them
during the cohort exits this scope and may constitute unauthorized access under CFAA §1030
or equivalent state-law statutes:

1. **Testing any device the student does not personally own and have written authorization
   to test.** This includes home routers, friends' devices, employer-owned hardware,
   public-network equipment.
2. **Testing the academy-provided SB6141 unit outside the documented isolated lab
   network.** Connecting the unit to a live cable provider, to a home network, or to any
   shared network exits scope.
3. **Developing weaponized exploit payloads.** The ADV-101 tool sequence stops at
   "demonstrate the destructive endpoint is reachable"; chaining into post-exploitation,
   persistence, or any further attacker capability is out of scope.
4. **Selling, sharing, or publishing tools or transcripts outside the cohort** without
   prior written instructor approval. Transcripts and tools are cohort material; sharing
   broadly requires academy sign-off.
5. **Testing CVE-2026-5402** (the Wireshark TLS ECH integer-truncation arc) **outside the
   capstone-arc handout context.** This CVE has a dedicated capstone arc with its own
   isolated Docker harness; ad-hoc testing is out of scope for the standard ADV-101
   coursework.
6. **Any activity not enumerated in the In Scope section above.** If a situation arises
   where the activity is ambiguous, the discipline is to stop, document the question, and
   ask the instructor. Acting first and asking later is not acceptable.

## Incident reporting

If at any time during the cohort the student notices they may have operated outside this
scope (intentionally or accidentally), the student must:

1. Stop the activity immediately
2. Document the incident in the lab portfolio (date, time, what happened, what action was
   taken to stop it)
3. Notify the instructor within 24 hours

Incidents reported in good faith are reviewed; they are not automatic dismissals. Incidents
discovered AFTER the fact (without student report) are treated more seriously.

## Signatures

Student: <your name>; signed 2026-MM-DD
Instructor: <instructor name>; counter-signed 2026-MM-DD

---

*This scope-limit document is referenced by the per-session authorization line in
`lab-portfolio.md` and is on file with the academy's cohort records.*

Part D: Instructor counter-signature meeting (~30 min)

Bring to the instructor's office (or video call):

  • Your lab-3-network-diagram.md (printed or shown on screen)
  • Your lab-portfolio.md (with Lab 1 + Lab 2 + Lab 3 sessions logged)
  • Your scope-limit.md (customized with your name + instructor name + dates)
  • Your physical SB6141 unit serial (for the instructor to verify against academy records if it is a checked-out unit)

The instructor:

  1. Inspects the network diagram; verifies the isolation evidence
  2. Reads the scope-limit; confirms the negative-scope list matches the cohort norm
  3. Counter-signs the scope-limit document (paper or digital)
  4. Counter-signs the cohort cyber-use authorization document (the academy's master copy)
  5. Approves the lab portfolio for ongoing use

The counter-signature is the gate to Lab 4 (the first tool-running lab). Without instructor counter-signature, Lab 4 does not proceed.


Part E: Commit your work (~15 min)

cd ~/adv-101/lab-3
git add lab-3-network-diagram.md scope-limit.md
git add ../lab-portfolio.md
git commit -m "Lab 3: isolated lab network documented; scope-limit drafted; instructor counter-signature on cyber-use authorization"

The portfolio file lives at ~/adv-101/lab-portfolio.md (not inside lab-3/); commit it from there with git add ../lab-portfolio.md from the lab subdir, or git add lab-portfolio.md from ~/adv-101/.


Expected output / artifact

Three documents:

  1. ~/adv-101/lab-3/lab-3-network-diagram.md: mermaid diagram + isolation-verification ping output + components-in-scope and out-of-scope tables.
  2. ~/adv-101/lab-portfolio.md (NEW; lives at the top of the repo): per-session log with Lab 1, Lab 2, Lab 3 entries.
  3. ~/adv-101/lab-3/scope-limit.md: customized scope-limit document with student signature + instructor counter-signature.

All committed. Instructor counter-signature on the academy's cyber-use authorization document is the lab-close gate.


What's the failure mode?

This lab's likely failure modes:

  1. Network isolation not actually verified. A laptop with Wi-Fi enabled and an Ethernet link to the SB6141 may route some traffic through Wi-Fi (depending on metric / OS preferences). The ping 8.8.8.8 test catches this; do not skip it. If ping 8.8.8.8 succeeds, your laptop has an Internet path; disable Wi-Fi or fix routing before proceeding.
  2. Portfolio file in the wrong location. The portfolio lives at ~/adv-101/lab-portfolio.md, not inside any per-lab directory. Subsequent labs append to it from that path.
  3. Scope-limit document with vague negative scope. "I won't do anything wrong" is not negative scope; it is wishful thinking. The negative scope must enumerate specific activities and specific devices.
  4. Skipping the instructor counter-signature meeting. Lab 4 does not proceed without counter-signature. The meeting is non-optional.
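
The check behind failure mode 1, as an added example that is not part of the lab handout: it combines the three ping results with the laptop's route table, so that a Wi-Fi default route is named as the leak. The function names, the `--run` flag and the stricter AT RISK verdict are assumptions of this example (the handout's own criterion is the three pings), and the sample route tables are constructed.

```shell
#!/bin/sh
# Added example, not part of the lab handout. Addresses are the handout's.
MODEM=192.168.100.1

# Constructed sample route tables (`ip -4 route show` format; not real captures).
SAMPLE_ISOLATED='192.168.100.0/24 dev enx0 proto kernel scope link src 192.168.100.2'
SAMPLE_WIFI_UP='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
192.168.100.0/24 dev enx0 proto kernel scope link src 192.168.100.2'

# leak_interfaces: read route-table text on stdin; print the interface of every
# default route whose gateway is not the lab modem (for example a Wi-Fi route).
leak_interfaces() {
    awk -v gw="$MODEM" '$1 == "default" {
        via = ""; dev = ""
        for (i = 2; i < NF; i++) {
            if ($i == "via") via = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        if (via != gw) print dev
    }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# isolation_verdict MODEM_RC UPSTREAM_RC DNS_RC ROUTES
# The three ping exit codes (0 = replies received) plus the route-table text.
isolation_verdict() {
    iv_leaks=$(printf '%s\n' "$4" | leak_interfaces)
    if [ "$1" -ne 0 ]; then
        echo "UNVERIFIED: lab modem $MODEM unreachable; check cable and static IP"
    elif [ "$2" -eq 0 ] || [ "$3" -eq 0 ]; then
        echo "NOT ISOLATED: Internet path via ${iv_leaks:-unknown interface}"
    elif [ -n "$iv_leaks" ]; then
        # Stricter than the handout: pings failed, but a non-lab default route exists.
        echo "AT RISK: pings failed but a default route exists on $iv_leaks"
    else
        echo "ISOLATED"
    fi
}

# Live mode on the lab laptop (Linux with iproute2): sh isolation-check.sh --run
if [ "${1:-}" = "--run" ]; then
    ping -c 3 "$MODEM" >/dev/null 2>&1; m=$?
    ping -c 3 8.8.8.8 >/dev/null 2>&1; u=$?
    ping -c 3 google.com >/dev/null 2>&1; d=$?
    echo "$(date '+%Y-%m-%d %H:%M') $(isolation_verdict "$m" "$u" "$d" "$(ip -4 route show)")"
fi
```

The timestamped verdict line supplements the pasted ping output in `lab-3-network-diagram.md`; it does not replace it.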

Common pitfalls

  • Treating the diagram as cosmetic. The diagram is the artifact a reviewer reads BEFORE the technical artifacts. A clean diagram with explicit isolation builds credibility for everything downstream.
  • Negative scope by exception. "I won't do anything except X, Y, Z" is the wrong default. The right default is "I will do only the things explicitly listed in the In Scope section; everything else is out of scope by absence." The Out of Scope section enumerates the most-likely temptations, not the entire negative space.
  • Treating the per-session log as bureaucratic. A per-session log that is genuine (timestamps match wall clock; observations match what happened) takes 3 minutes per session and protects you for the rest of your career. A per-session log that is reverse-engineered post-hoc is worse than no log because it implies dishonesty.
  • Late instructor counter-signature. Schedule the meeting at the START of Lab 3, not the end. If the meeting slips to Week 4 or later, your authorization is effectively pending and Lab 4's tool-running is technically outside scope.

What would a reviewer ask?

  1. "Walk me through your network diagram. What is the isolation boundary?"
  2. "Show me a sample per-session log entry. Does the format match the academy's standard?"
  3. "Your scope-limit document forbids testing CVE-2026-5402 outside the capstone-arc context. Why that specific exclusion?"

Stretch (optional)

  1. Build a second network diagram for the capstone work. The capstone may involve additional tooling (a dedicated test workstation for running pytest against Tool v1.0; a separate VM for the disclosure-report drafting). Sketch the diagram for Week 12-13 now; revise after Week 11 workshop.
  2. Cohort-level negative-scope normalization. Compare your scope-limit.md with two peers'. Where do they diverge? Discuss; agree on a cohort-wide negative scope where divergence is not justified by individual circumstance.
  3. Read NIST SP 800-115 §5 (post-engagement) for the reporting-phase requirements. The ADV-101 capstone's disclosure report inherits some structural points from this section; preview now to inform Week 9.

Lab 3 v0.1.