Security Onion: Creating a Virtual Lab Environment—Windows 11, 2026
This is an updated version of my original tutorial about how to set up a virtualized lab environment monitored by Security Onion. You can see the original version from 2022, which uses macOS and VMware Fusion Pro, at Security Onion Virtual Lab Tutorial: Introduction (MacOS, 2022).
This series of how-to articles describes how to set up your own virtual lab for information security research using virtual machines (VMs). I am using VMware Workstation Pro, which is a Type 2 hypervisor used for desktop virtualization on host operating systems running Windows.
The centerpiece of the lab is a virtual machine (VM) running Security Onion, which is an open-source network intrusion detection system (NIDS) and network security monitor (NSM). Security Onion uses containers to give users a wide variety of tools that allow for network monitoring and alerting, threat hunting, and more. It utilizes well-known, widely used open-source applications, including:
- Zeek (formerly known as Bro) analyzes traffic on the network, collects metadata about that traffic and logs all of it, making it a powerful tool for network detection and forensics.
- Suricata is a signature-based network intrusion detection system originally developed by the Open Information Security Foundation.
- The ELK stack, for Elasticsearch, Logstash, and Kibana. The ELK stack serves as a security information and event management (SIEM) platform, receiving Security Onion’s log events from Logstash (as well as Filebeat). Elasticsearch is the search and analytics engine. Kibana is a user-interface and visualization tool.
Security Onion is set up to monitor a private network using a network interface card (NIC) that works in promiscuous mode to “sniff” all the traffic traversing the network. In practice this can be done by connecting Security Onion to a SPAN or TAP port. Since I am creating my environment virtually on a Windows desktop, I will need to create some network infrastructure that will allow me to sniff traffic with Security Onion.
The basic components of my virtual lab will be:
- A virtual machine running OPNsense, an open-source firewall and networking platform. I will use the OPNsense VM as a virtual router to create isolated virtual networks within VMware Workstation Pro, including a local area network (LAN) that the other lab virtual machines will connect to. OPNsense provides the LAN so that these virtual machines can talk to each other, and it can also connect them to the wide area network (WAN), or public internet, for things like updates. Using OPNsense also gives me the ability to connect Security Onion to the LAN and sniff traffic.
- A virtual machine running Security Onion. This tutorial will go over how to set up a Security Onion deployment that monitors the virtual lab and some basics on what Security Onion does and how to use it.
- A Kali Linux virtual machine. I’m going to use Kali to manage the OPNsense router. But the primary use of Kali Linux is for penetration testing and other security research, so I will also be using Kali to reconnoiter and attack other virtual machines on the network, generating traffic that Security Onion will identify as malicious.
- Target virtual machines. I will start with Metasploitable 3 VMs running both Ubuntu and Windows Server 2008. I may also use Metasploitable 2. These are virtual machines that intentionally include many security vulnerabilities that can be exploited with tools in Kali such as Metasploit.
Overview
This set of how-to articles will make up a tutorial on everything I needed to do to create a Security Onion-monitored virtual lab on a Windows computer. Just that part itself is a considerable amount of work… and it doesn’t always work for me. I think the articles provide good lessons on a variety of skills needed to administer virtual machines, manage a network, and more. Here’s what the first articles will cover:
-
Prepare OPNsense and Security Onion Installation Media: Instructions on downloading and validating OPNsense and Security Onion and preparing them for installation in VMware Fusion Pro.
- Note: Installation instructions for other VMs, like Kali or Metasploitable, are out of scope for this tutorial, but I hope to come back and cover them later.
- Create VMware Private Virtual Networks for the Security Onion Environment: Create private virtual networks within VMware Fusion Pro.
- Create the OPNsense Virtual Machine: Create a virtual machine where you will install and configure OPNsense.
- Configure the OPNsense Virtual Machine: Set up OPNsense and use it to create the routing capabilities you need for your private virtual networks.
- Create the Security Onion Virtual Machine: Create a virtual machine where you will install and configure Security Onion.
- Configure the Security Onion Virtual Machine: Walk through Security Onion’s installation wizard to deploy the tool.
Prerequisites
This tutorial requires you to have some familiarity with and knowledge of desktop virtualization and the Linux and Windows command lines. I created the virtual lab for this tutorial using:
- Host Computer: A Lenovo ThinkStation P520 running Windows 11. At the time of writing, my ThinkStation has 64GB of RAM, which is a lot, but perhaps not enough to do this right. I’ve been exploring Security Onion since late 2020, and over that time its architecture has changed a lot. Depending on the deployment type, Security Onion has a minimum RAM requirement of as much as 24GB, so a virtual lab running Security Onion and the other VMs (OPNsense, Kali, Metasploitable) will be slow if your host machine running the VMs does not have the processor power and RAM.
-
Virtualization Platform: VMware Workstation Pro, a Type 2 hypervisor for Windows. When I started using virtual machines at home, I tried VirtualBox, which is free, and Parallels, which I paid for. I’ve had lots of problems with both. That could be my fault. But the $199 I paid for VMware Fusion Pro for my Mac was definitely worth it. VMs I create on Fusion Pro on a Mac or on Workstation Pro on a PC work so much faster and more reliably for me.
I started using VMware Fusion Pro for Mac in 2020, and have also used more professional-grade VMware virtualization products in the workplace. VMware generally set the standard for virtualization. Since its acquisition by Broadcom peoples’ opinions have been changing about the VMware products, although both Workstation Pro and Fusion Pro are now free. I’m not sure what I think; the situation is certainly evolving.
- Command-line Interface: I use Windows PowerShell as my command-line interface on the Windows host machine.
- Web Browser: You will also need a web browser, both on the host operating system and in at least one of the VMs connected to the lab. I typically use Firefox.
I use angle brackets (< and >) to enclose placeholder text for filenames, paths, URLs, software versions, or anything where the value may be different for you than it is for me.