Architecting an Enterprise SOC Foundation using Proxmox VE and Hardened Debian 13 Trixie Nodes

architecting an enterprise soc foundation using proxmox ve and hardened debian 13 trixie nodes solideinfo

If you’re reading this, you’re probably tired of spinning up “test” VMs that leak into production, or you’ve been burned by a flat network where a misconfigured DHCP server takes down the whole lab. I’ve been there. After 20 years in Tier 3 SOCs, I’ve learned that a solid Proxmox VE SOC infrastructure isn’t just about virtualization—it’s about engineering isolation, performance, and repeatability.

This is the first in a three‑part series where we build an enterprise‑grade security operations platform from the bare metal up. We’ll start with the hypervisor and OS layer, move to network visibility with Suricata, and finish with a distributed Wazuh XDR cluster. Every command, every config file, and every architecture diagram is pulled from a live deployment. Let’s get to work.

Why Proxmox? Why Debian 13?

I’ve used VMware, Hyper‑V, and even KVM from scratch. Proxmox sits in the sweet spot: open‑source, enterprise‑ready, and with a web UI that doesn’t make you want to throw your laptop. For SOC work, we need snapshotting, easy backups, and the ability to simulate complex networks without bleeding money.

Sponsored

Debian 13 (Trixie) was chosen because it’s the latest stable release with a modern kernel (6.12.73) that plays nicely with modern hardware and VirtIO drivers. It’s also what we’ll use for all our VM guests—consistency matters.

Let’s look at the physical host we’re building on. This is a Dell PowerEdge with an Intel Xeon Silver 4310 and 15 GB RAM. Plenty for a lab, but we’ll treat it like production.

bash

The host has six network interfaces—two on one controller (nic0/nic1) and four on another (nic2‑nic5). We’ll use one for management (nic2) and one dedicated for SPAN traffic (nic3). The rest are spares.

Network Isolation: VLANs, Bridges, and the SPAN Port

The biggest mistake I see in SOC labs is running everything on a single bridge. That’s fine for learning, but when you’re mirroring production traffic, you want absolute separation. We’ll use two bridges:

  • vmbr0 – management and general VM traffic (connected to nic2)
  • vmbr1 – dedicated SPAN bridge (connected to nic3) that will feed our Suricata sensor.

We also configured a SPAN session on the upstream switch to copy traffic from the core uplink port to port 24, which is physically wired to nic3. No VLAN tagging is involved—the mirror port sends raw Ethernet frames, which is exactly what we want for IDS.

Here’s how the interfaces look after configuration:

Bash

The SPAN bridge has no IP address—it’s a pure passthrough. The VM that will run Suricata will have its capture interface connected to this bridge, also without an IP. That’s how we stay invisible.

Hardening the Hypervisor

Before we create any VMs, we need to lock down Proxmox itself. Debian 13 ships with a fairly tight default configuration, but we’ll go further:

  1. Disable unused services – We’re not running a mail server, so postfix is removed.
  2. Set up firewall rules – Only allow SSH from management VLAN and restrict Proxmox web GUI.
  3. Enable automatic security updates – Because nobody wants to wake up to a zero‑day.

I won’t bore you with a complete STIG checklist, but here’s a snippet of the iptables rules we applied on the host:

bash

We also set net.ipv4.ip_forward=1 because later we might need to route between bridges, but for now it’s just a precaution.

Virtual Machines: Minimal but Purpose‑Built

We’ll deploy four Debian 13 VMs, each with a specific role. I like to keep them lean: 2 vCPUs, 4 GB RAM for the heavy ones, 2 GB for the dashboard. All use VirtIO for disk and network for best performance.

Here’s the inventory we built from the ground up:

RoleVM NameIP AddressvCPURAMDisk
Wazuh Indexerxdr-indexer-0110.0.68.224 GB100 GB
Wazuh Managerxdr-manager-0110.0.155.18324 GB50 GB
Wazuh Dashboardwzh-dash-0110.0.254.23922 GB20 GB
Suricata IDSsrv-ids-0110.0.167.15424 GB50 GB

Each VM gets a static IP via DHCP reservation (or manual config) and is hardened similarly to the host.

The Infrastructure Blueprint

Visualizing the logical separation helps new team members understand the topology. Here’s a Graphviz diagram of our current setup (all VMs on one physical host for now, but ready for HA).

the infrastructure blueprint

The SPAN bridge (vmbr1) is not connected to anything else—it only talks to the Suricata VM’s capture interface. That way, no management traffic leaks onto the mirror port.

Next: From Hypervisor to Network Visibility


Discover more from Solide Info | The Engineer’s Authority on Cyber Defense

Subscribe to get the latest posts sent to your email.