40 lines
1.8 KiB
Markdown
40 lines
1.8 KiB
Markdown
|
Access layout looks something like the below:
|
|||
|
|
```
|
|||
|
|
Internet
|
|||
|
|
└── Shadowfeed
|
|||
|
|
├<> 10.0.1.0
|
|||
|
|
│ ├── Core
|
|||
|
|
^ │ ├── Darknet
|
|||
|
|
│ │ ├── Geth-Hub-N
|
|||
|
|
│ │ ├── Maat
|
|||
|
|
│ │ ├── MaatBuilder
|
|||
|
|
│ │ └── Sharingan
|
|||
|
|
│ └── Nazara
|
|||
|
|
├── 10.0.2.0
|
|||
|
|
│ ├── Chamberlain
|
|||
|
|
^ ├── iRobot
|
|||
|
|
│ └── Nest
|
|||
|
|
└── 10.0.3.0
|
|||
|
|
├── Games
|
|||
|
|
├── Tachikoma
|
|||
|
|
└── Tricorder
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
For more details on what runs on what host, look to [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate), particularly the `playbooks/deploy.yml` file, and the network traffic captured in [AniNIX/Sharingan](https://sharingan.aninix.net/).
|
|||
|
|
|
|||
|
|
The general idea here is thus:
|
|||
|
|
* 10.0.1.0/24 is the service subnet, with NAT access from Shadowfeed creating a pseudo-secured DMZ for other AniNIX-controlled machines.
|
|||
|
|
* SSH and HTTPS access is then filtered through the NAT controls -- typically, traffic passes through Core to ensure the right security headers get set and only the approved applications get accessed.
|
|||
|
|
* This also assists in letting Core's network IDS and IPS capture threat data for Sharingan.
|
|||
|
|
* It also assists in that
|
|||
|
|
* 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8.
|
|||
|
|
* 10.0.3.0/24 is the user subnet -- machines here can access the external world and 10.0.1.0/24 but not 10.0.2.0/24.
|
|||
|
|
|
|||
|
|
Ideally, only the following external ports are open:
|
|||
|
|
* 22/tcp/ssh to Core, for read-write access
|
|||
|
|
* 443/tcp/https to Core, for read-only access
|
|||
|
|
* 6697/tcp/ircs to Core, for communication access
|
|||
|
|
* Some external NAT port for bastion access to Nazara.
|
|||
|
|
|
|||
|
|
This ideal isn't currently met, due to some application limitations, but we're working on it.
|