Wiki/Layouts/Security_Layout.md


This page details the security hierarchy of the AniNIX, which is layered as described in the following sections.
# Physical security
Physical security includes storing the [[Forge2]] in a locked second-floor building. [[Cerberus]] offers reporting on events in this location. Admins are co-located at this location and are trained in combat and close-quarters defense. Physical intrusions will be rebuffed to the fullest extent of the law.
# Network/Software protection
{{Organizer|Firewall|
{{Organizer|Shadowfeed|
{{Organizer|Trusted DMZ|
{{Reference|DarkNet}}
{{Organizer|Core|
{{Organizer|Cerberus|
{{Organizer|Firewall|
Most of the services in the AniNIX are monitored by network-level intrusion detection.
## Open-access Services
{{Reference|WebServer}}{{Reference|TheRaven}}{{Reference|Foundation}}{{Reference|Heartbeat}}
## Password-Restricted Services
{{Reference|IRC}}{{Reference|Wiki}}{{Reference|Yggdrasil}}
## Remote Access
{{Organizer|Cerberus|
The SSH service supports password and key authentication.
{{Reference|SSH}}
|Cerberus}}
}}
|Cerberus}}
|Core}}
{{Organizer|Windows|
{{Organizer|Firewall|
{{Reference|Games}}
}}
|Windows}}
}}
{{Organizer|Guest DMZ|
Any visitors to the AniNIX premises are given access to the outside Internet via the Shadowfeed, but this access is isolated from AniNIX systems.
}}
|Shadowfeed}}
}}
# Filesystem security
{{Organizer|Forge2|
{{Organizer|Cerberus|
{{Organizer|VirusScan|
The Hypervisor content lives here.
|VirusScan}}
|Cerberus}}
{{Organizer|Core|
{{Organizer|LUKS-on-LVM Volume|
{{Organizer|Cerberus|
{{Organizer|VirusScan|
Most of the data lives inside these layers.
|VirusScan}}
|Cerberus}}
}}
|Core}}
{{Organizer|Windows|
{{Organizer|VirusScan|
The Windows data lives here.
|VirusScan}}
|Windows}}
|Forge2}}
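
One way to confirm on a host that data really sits in a LUKS-on-LVM volume, as the Core layout above describes. This is an added example, not AniNIX's own tooling: it classifies each mount point's layering from `lsblk --json -o NAME,TYPE,MOUNTPOINT` output, and the device names, mount points and function names are constructed for illustration.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` output; device
# names and mount points are made up for illustration.
SAMPLE = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "vg-data", "type": "lvm", "mountpoint": null, "children": [
        {"name": "cryptdata", "type": "crypt", "mountpoint": "/srv"}]},
      {"name": "vg-scratch", "type": "lvm", "mountpoint": "/scratch"}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "cryptsdb", "type": "crypt", "mountpoint": null, "children": [
      {"name": "vg2-home", "type": "lvm", "mountpoint": "/home"}]}]}
]}
"""

def mount_stacks(lsblk_json):
    """Map each mount point to its device-type stack, outermost device first."""
    stacks = {}
    def walk(node, types):
        types = types + [node["type"]]
        if node.get("mountpoint"):
            stacks[node["mountpoint"]] = types
        # lsblk omits "children" on leaf devices.
        for child in node.get("children", []):
            walk(child, types)
    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, [])
    return stacks

def classify(types):
    """Return 'luks-on-lvm', 'lvm-on-luks', 'luks' or 'unencrypted' for one stack."""
    if "crypt" not in types:
        return "unencrypted"
    if "lvm" not in types:
        return "luks"
    # The layer listed later in the stack sits on top of the earlier one.
    return "luks-on-lvm" if types.index("lvm") < types.index("crypt") else "lvm-on-luks"

def audit(lsblk_json):
    """Classify the layering under every mount point in the lsblk output."""
    return {mp: classify(t) for mp, t in mount_stacks(lsblk_json).items()}

if __name__ == "__main__":
    for mountpoint, layering in sorted(audit(SAMPLE).items()):
        print(f"{mountpoint:10} {layering}")
```

Any mount point reported as `unencrypted` or `lvm-on-luks` does not match the LUKS-on-LVM layering this page lists for Core.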
# Backups
[[Windows]] and [[Core]] are backed up locally on mirrored, non-RAID disks. They are also backed up from the [[Forge2]] to a 4TB hard drive kept in an off-site safety deposit box in a bank, making it very difficult to destroy all copies of these hosts.
Should all backups be lost, the [[Aether]] project also backs up Core's critical configuration files and a list of files in [[Yggdrasil]] to an anonymous list of servers. [[Grimoire]]'s databases are independently archived to a password-based tarball and stored in cloud storage.
[[Category:Security]]
[[Category:Layout]]