Updating diagram

1 year ago · 8a339a1255
parent 3218a08c1d
commit 8a339a1255
1 changed files with 23 additions and 19 deletions
--- a/Layouts/Diagrams.md
+++ b/Layouts/Diagrams.md
@ -2,22 +2,28 @@ Access layout looks something like the below:
 ```
 Internet
 └── Shadowfeed
-    ├<> 10.0.1.0
-    │   ├── Core
+    ├<> 10.0.1.0 -- Internal Subnet
+    │   ├<> Core
    ^   │   ├── Darknet
-    │   │   ├── Geth-Hub-N
+    │   │   ├── Foundation
+    │   │   ├── Geth
+    │   │   │   ├── Geth-Hubs
+    │   │   │   ├── Geth-Eyes
+    │   │   │   └── IoT API's
+    │   │   ├── IRC
    │   │   ├── Maat
-    │   │   ├── MaatBuilder
-    │   │   └── Sharingan
-    │   └── Nazara
-    ├── 10.0.2.0
-    │   ├── Chamberlain
-    ^   ├── iRobot
-    │   └── Nest
-    └── 10.0.3.0
-        ├── Games
-        ├── Tachikoma
-        └── Tricorder
+    │   │   ├── Password
+    │   │   ├── Sharingan
+    │   │   ├── Singularity
+    │   │   ├── WolfPack
+    │   │   └── Yggdrasil
+    │   ├<> Nazara
+    │   ├<─ Chromecasts
+    │   └<─ User devices 
+    └── 10.0.2.0 -- IoT Subnet
+        ├── Chamberlain Garage Door
+        ├── iRobot Housekeeping
+        └── Nest Thermostat
 ```

 For more details on what runs on what host, look to [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate), particularly the `playbooks/deploy.yml` file, and the network traffic captured in [AniNIX/Sharingan](https://sharingan.aninix.net/).
@ -26,14 +32,12 @@ The general idea here is thus:
 * 10.0.1.0/24 is the service subnet, with NAT access from Shadowfeed creating a pseudo-secured DMZ for other AniNIX-controlled machines. 
  * SSH and HTTPS access is then filtered through the NAT controls -- typically, traffic passes through Core to ensure the right security headers get set and only the approved applications get accessed. 
  * This also assists in letting Core's network IDS and IPS capture threat data for Sharingan.
-  * It also assists in that 
-* 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8.
-* 10.0.3.0/24 is the user subnet -- machines here can access the external world and 10.0.1.0/24 but not 10.0.2.0/24.
+  * It also assists in that we have a central location for WAF and SSL.
+* 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8. Their DNS is also routed into
+* Other 10.0.0.0/8 subnets are reserved for testing.

 Ideally, only the following external ports are open: 
 * 22/tcp/ssh to Core, for read-write access
 * 443/tcp/https to Core, for read-only access
 * 6697/tcp/ircs to Core, for communication access
 * Some external NAT port for bastion access to Nazara.
-
-This ideal isn't currently met, due to some application limitations, but we're working on it.