From 8a339a1255813f2365dab02f7b35a9e67d936d01 Mon Sep 17 00:00:00 2001 From: DarkFeather Date: Tue, 19 Apr 2022 11:58:53 -0500 Subject: [PATCH] Updating diagram --- Layouts/Diagrams.md | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/Layouts/Diagrams.md b/Layouts/Diagrams.md index 0babb04..b4c4028 100644 --- a/Layouts/Diagrams.md +++ b/Layouts/Diagrams.md @@ -2,22 +2,28 @@ Access layout looks something like the below: ``` Internet └── Shadowfeed - ├<> 10.0.1.0 - │   ├── Core + ├<> 10.0.1.0 -- Internal Subnet + │   ├<> Core ^   │   ├── Darknet - │   │   ├── Geth-Hub-N + │   │   ├── Foundation + │   │   ├── Geth + │   │   │ ├── Geth-Hubs + │   │   │ ├── Geth-Eyes + │   │   │ └── IoT API's + │   │   ├── IRC │   │   ├── Maat - │   │   ├── MaatBuilder - │   │   └── Sharingan - │   └── Nazara - ├── 10.0.2.0 - │   ├── Chamberlain - ^   ├── iRobot - │   └── Nest - └── 10.0.3.0 - ├── Games - ├── Tachikoma - └── Tricorder + │   │   ├── Password + │   │   ├── Sharingan + │   │   ├── Singularity + │   │   ├── WolfPack + │   │   └── Yggdrasil + │   ├<> Nazara + │   ├<─ Chromecasts + │   └<─ User devices + └── 10.0.2.0 -- IoT Subnet +    ├── Chamberlain Garage Door +    ├── iRobot Housekeeping +    └── Nest Thermostat ``` For more details on what runs on what host, look to [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate), particularly the `playbooks/deploy.yml` file, and the network traffic captured in [AniNIX/Sharingan](https://sharingan.aninix.net/). 
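Review bot: The connectors introduced in the diagram, `├<>` on `10.0.1.0 -- Internal Subnet`, `Core` and `Nazara` and `├<─` on `Chromecasts` and `User devices`, are never defined anywhere in `Layouts/Diagrams.md`; add a short key under the fence stating what `<>` and `<─` denote as opposed to plain `──`, since that distinction is the only place the diagram records how those hosts are reached. Two smaller points in the same block: the context row `^   │   ├── Darknet` still carries a `^` where every other row uses `│`, and the new Geth children (`│   │   │ ├── Geth-Hubs`, `Geth-Eyes`, `IoT API's`) are indented one column short of their siblings, so the tree renders unevenly.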
@@ -26,14 +32,12 @@ The general idea here is thus: * 10.0.1.0/24 is the service subnet, with NAT access from Shadowfeed creating a pseudo-secured DMZ for other AniNIX-controlled machines. * SSH and HTTPS access is then filtered through the NAT controls -- typically, traffic passes through Core to ensure the right security headers get set and only the approved applications get accessed. * This also assists in letting Core's network IDS and IPS capture threat data for Sharingan. - * It also assists in that -* 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8. -* 10.0.3.0/24 is the user subnet -- machines here can access the external world and 10.0.1.0/24 but not 10.0.2.0/24. + * It also assists in that we have a central location for WAF and SSL. +* 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8. Their DNS is also routed into +* Other 10.0.0.0/8 subnets are reserved for testing. Ideally, only the following external ports are open: * 22/tcp/ssh to Core, for read-write access * 443/tcp/https to Core, for read-only access * 6697/tcp/ircs to Core, for communication access * Some external NAT port for bastion access to Nazara. - -This ideal isn't currently met, due to some application limitations, but we're working on it.
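Review bot: The added bullet `* 10.0.2.0/24 is the vendor subnet -- ... Their DNS is also routed into` ends mid-sentence; either finish it (where vendor DNS is routed, and whether it is filtered there) or drop the fragment before merging. Two further points: the removed `10.0.3.0/24 is the user subnet` bullet has no replacement saying where user devices and Chromecasts now live and what they may reach, while the context line `10.0.1.0/24 is the service subnet ... pseudo-secured DMZ for other AniNIX-controlled machines` is left unchanged, so the segmentation between untrusted user devices and the service hosts is no longer documented; add a bullet covering them. Also, deleting `This ideal isn't currently met, due to some application limitations, but we're working on it.` implies the port list is now enforced; if it is not, keep a note to that effect, since readers will treat the list as the actual external exposure.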