Updating diagram

This commit is contained in:
DarkFeather 2022-04-19 11:58:53 -05:00
parent 3218a08c1d
commit 8a339a1255
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
1 changed files with 23 additions and 19 deletions

View File

@ -2,22 +2,28 @@ Access layout looks something like the below:
``` ```
Internet Internet
└── Shadowfeed └── Shadowfeed
<> 10.0.1.0 <> 10.0.1.0 -- Internal Subnet
│   ├── Core │   ├<> Core
^   │   ├── Darknet ^   │   ├── Darknet
│   │   ├── Geth-Hub-N │   │   ├── Foundation
│   │   ├── Geth
│   │   │ ├── Geth-Hubs
│   │   │ ├── Geth-Eyes
│   │   │ └── IoT API's
│   │   ├── IRC
│   │   ├── Maat │   │   ├── Maat
│   │   ├── MaatBuilder │   │   ├── Password
│   │   └── Sharingan │   │   ├── Sharingan
│   └── Nazara │   │   ├── Singularity
├── 10.0.2.0 │   │   ├── WolfPack
│   ├── Chamberlain │   │   └── Yggdrasil
^   ├── iRobot │   ├<> Nazara
│   └── Nest │   ├<─ Chromecasts
└── 10.0.3.0 │   └<─ User devices
├── Games └── 10.0.2.0 -- IoT Subnet
├── Tachikoma    ├── Chamberlain Garage Door
└── Tricorder    ├── iRobot Housekeeping
   └── Nest Thermostat
``` ```
For more details on what runs on what host, look to [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate), particularly the `playbooks/deploy.yml` file, and the network traffic captured in [AniNIX/Sharingan](https://sharingan.aninix.net/). For more details on what runs on what host, look to [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate), particularly the `playbooks/deploy.yml` file, and the network traffic captured in [AniNIX/Sharingan](https://sharingan.aninix.net/).
@ -26,14 +32,12 @@ The general idea here is thus:
* 10.0.1.0/24 is the service subnet, with NAT access from Shadowfeed creating a pseudo-secured DMZ for other AniNIX-controlled machines. * 10.0.1.0/24 is the service subnet, with NAT access from Shadowfeed creating a pseudo-secured DMZ for other AniNIX-controlled machines.
* SSH and HTTPS access is then filtered through the NAT controls -- typically, traffic passes through Core to ensure the right security headers get set and only the approved applications get accessed. * SSH and HTTPS access is then filtered through the NAT controls -- typically, traffic passes through Core to ensure the right security headers get set and only the approved applications get accessed.
* This also assists in letting Core's network IDS and IPS capture threat data for Sharingan. * This also assists in letting Core's network IDS and IPS capture threat data for Sharingan.
* It also assists in that * It also assists in that we have a central location for WAF and SSL.
* 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8. * 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8. Their DNS is also routed into
* 10.0.3.0/24 is the user subnet -- machines here can access the external world and 10.0.1.0/24 but not 10.0.2.0/24. * Other 10.0.0.0/8 subnets are reserved for testing.
Ideally, only the following external ports are open: Ideally, only the following external ports are open:
* 22/tcp/ssh to Core, for read-write access * 22/tcp/ssh to Core, for read-write access
* 443/tcp/https to Core, for read-only access * 443/tcp/https to Core, for read-only access
* 6697/tcp/ircs to Core, for communication access * 6697/tcp/ircs to Core, for communication access
* Some external NAT port for bastion access to Nazara. * Some external NAT port for bastion access to Nazara.
This ideal isn't currently met, due to some application limitations, but we're working on it.