Access layout looks something like the below:

```
Internet
└── Shadowfeed
    ├<> 10.0.1.0 -- Internal Subnet
    │   ├<> Core
    ^   │   ├── Darknet
    │   │   ├── Foundation
    │   │   ├── Geth
    │   │   │   ├── Geth-Hubs
    │   │   │   ├── Geth-Eyes
    │   │   │   └── IoT API's
    │   │   ├── IRC
    │   │   ├── Maat
    │   │   ├── Password
    │   │   ├── Sharingan
    │   │   ├── Singularity
    │   │   ├── WolfPack
    │   │   └── Yggdrasil
    │   ├<> Nazara
    │   ├<─ Chromecasts
    │   └<─ User devices
    └── 10.0.2.0 -- IoT Subnet
        ├── Chamberlain Garage Door
        ├── iRobot Housekeeping
        └── Nest Thermostat
```

For more details on what runs on what host, look to [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate), particularly the `playbooks/deploy.yml` file, and the network traffic captured in [AniNIX/Sharingan](https://sharingan.aninix.net/).

The general idea here is thus:

* 10.0.1.0/24 is the service subnet, with NAT access from Shadowfeed creating a pseudo-secured DMZ for other AniNIX-controlled machines.
* SSH and HTTPS access is then filtered through the NAT controls -- typically, traffic passes through Core to ensure the right security headers get set and only the approved applications get accessed.
  * This also assists in letting Core's network IDS and IPS capture threat data for Sharingan.
  * It also assists in that we have a central location for WAF and SSL.
* 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8. Their DNS is also routed into
* Other 10.0.0.0/8 subnets are reserved for testing.

Ideally, only the following external ports are open:

* 22/tcp/ssh to Core, for read-write access
* 443/tcp/https to Core, for read-only access
* 6697/tcp/ircs to Core, for communication access
* Some external NAT port for bastion access to Nazara.
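The segmentation and port policy above, written as a first-match rule model so the stated invariants can be checked before they are committed to the real NAT and firewall rules. This is an added example, not AniNIX's own configuration; Core's and Nazara's addresses, the bastion NAT port, and the test flows (10.0.1.20, 10.0.2.10, the documentation ranges) are constructed placeholders the page does not state.

```python
from ipaddress import ip_address, ip_network

ANY = None                                  # wildcard for src, dst or port
SERVICE_NET = ip_network("10.0.1.0/24")     # pseudo-DMZ behind Shadowfeed's NAT
VENDOR_NET = ip_network("10.0.2.0/24")      # IoT / vendor subnet
ANINIX_NET = ip_network("10.0.0.0/8")       # every AniNIX-controlled range
CORE = ip_network("10.0.1.2/32")            # placeholder address, not from the page
NAZARA = ip_network("10.0.1.3/32")          # placeholder address, not from the page
NAZARA_BASTION_PORT = 2222                  # placeholder for the external NAT port

# First-match policy: (src, dst, dst_port, verdict). Order matters: the vendor
# deny sits before every allow so IoT devices can never reach 10.0.0.0/8.
RULES = [
    (VENDOR_NET, ANINIX_NET, ANY, "deny"),       # IoT -> any AniNIX host: blocked
    (VENDOR_NET, ANY, ANY, "allow"),             # IoT -> Internet: vendor clouds
    (SERVICE_NET, ANY, ANY, "allow"),            # service subnet egress (assumed)
    (ANY, CORE, 22, "allow"),                    # ssh, read-write
    (ANY, CORE, 443, "allow"),                   # https, read-only, WAF/TLS on Core
    (ANY, CORE, 6697, "allow"),                  # ircs
    (ANY, NAZARA, NAZARA_BASTION_PORT, "allow"), # bastion reach to Nazara
]
DEFAULT = "deny"  # anything unpublished from the Internet is dropped


def verdict(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow; the first matching rule wins."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_port, action in RULES:
        if ((rule_src is ANY or s in rule_src)
                and (rule_dst is ANY or d in rule_dst)
                and (rule_port is ANY or port == rule_port)):
            return action
    return DEFAULT


def check_invariants() -> list:
    """Constructed flows encoding the page's intent; returns the ones that fail."""
    expected = [
        ("203.0.113.7", "10.0.1.2", 22, "allow"),    # Internet -> Core ssh
        ("203.0.113.7", "10.0.1.2", 443, "allow"),   # Internet -> Core https
        ("203.0.113.7", "10.0.1.2", 6697, "allow"),  # Internet -> Core ircs
        ("203.0.113.7", "10.0.1.2", 8080, "deny"),   # unpublished port on Core
        ("203.0.113.7", "10.0.1.20", 443, "deny"),   # reaching a service past Core
        ("10.0.2.10", "198.51.100.5", 443, "allow"), # Nest -> vendor cloud
        ("10.0.2.10", "10.0.1.2", 443, "deny"),      # IoT -> Core web
        ("10.0.2.10", "10.0.1.20", 22, "deny"),      # IoT -> internal service
    ]
    return [(s, d, p, want, verdict(s, d, p))
            for s, d, p, want in expected if verdict(s, d, p) != want]
```

An empty list from `check_invariants()` means the model honours the intent; a non-empty one lists the flow, the verdict wanted and the verdict given.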