Wiki/Layouts/Diagrams.md
2022-04-19 11:58:53 -05:00

2.1 KiB

Access layout looks something like the below:

Internet
└── Shadowfeed
    ├<> 10.0.1.0 -- Internal Subnet
    │   ├<> Core
    ^   │   ├── Darknet
    │   │   ├── Foundation
    │   │   ├── Geth
    │   │   │   ├── Geth-Hubs
    │   │   │   ├── Geth-Eyes
    │   │   │   └── IoT API's
    │   │   ├── IRC
    │   │   ├── Maat
    │   │   ├── Password
    │   │   ├── Sharingan
    │   │   ├── Singularity
    │   │   ├── WolfPack
    │   │   └── Yggdrasil
    │   ├<> Nazara
    │   ├<─ Chromecasts
    │   └<─ User devices 
    └── 10.0.2.0 -- IoT Subnet
        ├── Chamberlain Garage Door
        ├── iRobot Housekeeping
        └── Nest Thermostat

For more details on what runs on what host, look to AniNIX/Ubiqtorate, particularly the playbooks/deploy.yml file, and the network traffic captured in AniNIX/Sharingan.

The general idea here is thus:

  • 10.0.1.0/24 is the service subnet, with NAT access from Shadowfeed creating a pseudo-secured DMZ for other AniNIX-controlled machines.
    • SSH and HTTPS access is then filtered through the NAT controls -- typically, traffic passes through Core to ensure the right security headers get set and only the approved applications get accessed.
    • This also assists in letting Core's network IDS and IPS capture threat data for Sharingan.
    • It also assists in that we have a central location for WAF and SSL.
  • 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8. Their DNS is also routed into
  • Other 10.0.0.0/8 subnets are reserved for testing.

Ideally, only the following external ports are open:

  • 22/tcp/ssh to Core, for read-write access
  • 443/tcp/https to Core, for read-only access
  • 6697/tcp/ircs to Core, for communication access
  • Some external NAT port for bastion access to Nazara.