44 lines
2.1 KiB
Markdown
44 lines
2.1 KiB
Markdown
Access layout looks something like the below:
|
||
```
|
||
Internet
|
||
└── Shadowfeed
|
||
├<> 10.0.1.0 -- Internal Subnet
|
||
│ ├<> Core
|
||
^ │ ├── Darknet
|
||
│ │ ├── Foundation
|
||
│ │ ├── Geth
|
||
│ │ │ ├── Geth-Hubs
|
||
│ │ │ ├── Geth-Eyes
|
||
│ │ │ └── IoT API's
|
||
│ │ ├── IRC
|
||
│ │ ├── Maat
|
||
│ │ ├── Password
|
||
│ │ ├── Sharingan
|
||
│ │ ├── Singularity
|
||
│ │ ├── WolfPack
|
||
│ │ └── Yggdrasil
|
||
│ ├<> Nazara
|
||
│ ├<─ Chromecasts
|
||
│ └<─ User devices
|
||
└── 10.0.2.0 -- IoT Subnet
|
||
├── Chamberlain Garage Door
|
||
├── iRobot Housekeeping
|
||
└── Nest Thermostat
|
||
```
|
||
|
||
For more details on what runs on what host, look to [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate), particularly the `playbooks/deploy.yml` file, and the network traffic captured in [AniNIX/Sharingan](https://sharingan.aninix.net/).
|
||
|
||
The general idea here is thus:
|
||
* 10.0.1.0/24 is the service subnet, with NAT access from Shadowfeed creating a pseudo-secured DMZ for other AniNIX-controlled machines.
|
||
* SSH and HTTPS access is then filtered through the NAT controls -- typically, traffic passes through Core to ensure the right security headers get set and only the approved applications get accessed.
|
||
* This also assists in letting Core's network IDS and IPS capture threat data for Sharingan.
|
||
* It also assists in that we have a central location for WAF and SSL.
|
||
* 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any host not themselves in 10.0.0.0/8. Their DNS is also routed into
|
||
* Other 10.0.0.0/8 subnets are reserved for testing.
|
||
|
||
Ideally, only the following external ports are open:
|
||
* 22/tcp/ssh to Core, for read-write access
|
||
* 443/tcp/https to Core, for read-only access
|
||
* 6697/tcp/ircs to Core, for communication access
|
||
* Some external NAT port for bastion access to Nazara.
|