This repo will hold the basic information and documentation around the digital and physical assets and projects for the AniNIX network.

Access layout looks something like the below:

Internet
└── Shadowfeed
    ├── 10.0.1.0
    │   ├── Core
    │   │   ├── Darknet
    │   │   ├── Geth-Hub-N
    │   │   ├── Maat
    │   │   ├── MaatBuilder
    │   │   └── Sharingan
    │   └── Nazara
    ├── 10.0.2.0
    │   ├── Chamberlain
    │   ├── iRobot
    │   └── Nest
    └── 10.0.3.0
        ├── Games
        ├── Tachikoma
        └── Tricorder

For more details on what runs on what host, look to AniNIX/Ubiqtorate, particularly the playbooks/deploy.yml file, and the network traffic captured in AniNIX/Sharingan.

The general idea here is thus:

  • 10.0.1.0/24 is the service subnet, with NAT access from Shadowfeed creating a pseudo-secured DMZ for other AniNIX-controlled machines.
    • SSH and HTTPS access is then filtered by the NAT rules -- typically, inbound traffic passes through Core so that the right security headers get set and only the approved applications can be reached.
    • This also assists in letting Core's network IDS and IPS capture threat data for Sharingan.
    • It also assists in that
  • 10.0.2.0/24 is the vendor subnet -- machines here get external access but no access to any other host in 10.0.0.0/8.
  • 10.0.3.0/24 is the user subnet -- machines here can access the external world and 10.0.1.0/24 but not 10.0.2.0/24.

Ideally, only the following external ports are open:

  • 22/tcp/ssh to Core, for read-write access
  • 443/tcp/https to Core, for read-only access
  • 6697/tcp/ircs to Core, for communication access
  • Some external NAT port for bastion access to Nazara.

This ideal isn't currently met, due to some application limitations, but we're working on it.
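To make the subnet rules above concrete, here is a small policy model that decides whether a new flow between two addresses should be permitted, and renders the same policy as nftables forward-chain rules. This is an added example, not code from AniNIX or the Ubiqtorate playbooks: Core's address (10.0.1.10), the sample flows, and the nft rendering are assumptions for illustration, flows the page does not mention are denied by default, and the Nazara bastion forward is left out because the page gives no port for it.

```python
"""Policy model for the AniNIX subnet layout described above.

Added example, not code from AniNIX/Ubiqtorate: the host addresses
(CORE and the sample flows) are assumed for illustration, and flows the
page does not mention are denied by default.
"""
import ipaddress

SITE = ipaddress.ip_network("10.0.0.0/8")
SERVICE = ipaddress.ip_network("10.0.1.0/24")   # NAT'd DMZ behind Shadowfeed
VENDOR = ipaddress.ip_network("10.0.2.0/24")    # vendor gear: Internet only
USER = ipaddress.ip_network("10.0.3.0/24")      # user machines

# Assumed address for Core; the page names the host but not its IP.
CORE = ipaddress.ip_address("10.0.1.10")

# Ideal external exposure from the page: ssh, https and ircs to Core.
# The Nazara bastion port is omitted because the page gives no number.
EXTERNAL_ALLOW = {("tcp", 22), ("tcp", 443), ("tcp", 6697)}


def flow_allowed(src, dst, proto="tcp", port=443):
    """Return True if a new flow src -> dst:port should be permitted.

    Only connection initiation is modelled; a stateful firewall accepts
    the reply packets of an allowed flow on its own.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)

    if src not in SITE:
        # Inbound from the Internet: only Shadowfeed's NAT forwards to Core.
        return dst == CORE and (proto, port) in EXTERNAL_ALLOW
    if dst not in SITE:
        # Outbound: every subnet may reach the outside world.
        return True
    if src == dst:
        return True
    if src in VENDOR or dst in VENDOR:
        # Vendor hosts are isolated from every other 10.0.0.0/8 host.
        return False
    if src in USER:
        # Users reach the service DMZ but nothing else internally.
        return dst in SERVICE
    if src in SERVICE:
        # Core proxies to the approved applications beside it in the DMZ;
        # service hosts reaching user machines is unspecified, so denied.
        return dst in SERVICE
    return False


def nft_forward_rules():
    """Render the policy as nftables forward-chain rules.

    Illustrative only: the page does not show Shadowfeed's real firewall.
    The Internet -> Core rules assume DNAT already happened in prerouting,
    so the forward chain sees Core's internal address as the destination.
    """
    rules = [
        "ct state established,related accept",
        f"ip saddr {SITE} ip daddr != {SITE} accept",
    ]
    for proto, port in sorted(EXTERNAL_ALLOW):
        rules.append(f"ip saddr != {SITE} ip daddr {CORE} {proto} dport {port} accept")
    rules += [
        f"ip saddr {USER} ip daddr {SERVICE} accept",
        f"ip saddr {SERVICE} ip daddr {SERVICE} accept",
        "drop",
    ]
    return rules


if __name__ == "__main__":
    # Constructed sample flows (addresses are assumptions, not from the page).
    samples = [
        ("203.0.113.5", "10.0.1.10", 443),   # Internet -> Core https
        ("203.0.113.5", "10.0.1.20", 443),   # Internet -> another DMZ host
        ("10.0.3.5", "10.0.2.7", 22),        # user -> vendor
        ("10.0.2.7", "198.51.100.1", 443),   # vendor -> Internet
    ]
    for src, dst, port in samples:
        verdict = "allow" if flow_allowed(src, dst, "tcp", port) else "deny"
        print(f"{src} -> {dst}:{port}  {verdict}")
    print("\n".join(nft_forward_rules()))
```

The model is deliberately default-deny: anything the page does not explicitly permit (service hosts initiating connections to user machines, vendor hosts talking to each other) is refused, which is the posture a practitioner should start from when turning a prose policy into firewall rules and then relax only with a documented reason.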