Difference between revisions of "DangerZone Network"
Revision as of 22:36, 22 May 2013
Overview
This article explains the layout of the networks in the DangerZone from the perspective of the gateway.
[Network diagram: Wifi, Public switch, NICs on box, vmserver, gateway]
Networks
There are four different networks that the gateway has to deal with.
Internet
The adapter named eth-pub has a direct connection to the top-level switch at SkullSpace, and has been assigned the IP 206.220.196.62.
Only three services are exposed to the Internet:
- SSH
- VPN
- HTTPS
All other incoming traffic is blocked.
VMs
The VMs exist in the 10.255.0.0/16 subnet, with 10.255.0.1 assigned to the eth-vms adapter. All IP addresses in this range are statically assigned.
VMs are permitted to receive connections on a case-by-case basis, as determined by the author of the challenge the VM is running. By default, all incoming connections to the VM network from the VPN and Wifi networks are blocked.
VMs have limited access to the Internet for the exclusive purpose of pulling down updates. The gateway maintains a whitelist of hostname:port pairs that are permitted from the VM network.
We assume the VMs are not under our control and may be acting at the direction of anyone on the VPN or Wifi networks.
VPN
A user who wants to reach the DangerZone from the Internet must first generate an OpenVPN certificate through the web interface. VPN users are statically assigned addresses in the 10.1.0.0/16 range. The adapter tun0 has been assigned the IP 10.1.0.1.
The VPN network is never permitted to access anything other than the Gateway's VPN adapter and the VM network. Said another way, the VPN network may never talk to the Internet or the Wifi network.
We absolutely do not trust anything that comes out of the VPN.
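The Internet, VM and VPN rules above, written out as an iptables rule set. This is an added example, not the gateway's real firewall script. The interface names eth-pub, eth-vms and tun0, the 10.255.0.0/16 and 10.1.0.0/16 ranges and the three exposed services come from this page; the Wifi adapter name, the OpenVPN port, and the whitelist and per-challenge entries are assumptions made up for illustration. The script prints the rules by default and only executes them when run with DZ_APPLY=1.

```shell
#!/bin/sh
# Added example, not the DangerZone gateway's own firewall script.
# Emits the iptables rules for the policy described above: eth-pub exposes
# only SSH, HTTPS and OpenVPN; VPN and Wifi reach the VM network only through
# per-challenge exceptions; VMs reach the Internet only via a host:port
# whitelist. Everything marked ASSUMED or SAMPLE is not from the page.

PUB=eth-pub
VMS=eth-vms
VPN=tun0
WIFI=eth-wifi       # ASSUMED: the page does not name the Wifi adapter
VPN_PORT=1194       # ASSUMED: OpenVPN's default UDP port

# SAMPLE update whitelist for the VM network, host:proto:port
VM_EGRESS="security.ubuntu.com:tcp:80 archive.ubuntu.com:tcp:80"

# SAMPLE per-challenge exceptions reachable from VPN and Wifi, vmip:proto:port
VM_INBOUND="10.255.0.10:tcp:80 10.255.0.11:tcp:22"

# Print each rule; execute it only when DZ_APPLY=1 (needs root and iptables).
rule() {
    echo "iptables $*"
    [ "${DZ_APPLY:-0}" = "1" ] && iptables "$@"
    return 0
}

dz_rules() {
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    rule -F

    # Loopback, plus replies to connections the rules below already allowed.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internet (eth-pub): only SSH, HTTPS and OpenVPN; the DROP policy
    # rejects everything else.
    rule -A INPUT -i "$PUB" -p tcp --dport 22 -j ACCEPT
    rule -A INPUT -i "$PUB" -p tcp --dport 443 -j ACCEPT
    rule -A INPUT -i "$PUB" -p udp --dport "$VPN_PORT" -j ACCEPT

    # VPN clients (10.1.0.0/16) may talk to the gateway's tun0 address only.
    rule -A INPUT -i "$VPN" -s 10.1.0.0/16 -d 10.1.0.1 -j ACCEPT

    # VPN and Wifi reach the VM network only for the listed challenge
    # services. No rule forwards tun0 to eth-pub or eth-wifi, so the FORWARD
    # DROP policy enforces "the VPN never talks to the Internet or Wifi".
    # (Wifi-to-Internet is not covered on this page; add it here if needed.)
    for src in "$VPN" "$WIFI"; do
        for e in $VM_INBOUND; do
            ip=${e%%:*}; rest=${e#*:}; proto=${rest%%:*}; port=${rest#*:}
            rule -A FORWARD -i "$src" -o "$VMS" -d "$ip" -p "$proto" --dport "$port" -j ACCEPT
        done
    done

    # VMs reach the Internet only for whitelisted update hosts. iptables
    # resolves each hostname once, when the rule is loaded, so reload the
    # rules whenever a mirror's address changes.
    for e in $VM_EGRESS; do
        host=${e%%:*}; rest=${e#*:}; proto=${rest%%:*}; port=${rest#*:}
        rule -A FORWARD -i "$VMS" -o "$PUB" -s 10.255.0.0/16 -d "$host" -p "$proto" --dport "$port" -j ACCEPT
    done

    # Log what the policy drops so challenge authors can see blocked requests.
    rule -A FORWARD -j LOG --log-prefix "dz-fwd-drop: "
}

dz_rules
```

Two caveats a practitioner would check before applying this: the whitelist alone does not let a VM resolve mirror hostnames, so DNS for the VM network (not described on this page) has to be handled separately, and a hostname that resolves to several addresses only gets the addresses returned at load time.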
Wifi