Difference between revisions of "DangerZone Network"

From SkullSpace Wiki
Jump to navigation Jump to search
(Wifi)
m
 
(19 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
{{Archived}}
 +
[[Category:Networking]]
 +
 
=Overview=
 
=Overview=
  
This article explains the layout of the networks in the DangerZone from the perspective of the gateway.
+
This article explains the layout of the networks in the [http://en.wikipedia.org/wiki/Danger_Zone_%28song%29 DangerZone] from the perspective of the gateway.
  
 
Wifi
 
Wifi
Line 27: Line 30:
 
==VMs==
 
==VMs==
  
The VMs exist in the <tt>10.255.0.0/16</tt> subnet, with <tt>10.255.0.1</tt> assigned to the <tt>eth-vms</tt> adapter. All IP addresses in this range are statically assigned.
+
The VMs exist in the <tt>10.224.0.0/11</tt> subnet, with <tt>10.224.0.1</tt> assigned to the <tt>eth-vms</tt> adapter. All IP addresses in this range are statically assigned. This range was chosen because it is the least likely to conflict with a user's home network or other VPN that they are using.
  
 
VMs are permitted to receive connections on a case-by-case basis, as determined by the author of the challenge the VM is running. By default, all incoming connections to the VM network from the VPN and Wifi networks are blocked.
 
VMs are permitted to receive connections on a case-by-case basis, as determined by the author of the challenge the VM is running. By default, all incoming connections to the VM network from the VPN and Wifi networks are blocked.
Line 37: Line 40:
 
==VPN==
 
==VPN==
  
When a user wishes to access the DangerZone from the Internet, the web interface must be used to generate an OpenVPN certificate. VPN users are statically assigned addresses in the <tt>10.1.0.0/16<tt> range. The adapter <tt>tun0</tt> has been assigned the IP <tt>10.1.0.1</tt>.
+
When a user wishes to access the DangerZone from the Internet, the web interface must be used to generate an OpenVPN certificate. VPN users are statically assigned addresses in the <tt>10.192.0.0/11</tt> range. The adapter <tt>tun0</tt> has been assigned the IP <tt>10.192.0.1</tt>.
  
 
The VPN network is never permitted to access anything other than the Gateway's VPN adapter and the VM network. Said another way, the VPN network may never talk to the Internet or the Wifi network.
 
The VPN network is never permitted to access anything other than the Gateway's VPN adapter and the VM network. Said another way, the VPN network may never talk to the Internet or the Wifi network.
Line 47: Line 50:
 
==Wifi==
 
==Wifi==
  
When a user accesses the Wifi network, they will get an dynamically-assigned IP from a DHCP server in the <tt>10.0.0.0/16</tt> subnet which should be good for a week. The gateway's <tt>eth-wifi</tt> adapter is connected to this network, in fact it has a direct connection to the access point, and is assigned the IP <tt>10.0.0.1</tt>.
+
When a user accesses the Wifi network, they will get an dynamically-assigned IP from a DHCP server in the <tt>10.0.0.0/11</tt> subnet which should be good for a week. The gateway's <tt>eth-wifi</tt> adapter is connected to this network, in fact it has a direct connection to the access point, and is assigned the IP <tt>10.0.0.1</tt>. This address range was assigned to the Wifi network because it is the most likely to conflict with a user's home network, and when they're at SkullSpace we know it's not going to conflict.
  
 
Users connected over to the Wifi network will be at our physically at (or outside) our hackespace, and likely not connected over ethernet. This means that we need to give them access to the Internet, because they won't have another way to get to it. Users on the Wifi network should have unrestricted access to the Internet, just like if they were our non-DangerZone wifi.
 
Users connected over to the Wifi network will be at our physically at (or outside) our hackespace, and likely not connected over ethernet. This means that we need to give them access to the Internet, because they won't have another way to get to it. Users on the Wifi network should have unrestricted access to the Internet, just like if they were our non-DangerZone wifi.
  
 
This network never accepts incoming connections.
 
This network never accepts incoming connections.
 +
 +
=Subnets=
 +
 +
{| border="1px"
 +
|-
 +
! Name
 +
! Range
 +
! Subnet Mask
 +
! Available IPs
 +
|-
 +
| VMs
 +
| 10.224.0.0 - 10.255.255.255
 +
| 255.224.0.0
 +
| 2,097,150
 +
|-
 +
| VPN
 +
| 10.192.0.0 - 10.223.255.255
 +
| 255.224.0.0
 +
| 2,097,150
 +
|-
 +
| Wifi
 +
| 10.0.0.0 - 10.31.255.255
 +
| 255.224.0.0
 +
| 2,097,150
 +
|-
 +
|}
 +
 +
=Adapters=
 +
 +
{| border="1px"
 +
|-
 +
! Name
 +
! IP
 +
! Services
 +
|-
 +
| eth-pub
 +
| 206.220.196.62
 +
| SSH, VPN, HTTPS
 +
|-
 +
| eth-vms
 +
| 10.224.0.1
 +
|-
 +
| eth-wifi
 +
| 10.0.0.1
 +
| HTTPS
 +
|-
 +
| tun0
 +
| 10.192.0.1
 +
| HTTPS
 +
|-
 +
|}
 +
 +
=Filtering=
 +
 +
{| border="1px"
 +
|-
 +
! From
 +
! To
 +
! Allowed?
 +
! Notes
 +
|-
 +
| Internet
 +
| Gateway
 +
| style="background-color:yellow;" | Partially
 +
| SSH, VPN, HTTPS
 +
|-
 +
| Internet
 +
| VMs
 +
| style="background-color:red;" | No
 +
| Protect our infrastructure.
 +
|-
 +
| Internet
 +
| VPN
 +
| style="background-color:red;" | No
 +
| Protect our users.
 +
|-
 +
| Internet
 +
| Wifi
 +
| style="background-color:red;" | No
 +
| Protect our users.
 +
|-
 +
| Gateway
 +
| Internet
 +
| style="background-color:lime;" | Yes
 +
| Useful for administration.
 +
|-
 +
| Gateway
 +
| VMs
 +
| style="background-color:yellow;" | Partial
 +
| Whitelist of host:port pairs.
 +
|-
 +
| Gateway
 +
| VPN
 +
| style="background-color:red;" | No
 +
| Protect our users.
 +
|-
 +
| Gateway
 +
| Wifi
 +
| style="background-color:red;" | No
 +
| Protect our users.
 +
|-
 +
| VMs
 +
| Internet
 +
| style="background-color:yellow;" | Partially
 +
| Whitelist of host:port pairs.
 +
|-
 +
| VMs
 +
| Gateway
 +
| style="background-color:red;" | No
 +
| No reason for it.
 +
|-
 +
| VMs
 +
| VPN
 +
| style="background-color:red;" | No
 +
| Protect our users.
 +
|-
 +
| VMs
 +
| Wifi
 +
| style="background-color:red;" | No
 +
| Protect our users.
 +
|-
 +
| VPN
 +
| Internet
 +
| style="background-color:red;" | No
 +
| Don't want remote users routing Internet traffic through us.
 +
|-
 +
| VPN
 +
| Gateway
 +
| style="background-color:yellow;" | Partially
 +
| HTTPS
 +
|-
 +
| VPN
 +
| VMs
 +
| style="background-color:yellow;" | Partially
 +
| Whitelist of host:port pairs as needed by the level.
 +
|-
 +
| VPN
 +
| VPN
 +
| style="background-color:red;" | No
 +
| Protect our users.
 +
|-
 +
| VPN
 +
| Wifi
 +
| style="background-color:red;" | No
 +
| Protect our users.
 +
|-
 +
| Wifi
 +
| Internet
 +
| style="background-color:lime;" | Yes
 +
| Users will have no other method to access the Internet.
 +
|-
 +
| Wifi
 +
| Gateway
 +
| style="background-color:yellow;" | Partially
 +
| HTTPS
 +
|-
 +
| Wifi
 +
| VMs
 +
| style="background-color:yellow;" | Partially
 +
| Whitelist of host:port pairs as needed by the level.
 +
|-
 +
| Wifi
 +
| VPN
 +
| style="background-color:red;" | No
 +
| Protect our users.
 +
|-
 +
| Wifi
 +
| Wifi
 +
| style="background-color:lime;" | Yes
 +
| Internal to the access point, we can't control.
 +
|-
 +
|}
 +
 +
 +
  
 
[[Category:DangerZone]]
 
[[Category:DangerZone]]

Latest revision as of 17:30, 4 October 2017

Info.png This page has been archived. All information in this article is historical.

Overview

This article explains the layout of the networks in the DangerZone from the perspective of the gateway.

Wifi Public switch NICs on box vmserver gateway

Networks

There are four different networks that the gateway has to deal with.

Internet

The adapter named eth-pub has a direct connection to the top-level switch at SkullSpace, and has been assigned the IP 206.220.196.62.

Only three services are exposed to the Internet:

  1. SSH
  2. VPN
  3. HTTPS

All other incoming traffic is blocked.

VMs

The VMs exist in the 10.224.0.0/11 subnet, with 10.224.0.1 assigned to the eth-vms adapter. All IP addresses in this range are statically assigned. This range was chosen because it is the least likely to conflict with a user's home network or other VPN that they are using.

VMs are permitted to receive connections on a case-by-case basis, as determined by the author of the challenge the VM is running. By default, all incoming connections to the VM network from the VPN and Wifi networks are blocked.

VMs have limited access to the Internet for the exclusive purpose of pulling down updates. The gateway maintains a whitelist of hostname:port pairs that are permitted from the VM network.

Our assumption is that the VMs are not in our control, and may be acting on the direction of anyone on the VPN or Wifi networks.

VPN

When a user wishes to access the DangerZone from the Internet, the web interface must be used to generate an OpenVPN certificate. VPN users are statically assigned addresses in the 10.192.0.0/11 range. The adapter tun0 has been assigned the IP 10.192.0.1.

The VPN network is never permitted to access anything other than the Gateway's VPN adapter and the VM network. Said another way, the VPN network may never talk to the Internet or the Wifi network.

We absolutely do not trust anything that comes out of the VPN.

This network never accepts incoming connections.

Wifi

When a user accesses the Wifi network, they will get an dynamically-assigned IP from a DHCP server in the 10.0.0.0/11 subnet which should be good for a week. The gateway's eth-wifi adapter is connected to this network, in fact it has a direct connection to the access point, and is assigned the IP 10.0.0.1. This address range was assigned to the Wifi network because it is the most likely to conflict with a user's home network, and when they're at SkullSpace we know it's not going to conflict.

Users connected over to the Wifi network will be at our physically at (or outside) our hackespace, and likely not connected over ethernet. This means that we need to give them access to the Internet, because they won't have another way to get to it. Users on the Wifi network should have unrestricted access to the Internet, just like if they were our non-DangerZone wifi.

This network never accepts incoming connections.

Subnets

Name Range Subnet Mask Available IPs
VMs 10.224.0.0 - 10.255.255.255 255.224.0.0 2,097,150
VPN 10.192.0.0 - 10.223.255.255 255.224.0.0 2,097,150
Wifi 10.0.0.0 - 10.31.255.255 255.224.0.0 2,097,150

Adapters

Name IP Services
eth-pub 206.220.196.62 SSH, VPN, HTTPS
eth-vms 10.224.0.1
eth-wifi 10.0.0.1 HTTPS
tun0 10.192.0.1 HTTPS

Filtering

From To Allowed? Notes
Internet Gateway Partially SSH, VPN, HTTPS
Internet VMs No Protect our infrastructure.
Internet VPN No Protect our users.
Internet Wifi No Protect our users.
Gateway Internet Yes Useful for administration.
Gateway VMs Partial Whitelist of host:port pairs.
Gateway VPN No Protect our users.
Gateway Wifi No Protect our users.
VMs Internet Partially Whitelist of host:port pairs.
VMs Gateway No No reason for it.
VMs VPN No Protect our users.
VMs Wifi No Protect our users.
VPN Internet No Don't want remote users routing Internet traffic through us.
VPN Gateway Partially HTTPS
VPN VMs Partially Whitelist of host:port pairs as needed by the level.
VPN VPN No Protect our users.
VPN Wifi No Protect our users.
Wifi Internet Yes Users will have no other method to access the Internet.
Wifi Gateway Partially HTTPS
Wifi VMs Partially Whitelist of host:port pairs as needed by the level.
Wifi VPN No Protect our users.
Wifi Wifi Yes Internal to the access point, we can't control.