Add architecture writeup and zone definitions
This commit is contained in:
parent
bb9c860491
commit
01f72b6dd3
@ -0,0 +1,67 @@
# Architecture
## Overview
My homelab, and by extension my home network, needs to meet a few requirements:
* Provide secure internet connectivity for myself and my roommates *(secure agents)*
* Provide secure internet connectivity for house guests, family members, party guests, etc *(insecure agents)*
* Provide secure intranet connectivity between homelab agents
* Provide secure access to internal homelab agents from internet agents
* Restrict access between agents on disparate network segments
* Restrict access to intranet resources from internet agents
* Restrict access to intranet resources from physically proximate agents
To meet these requirements I settled on a three-segment network, each operating at a
different security zone. This also has the added advantage of not over complicating
things.
| | Subnet | DNS Zone | Interop |
| --------------------- | ---------------- | ------------- | ------------------------------------------- |
| Homelab Domain | `10.42.101.0/24` | `net.enp.one` | Connectivity to Secure Agents |
| Secure Agent Domain | `10.42.100.0/24` | `tre2.local` | Connectivity to Homelab and Insecure Agents |
| Insecure Agent Domain | `10.42.100.0/24` | `tre2.local` | Connectivity to Secure Agents |
!!! note
In addition to the above subnets I also have `10.42.102.0/24` reserved for
future VPN/remote connectivity work.
!!! question
Why use `10.42.100.0/24` through `10.42.102.0/24`? Choosing a somewhat obtuse range
of subnets, as opposed to `10.0.1.0/24`, decreases the likelihood of an IP conflict
when connecting to 3rd part VPNs or integrating with other networks.
!!! todo
Audit and restructure the firewall separation between the homelab domain and other
domains. Right now the firewall is far too permissive.
## Domain Separation
Note that the word "*domain*" here is used to denote something closer to a traditional
*organizational unit* (OU) than a literal DNS domain or subnet. A "*domain*" in this
sense is a combination of a logical network segment, a L2/L3 network, and an isolated
security zone.
### Homelab Domain
This is the core domain where servers, applications, storage arrays, management devices,
and virtual machines all live. Basically **a)** anything I don't want my roommates
messing with and **b)** anything I don't want messing with my roommates if it goes
haywire.
### Secure Agent Domain
Secure agents, also known as trusted agents, are devices owned by people that I trust
are not going to (intentionally) compromise my network. This includes personal
computers, XBox's, phones, and Raspberry Pi's.
### Insecure Agent Domain
No man's land. The wild west. Anything and everything and something in between. My
friend's grandmother's ten year old unpatched Windows XP machine. A ruggedized computer
stamped "confidential" found in the back alley. An Amazon Alexa. God only knows what is
going to end up on this subnet, but I know I don't want it touching any of my stuff.
---
*Last updated `{{ git_revision_date }}`*
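Review bot: the Overview table assigns the same subnet `10.42.100.0/24` and the same DNS zone `tre2.local` to both the Secure Agent Domain and the Insecure Agent Domain, which puts trusted and untrusted devices on one L2/L3 segment and leaves the stated requirement "Restrict access between agents on disparate network segments" with nothing for the firewall to enforce; the Domain Separation section defines a domain as its own isolated segment and security zone, so this looks like a copy-paste error in the Insecure row and the row should get its own subnet and DNS zone (note the text already reserves `10.42.102.0/24` for VPN work, so a different range is needed). The Interop column also says the Insecure Agent Domain has "Connectivity to Secure Agents", which contradicts the Insecure Agent Domain section's "I don't want it touching any of my stuff"; either the column or the prose should be corrected. Minor wording: "over complicating" should be "overcomplicating", "3rd part VPNs" should be "3rd party VPNs", and "XBox's" / "Raspberry Pi's" are plural, not possessive.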