From 3a930280ad6155ce0f40a38e2ea9c311b8420dee Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Fri, 3 Jul 2020 14:14:36 +0100 Subject: [PATCH] distorted.tex: Delete catastrphically obsolete document. --- distorted.tex | 413 ---------------------------------------------------------- 1 file changed, 413 deletions(-) delete mode 100644 distorted.tex diff --git a/distorted.tex b/distorted.tex deleted file mode 100644 index 1ec0db2..0000000 --- a/distorted.tex +++ /dev/null @@ -1,413 +0,0 @@ -\documentclass[article, a4paper, 10pt, notitlepage, numbering]{strayman} -\usepackage[palatino, helvetica, maths=cmr]{mdwfonts} -\usepackage[T1]{fontenc} -\usepackage{at} -\usepackage[mdwmargin]{mdwthm} -\usepackage{mdwtab} -\usepackage[all, dvips]{xy} - -\atdef l#1{{\normalfont\sffamily #1}} -\atdef c#1{\textbf{#1}} - -\newtheorem*{observation}{Observation} - -\def\cbox#1{% - \vbox{% - \let\\\cr% - \halign{% - \hfil\strut\ignorespaces##\unskip\hfil\cr% - #1% - \crcr% - }% - }% -} - -\errorcontextlines=999 - -\begin{document} -\title{@l{distorted.org.uk} network design} -\author{Mark Wooding} -\maketitle - -\thispagestyle{empty} -\pagestyle{empty} - -\tableofcontents -\listoffigures -\listoftables - -\clearpage -\pagestyle{fancy} - -%%%-------------------------------------------------------------------------- -\section{Concepts} - -We begin by defining our basic concepts. -\begin{description} -\item[@c{Safe}] A @c{safe} network is one whose hosts are protected from - potentially dangerous network traffic. Hosts on a @c{safe} network may - communicate only (a) using trusted protocols (e.g., SSH) or (b) with - @c{trusted} hosts. -\item[@c{Trusted}] A @c{trusted} network is one whose hosts are permitted to - communicate with @c{safe} networks. -\end{description} - -\begin{observation} - It is impossible to protect hosts on a @c{safe} network from each other. - Therefore, a @c{safe} network must be @c{trusted}. As an immediate - corollary, an @c{untrusted} network cannot be @c{safe}. -\end{observation} - -We therefore distinguish three types of networks: -\begin{enumerate} -\item @c{Safe}, and therefore @c{trusted}. -\item @c{Trusted} but @c{unsafe}. -\item @c{Untrusted}, and therefore @c{unsafe}. -\end{enumerate} - - -%%%-------------------------------------------------------------------------- -\section{Existing hosts} - -We have the following hosts. All of them should be @c{trusted}. -\begin{description} -\item[@l{metalzone}] A Linux server and desktop machine. It is capable of - providing most services to the network, including mail, news, web proxying, - etc., and of providing services to the Internet at large. It can also - provide a powerful and versatile firewall. It should not be kept @c{safe}. -\item[@l{tubescreamer}] A dual-boot Linux desktop and Windows desktop. It - spends most of its time running Windows. It must be kept @c{safe}. -\item[@l{fuzzface}] A small Linux laptop. It doesn't have enough disk - capacity for running services, and wouldn't be around or turned on - regularly enough anyway, but it is capable of firewalling itself. We'd - like to attach this to a wireless network. It need not be kept @c{safe} - and we'd like it to be @c{trusted}. -\item[@l{guvnor}] An ADSL router. It is capable of providing minimal - services, and it has a fairly powerful firewall built-in. It must not be - kept @c{safe}. -\item[@l{evolution}] (Not yet commissioned.) A wireless access point. It is - capable of running Linux, but due to limited memory capacity cannot provide - many services. It has a powerful and versatile firewall. It cannot be - kept @c{safe}. -\end{description} - -We may also have guest machines. We suspect that keeping these @c{safe} -would be onerous to our guests, requiring configuration of web proxies and -suchlike. Guest machines can probably be @c{trusted}: violations of this -trust can be rectified using a cluebat. - -%%%-------------------------------------------------------------------------- -\section{Structure} - -We require the following physical networks. -\begin{itemize} -\item A (wired) Ethernet, for the permanent desktop machines and servers, and - for any guest hosts which need physical wiring. -\item A wireless Ethernet, for laptops. -\end{itemize} - - -\subsection{The wired network} - -Some hosts on our wired network (particularly @l{tubescreamer}) must be -@c{safe}; others (e.g., @l{metalzone}) must not in order for them to do their -jobs. It is tempting to split the wired network into two parts: @c{unsafe} -and @c{safe}. But this introduces a new potential point of failure, and -anyway fails to acknowledge the fact that both sides are already @c{trusted}. - - -\subsection{The wireless network} - -It is important to note that the security provided by wireless networks is -minimal, and cannot be relied upon. Therefore a wireless network must be -both @c{untrusted} and @c{unsafe}. We may allow unrestricted communication -with the global Internet, and to other @c{unsafe} networks, though hosts on -the wireless network must not be allowed to communicate with @c{safe} -networks. - -This restriction is annoying, and motivates us to introduce a @/virtual -private network/, providing authentication and encryption; hosts on the VPN -can be @c{trusted}, since we know who they are and (ideally) how they're -configured. - - -\subsection{Virtual private networks} - -As discussed earlier, we want a VPN so that hosts attached to the wireless -network can communicate with @c{safe} hosts. Also, we wish to participate in -the Sinister Green VPN. This introduces two kinds of VPN: our own can be -@c{trusted}, but the SGVPN should not be. - -The question arises: should our VPN be @c{safe}? We can see no particular -reasons why it shouldn't be: after all, a host on the VPN already has a route -to the global Internet (either it's communicating with us over the Internet -already, or it's on some @c{unsafe} network). - -Finally, we wish to provide some @/emulated hosts/, running old operating -systems; for example, a machine running ITS.% - \footnote{The Incompatible Timesharing System -- an old PDP--10 operating - system, which hosted MACLISP and the original EMACS implementation.} -Such old operating systems are likely to have major security problems, and -should be kept @c{safe} from outside attack. It seems reasonable to place -these emulated hosts in the @l{virtual} network, since (a)~we've just -determined that @l{virtual} hosts should be @c{safe}, and (b)~emulated hosts -are `virtual' in a sense anyway. - - -%%%-------------------------------------------------------------------------- -\section{Networks and numbering} - -We therefore have the following networks. -\begin{description} -\item[@l{fretwank} (wired, @c{safe}/@c{unsafe} mix)] Contains @l{guvnor} - (router to the Internet and main firewall), @l{metalzone} (main server), - @l{evolution} (wireless router), and @l{tubescreamer}. Also contains guest - machines allocated addresses by DHCP. -\item[@l{wireless} (wireless, @c{untrusted})] Contains @l{fuzzface}, at least - sometimes, and a number of guest machines allocated addresses by DHCP; - @l{evolution} is its router. -\item[@l{virtual} (virtual, @c{safe})] Contains @l{fuzzface} again, and - possibly various other hosts. Not really a proper network: more a random - collection of point-to-point associations. No dynamic allocation required. -\end{description} -See figure~\ref{fig:network} for a diagrammatic representation of the -network, and how the various hosts fit into it. - -\begin{figure} - \[\begin{xy} - 0; <1cm, 0cm>: - (0, 0) ="fwA"; (11, 0) ="fwB" **[butt][|3pt][=NET]@{-}, - ?(.5) ="fwM" ?(.18) ="fwX" ?(.82) ="fwY", - "fwM" *+!U\cbox{@l{fretwank} (172.29.199.0/25)}, - "fwM" + (0, 2) *+=(3, 1.5)[F:<12pt>][F*:green:<12pt>] - \cbox{@l{guvnor} \\ 83.105.60.35 \\ 172.29.199.1} ="guvnor", - "guvnor"; "fwM" **@{-}, - "guvnor"; + (0, 4) - *+=(4, 3)[o][F][F*:red] \cbox{Global \\ Internet} - **@{-} ?<>(.5) *@{//} *+!L{A}, - "fwY"; p + (0, 2) - *+=(3, 1.5)[F:<12pt>]\cbox{(DHCP guests)} - **@{-}, - "fwY"; p - (0, 2) - *+=(3, 1.5)[F:<12pt>][F*:green:<12pt>] - \cbox{@l{evolution} \\ 172.29.198.1 \\ 172.29.199.3} ="evolution" - **@{-}, - "fwX"; p + (0, 2) - *+=(3, 1.5)[F:<12pt>][F*:yellow:<12pt>] - \cbox{@l{tubescreamer} \\ 172.29.199.65} - **@{-}, - "fwX"; p - (0, 2) - *+=(3, 1.5)[F:<12pt>][F*:green:<12pt>] - \cbox{@l{metalzone} \\ 172.29.199.2} ="metalzone" - **@{-}, - "metalzone" + (-3, 1) ="sgvpnA"; p - (0, 10) ="sgvpnB" **[NET]@{-}, - ?(.5) ="sgvpnM", - "sgvpnM" *[left]+!R\cbox{SGO VPN (various RFC1918 addresses)}, - "metalzone"; p - (3, 0) **@{-} ?<>(.5) *@{//} *+!U{B}, - "metalzone" + (3, 1) ="vpnA"; p - (0, 8) ="vpnB" **[NET]@{-}, - ?(.5) ="vpnM", - "vpnM" *[left]+!L\cbox{@l{virtual} (172.29.199.128/28)}, - "metalzone"; p + (3, 0) **@{-} ?<>(.5) *@{//} *+!U{C}, - "metalzone" - (0, 2) - *+=(3, 1.5)[F:<12pt>][F*:yellow:<12pt>] - \cbox{@l{fuzzface} \\ 172.29.199.129} ="fuzzface"; - p + (3, 0) **@{-}, - "fuzzface" - (0, 2) - *+=(3, 1.5)[F:<12pt>][F*:yellow:<12pt>] - \cbox{@l{mz} \\ 172.29.199.130} ="mz"; - p + (3, 0) **@{-}, - "mz" - (0, 2) - *+=(3, 1.5)[F:<12pt>]\cbox{(VPN hosts)} ="x"; - p + (3, 0) **@{-}, - "x" - (0, 2) - *+=(3, 1.5)[F:<12pt>]\cbox{(SGO hosts)} ="x"; - p - (3, 0) **@{-}, - "evolution" + (3, 1) ="wlanA"; p - (0, 4) ="wlanB" **[NET]@{-}, - ?(.5) ="wlanM", - "wlanM" *[left]+!L\cbox{@l{wireless} (172.29.198.0/26)}, - "evolution"; p + (3, 0) **@{-} ?<>(.5) *@{//} *+!U{D}, - "evolution" - (0, 2) - *+=(3, 1.5)[F:<12pt>]\cbox{(DHCP guests)}; - p + (3, 0) **@{-}, - \end{xy}\] - - \caption{Diagram of @l{distorted.org.uk} networks} - \label{fig:network} -\end{figure} - -We must assign address ranges to these networks. The @l{distorted.org.uk} -domain has a block of 512 addresses allocated from the Cambridge G-RIN: -172.29.198.0/23. The low 256 addresses, 172.29.198.0/24, are used for -@c{untrusted} hosts; the upper addresses, 172.29.199.0/24, are used for -@c{trusted} and @c{safe} hosts. - -The @c{untrusted} address range is currently only used for the @l{wireless} -network. It is allocated 64 addresses. This seems relatively generous: -however, there is no small practical limit (such as the number of available -ports on switches or hubs) on the number of hosts which can join the network. -Since hosts on the network are granted temporary addresses via DHCP, the -network can be resized relatively easily by reconfiguring @l{evolution}: a -major flag day is not necessary. - -The @c{trusted} network is more difficult. We start with the wired Ethernet -@l{fretwank}. The number of hosts which can join the Ethernet is limited by -the number of available ports on the various switches and hubs. Currently we -have -\begin{itemize} -\item 4 ports on @l{guvnor}'s built-in switch, -\item 8 ports on a Netgear fast Ethernet switch, and -\item 16 ports on an old 10baseT hub, -\end{itemize} -for a total of 28 ports. (In fact, the total is only 24, since four of the -ports would be used up joining the hub and switches together.) Hence, a -single block of 32 addresses would suffice. However, this makes -administration difficult. Instead, we allocate @/four/ groups of 32 -addresses: -\begin{itemize} -\item a group for @c{trusted} but @c{unsafe} hosts with fixed addresses, used - for servers and routers; -\item a group for @c{safe} hosts with fixed addresses, used for our - vulnerable workstations; -\item a group for @c{trusted} but @c{unsafe} hosts with addresses dynamically - allocated by DHCP, for guests; and -\item a group of addresses reserved for some currently unforeseen purpose. -\end{itemize} - -The VPN is at this stage allocated 32 addresses. This can be increased -easily should the need arise; but we envisage that the various VPN hosts will -each need individual treatment in the firewall rules. - -The network address allocations are shown in detail in -table~\ref{tab:addresses}. - -\begin{table} - \begin{tabular}[C]{|lll|} \hlx{hv} - @*Network* & @*Status* & @*Address range* \\ \hlx{vhv} - @l{wireless} & @c{Untrusted} & 172.29.198.0/26 (64) \\ \hlx{v} - @l{fretwank} & Mixture & 172.29.199.0/25 (128) \\ - \quad Unsafe, fixed & @c{Trusted} & 172.29.199.0/27 (32) \\ - \quad Unsafe, DHCP & @c{Trusted} & 172.29.199.32/27 (32) \\ - \quad Safe & @c{Safe} & 172.29.199.64/27 (32) \\ - \quad Reserved & --- & 172.29.199.96/27 (32) \\ \hlx{v} - @l{virtual} & @c{Safe} & 172.29.199.128/27 (32) \\ \hlx{v} - Reserved & --- & $\vcenter{ - \hbox{172.29.199.160/27 (32)} - \hbox{172.29.199.192/26 (64)} - } \Bigr\}$ (96) \\ \hlx{vh} - \end{tabular} - - \caption{Network address allocations} - \label{tab:addresses} -\end{table} - - -%%%-------------------------------------------------------------------------- -\section{Firewall considerations} - -We filter network traffic at four points, shown as -`$\begin{xy}*+@{//}\end{xy}$' in figure~\ref{fig:network}: -\begin{itemize} -\item at the boundary with the global Internet, at @l{guvnor} ($A$); -\item at the join between the @l{wireless} network and our @c{trusted} - networks, at @l{evolution} ($D$); and -\item at the join between the VPNs and our @c{trusted} networks, ($B$ and - $C$). -\end{itemize} -(Technically, since we trust hosts on @l{virtual}, we needn't introduce -filtering between it and @l{fretwank}, but doing so is cheap and relatively -easy, and it does little harm.) - -The main purpose of the firewalls is to protect the hosts which are supposed -to be @c{safe}. Their secondary purposes are to act as an additional -protection for @c{trusted} hosts providing services, and to limit access to -some services to @c{trusted} hosts only. - - -\subsection{Externally visible services} - -The server @l{metalzone} provides a number of services which need to be -externally available: these are shown in table~\ref{tab:services}. - -\begin{table} - \centering - \begin{minipage}{0.8\textwidth} - \begin{tabular}[C]{|*{3}{ll|}} \hlx{hv} - @*Service* & @*Port(s)* & - @*Service* & @*Port(s)* & - @*Service* & @*Port(s)* \\ \hlx{vhv} - FTP & TCP 20, 21 & SSH & TCP 22 & SMTP & TCP 25 \\ - DNS & TCP/UDP 53 & Finger & TCP 79 & HTTP & TCP 80 \\ - Ident & TCP 113 & NTP & UDP 123% - %%\footnote{Only to upstream ISP's time servers.} - & HTTPS & TCP 443 \\ - rsync & TCP 873 & GIT & TCP 9418 & TrIPE & UDP 22\,003 \\ \hlx{vh} - \end{tabular} - \end{minipage} - - \caption{Externally visible services} - \label{tab:services} -\end{table} - -Additionally, @l{metalzone} provides a web proxy on port 3128 which should be -available to all hosts, including @c{untrusted} hosts, whose connection to -the global Internet is via @l{guvnor}. (Allowing external users to use the -proxy is bad, because they can eat up our 'net connection bandwidth very -easily. Disallowing @c{untrusted} hosts from using the proxy is silly, -though, since they can @/already/ gobble the 'net connection, and using the -proxy may help reduce the impact of many users.) - -Finally, @l{metalzone} supports active FTP, and occasionally other temporary -services, on high-numbered ports. TCP and UDP ports with numbers in the -range 32\,000--65\,535 should be left unfiltered. - - -\subsection{Trusted protocols} - -All hosts, including @c{safe} hosts, are permitted to contact any address on -TCP port~22, for the purpose of setting up an SSH connection. (Messing about -with proxies for SSH is too tedious.) So that this can stand a chance of -working properly, we also allow ICMP. This isn't, perhaps, ideal, but all -manner of things go wrong if ICMP is blocked. Besides, it means that @/ping/ -is likely to work, which is also useful. - - - - -%%% A -%%% 1. Packets from WAN -%%% if src-addr in rfc1918-addresses: DROP -%%% if src-addr in localnet: DROP -%%% if src-addr == guvnor.demon: DROP -%%% if dest-addr not in distorted-net: DROP -%%% if protocol == icmp: ACCEPT -%%% if protocol == tcp and src-port == 22 and ack: ACCEPT -%%% if dest-addr in fretwank-safe: DROP -%%% if dest-addr in vpn: DROP -%%% if protocol == tcp and ack: ACCEPT -%%% if dest-addr == metalzone.fretwank and -%%% protocol/dest-port in external-services: -%%% ACCEPT -%%% DENY -%%% -%%% 2. Packets from LAN -%%% if src-addr not in distorted-net: DROP -%%% ACCEPT - -%%% D -%%% 1. Packets from WLAN -%%% if src-addr not in wireless: DROP -%%% if dest-addr not in distorted-net: DROP -%%% if protocol == icmp: ACCEPT -%%% if protocol == tcp and src-port == 22 and ack: ACCEPT -%%% if dest-addr in fretwank-safe: DROP -%%% if dest-addr in vpn: DROP -%%% if protocol == tcp and ack: ACCEPT -%%% if dest-addr == metalzone.fretwank and -%%% (protocol/dest-port in external-services or -%%% protocol == tcp and dest-port == 3128): -%%% ACCEPT -%%% DENY -%%% - - -\end{document} -- 2.11.0