|
1 |
| -hop-node |
2 |
| -======== |
| 1 | +firewalled-zone |
| 2 | +=============== |
3 | 3 |
|
4 |
| -Ansible playbook for creating secure networks with double firewalls behind internal networks and load balancing. |
| 4 | +Ansible playbook for creating secure networks with double firewalls and load balancing behind internal networks. |
5 | 5 | Approach is based on proxying ingress and egress traffic using reverse-proxy, SOCKSv5 and HTTP Proxy methods.
|
6 | 6 |
|
| 7 | +**Advantages:** |
| 8 | +- Hide real nodes behind two layers of firewall nodes |
| 9 | +- Anytime you can disconnect the middle node (`firewall` type) in case when `exit` node was hacked/compromised. No any trace on the node would persist, so the attacker will not even know `internal` node IP |
| 10 | +- Introduce additional L4 security e.g. against DoS |
| 11 | +- Hide your internal nodes public IP by redirecting traffic through egress proxy (traffic exits on `exit` type nodes) |
| 12 | +- Possibility to create a honeypot on exit nodes and then ban intruders on firewall nodes |
| 13 | + |
| 14 | +Architecture |
| 15 | +------------ |
| 16 | + |
| 17 | +Every node is connected with a VPN. There is a `peer list` defined for each node - only selected nodes can communicate with each other. |
| 18 | + |
| 19 | +**For example:** |
| 20 | +- `Exit node` talks only to `Firewall node` |
| 21 | +- `Firewall node` talks to `Exit node` and `Internal node` |
| 22 | + |
| 23 | +### Dictionary: |
| 24 | + |
| 25 | +- `Exit nodes`: Nodes hitting the internet. DNS should point at exit nodes |
| 26 | +- `Firewall nodes`: Relay nodes between `Exit nodes` and `Internal nodes`, does as a pure bridge that can be shut down anytime to hide your `Internal nodes` from attackers |
| 27 | +- `Internal nodes`: Your secure zone. Nodes should not be directly exposed to the internet |
| 28 | + |
7 | 29 | Example configuration: one node on every level
|
8 | 30 | ----------------------------------------------
|
9 | 31 |
|
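Review bot: the "no trace" claim on the new line 9 of the README is stronger than the design supports and should state its precondition. An attacker who has taken the `exit` node still sees that node's peer list, which by this README's own architecture contains the `firewall` node, so the `internal` node stays hidden only if the firewall node is disconnected before the attacker pivots through it; suggest rewording to "Once the middle node is disconnected, the exit node holds no record of the `internal` node, so an attacker who compromised it cannot learn the internal IP." "Introduce additional L4 security e.g. against DoS" should name the mechanism the playbook actually deploys (connection limits, rate limiting, which component) or be dropped, as it is not verifiable from the text. Minor wording: "No any trace" to "No trace", "does as a pure bridge" to "acts as a pure bridge", "internal nodes public IP" to "internal nodes' public IP". Style: "### Dictionary:" mixes an ATX heading with the setext (dash-underlined) headings used everywhere else in this file; use "Dictionary" with a dash underline and no trailing colon.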
@@ -38,7 +60,15 @@ peers:
|
38 | 60 | ```yaml
|
39 | 61 | node_role: internal
|
40 | 62 | wg_internal_ip: 10.223.0.3
|
| 63 | +#wg_port: 51826 |
| 64 | + |
| 65 | +# egress proxy accessible for Pods |
| 66 | +#setup_egress_proxy: true |
| 67 | +#haproxy_bind_ip: 10.50.0.1 |
| 68 | + |
41 | 69 | peers:
|
42 | 70 | - name: firewall-1
|
43 | 71 | externalIp: 5.4.3.2 # `internal-1` knows the internet IP of `firewall-1`
|
| 72 | + #persistentKeepAlive: 50 |
| 73 | + #relation: ["forward-egress"] # use with setup_egress_proxy=true |
44 | 74 | ```
|
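Review bot: the five new settings in this hunk (`wg_port`, `setup_egress_proxy`, `haproxy_bind_ip`, `persistentKeepAlive`, `relation`) appear only as commented-out lines in the example, with no statement of what they do, their defaults, or which values `relation` accepts besides `forward-egress`; add a short variables section, or at least a comment per line, so a reader does not have to read the roles to find out. For `haproxy_bind_ip` in particular, the comment says the egress proxy is "accessible for Pods", so document that `10.50.0.1` must be reachable only from the Pod/VPN network and that the proxy must not listen on the node's public interface, and say whether any source-address restriction is applied; otherwise anyone who can reach that bind address gets an open proxy that exits through the `exit` nodes. Also `#persistentKeepAlive: 50` and `externalIp` are camelCase while node variables such as `wg_internal_ip` are snake_case; state which convention applies to per-peer keys so users do not guess the wrong spelling.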