Quote from squelch on May 23, 2018, 4:46 pm
I plan on using my Antsle to do some home automation functions (e.g., running a Homeseer server), and already have it running other local functions (e.g., a DNS server). I have these being served over an interface to a private VLAN (bridged connection to eth1, with the router putting all traffic on that port on, say, VLAN10).
I have set up eth2 on VLAN20, a "DMZ" VLAN that will host public-facing functions. A website, or a status panel, or a collaboration server for a project, and so on. I can segment off that traffic straightforwardly enough.
What I can't really rigorously isolate are inter-antlet communications. They all live on a host-only network within the Antsle that, sensibly, allows the Antsle to control them all. Problem is, this breaks my segmentation. If a service on my DMZ that is being hosted within the Antsle gets hit, an attacker could conceivably pivot onto my private VLAN by attacking an antlet that's on that segment.
What's the "Antsle way" of segmenting the boxes? I'd really like to avoid writing an iptables rule for every single box. I've considered setting up a central configuration management system in the main Antsle just to do this (and do host-based blocking), but this is clumsy and I would prefer some kind of whole-Antsle-level isolation option for individual antlets that is straightforward and clear.
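One way to get whole-host isolation between groups of antlets without a rule per box is to put each antlet's address into an ipset per zone and drop cross-zone traffic in a single FORWARD sub-chain. The script below is an added example, not code from the post or from Antsle; it assumes antlets have static addresses on the host-only bridge, uses a placeholder bridge name, and relies on the br_netfilter module so that bridged packets pass through iptables FORWARD. It only prints the commands; the IPs in the sample zone map are constructed.

```shell
#!/bin/sh
# Added example (not Antsle's code): emit an ipset + iptables ruleset that
# blocks traffic between zones of antlets sharing one host-only bridge, so
# that a compromised DMZ antlet cannot reach antlets on the private segment.
# Assumptions (not stated in the post): antlets have static IPs, the bridge
# name below is a placeholder, and br_netfilter is loaded so bridged packets
# traverse the iptables FORWARD chain. Nothing is applied; rules are printed.

ANTLET_BRIDGE="${ANTLET_BRIDGE:-br-antlets-PLACEHOLDER}"   # replace with the real bridge name

# Write a constructed sample zone map ("<zone> <ip>" per line) to $1.
write_sample_zones() {
    cat > "$1" <<'EOF'
# zone     antlet-ip (constructed sample addresses)
dmz        10.100.0.20
dmz        10.100.0.21
private    10.100.0.30
private    10.100.0.31
EOF
}

# gen_rules <zonefile>: print the commands that build one ipset per zone and
# a FORWARD sub-chain that logs (rate-limited) and drops any cross-zone packet.
gen_rules() {
    zonefile="$1"
    zones=$(awk '!/^#/ && NF { print $1 }' "$zonefile" | sort -u)

    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    for z in $zones; do
        echo "ipset create antlet_$z hash:ip -exist"
        echo "ipset flush antlet_$z"
    done
    while read -r zone ip; do
        case "$zone" in ''|'#'*) continue ;; esac
        echo "ipset add antlet_$zone $ip -exist"
    done < "$zonefile"

    echo "iptables -N ANTLET_ISOLATE 2>/dev/null || iptables -F ANTLET_ISOLATE"
    for src in $zones; do
        for dst in $zones; do
            [ "$src" = "$dst" ] && continue
            m="-m set --match-set antlet_$src src -m set --match-set antlet_$dst dst"
            echo "iptables -A ANTLET_ISOLATE $m -m limit --limit 5/min -j LOG --log-prefix \"antlet-xzone: \""
            echo "iptables -A ANTLET_ISOLATE $m -j DROP"
        done
    done
    # Hook only bridge-to-bridge traffic; the host's own access to antlets
    # uses INPUT/OUTPUT, not FORWARD, so management from the Antsle is unaffected.
    echo "iptables -C FORWARD -i $ANTLET_BRIDGE -o $ANTLET_BRIDGE -j ANTLET_ISOLATE 2>/dev/null ||" \
         "iptables -I FORWARD 1 -i $ANTLET_BRIDGE -o $ANTLET_BRIDGE -j ANTLET_ISOLATE"
}

# Stand-alone demo: print the ruleset for the constructed sample zone map.
demo_zones=$(mktemp)
write_sample_zones "$demo_zones"
gen_rules "$demo_zones"
rm -f "$demo_zones"
```

Adding an antlet is one line in the zone map and one `ipset add`; the number of iptables rules depends only on the number of zones. If a particular cross-zone flow is legitimately needed (say, a DMZ web front end talking to a private database antlet on one port), insert an explicit ACCEPT for that tuple ahead of the DROP rather than loosening the zone rule, and watch the `antlet-xzone:` log prefix for anything else trying to cross.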