Stakey Rice is currently set up at home, using a 1GB fiber Internet connection. I've set up this network with high security in mind.
Here is the network diagram:
- 1GB Fiber Internet (Upload and Download)
- 3 Nodes, Dell Optiplex Micro, i3 CPU, 20GB RAM, 250GB SSD, low power consumption
- Raspberry Pi as Bastion node
- Firewall – I cannot reveal which one, but it's not an average consumer firewall; see below for its capabilities
- AirGap Linux on another Optiplex
- Individual VLAN per node, deny incoming by default
- Allow only the needed ports to the needed IP address or network
- Traffic between VLANs is also restricted.
- IPS/IDS enabled
- Deep Packet Inspection
- Geo Blocking
- Home personal devices are on a separate VLAN with no traffic allowed in between
- Ubuntu Server 20.04 LTS
- UFW firewall – deny incoming, allow only the needed ports to specific IPs/networks.
- Certificate authentication
- The only way to manage the Cardano nodes is to SSH into the Bastion node first, then SSH into the other nodes. There is no direct SSH to the Cardano nodes themselves.
- Certificate authentication with MFA
- Never connected to the network, not even when installing the operating system. 100% offline
- OS drive is encrypted, so it is not usable if stolen.
- USB is used to transfer files between the AirGap machine and the Cardano nodes
- Keys are backed up to an encrypted drive
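As an added example (not the Stakey Rice configuration itself), a bash script that applies the deny-incoming UFW policy and the bastion-only SSH restriction described above to one node and audits the result; the bastion address, peer VLAN and node port are assumed placeholders, and the script prints the commands unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example, not the Stakey Rice configuration itself. Every address and
# port below is an assumption: adjust to your own VLAN plan before use.
set -eu

BASTION_IP="${BASTION_IP:-10.10.0.10}"    # assumed: Raspberry Pi bastion on its own VLAN
PEER_NET="${PEER_NET:-10.10.1.0/24}"      # assumed: VLAN holding the other Cardano nodes
NODE_PORT="${NODE_PORT:-3001}"            # assumed: node-to-node port to expose to peers
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = apply them (needs root)

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Deny all inbound traffic, then allow only the needed ports, each rule pinned to
# a specific source. SSH is reachable from the bastion address only.
ufw_rules() {
  run ufw --force reset
  run ufw default deny incoming
  run ufw default allow outgoing
  run ufw allow from "$BASTION_IP" to any port 22 proto tcp
  run ufw allow from "$PEER_NET" to any port "$NODE_PORT" proto tcp
  run ufw --force enable
}

# sshd_config settings that leave key-based login as the only accepted method.
sshd_hardening() {
  cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

# Audit the output of "ufw status": return 1 if any ALLOW rule accepts traffic
# from Anywhere, i.e. is not bound to a source address or network.
audit_status() {
  if printf '%s\n' "$1" | grep -E 'ALLOW( IN)?[[:space:]]+Anywhere' >/dev/null; then
    return 1
  fi
  return 0
}

# Print (or, with DRY_RUN=0, apply) the rule set when run directly.
ufw_rules
```

After applying, pipe `ufw status` into `audit_status` to confirm no allow rule was left open to Anywhere.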