Architecture

Stakey Rice is currently set up at home on a 1GB fiber Internet connection. I’ve set up this network with high security in mind.

Here is the network diagram:

Internet

  • 1GB Fiber Internet (Upload and Download)

Hardware

  • 3 Nodes, Dell Optiplex Micro, i3 CPU, 20GB RAM, 250GB SSD, low power consumption
  • Raspberry Pi as Bastion node
  • Firewall – cannot reveal which one, but it’s not an average consumer firewall; see below for its capabilities
  • AirGap Linux on another Optiplex

Firewall/Networking

  • Individual VLAN per node, deny incoming by default
  • Allow only the needed ports to the needed IP address or network
  • Traffic between VLANs is also restricted
  • IPS/IDS enabled
  • Deep Packet Inspection
  • Geo Blocking
  • Home personal devices are on a separate VLAN with no traffic allowed between it and the node VLANs

Cardano Nodes

  • Ubuntu Server 20.04 LTS
  • UFW firewall – deny incoming, allow only the needed ports to specific IPs/networks
  • Certificate authentication
  • MFA
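The UFW policy on each node, written out as an added example (this is not the page's own script; the bastion address, the peer network and the node port are assumed placeholders). Everything not explicitly allowed is dropped by the default policy, SSH is reachable only from the bastion, and the cardano-node port only from the other nodes' network. `render_ufw_rules` prints the commands so the rule set can be reviewed before `apply_ufw_rules` runs them:

```shell
#!/bin/sh
# Added example: per-node UFW rule set following the policy on the page
# (deny incoming by default, allow only needed ports to specific IPs/networks).
# All addresses below are assumed placeholders, not the pool's real values.

BASTION_IP="${BASTION_IP:-10.10.0.10}"   # assumed: Raspberry Pi bastion
PEER_NET="${PEER_NET:-10.10.0.0/24}"     # assumed: network of the other pool nodes
NODE_PORT="${NODE_PORT:-3001}"           # assumed: cardano-node listen port

# Print the rule set. Each "allow" line carries a "from" clause, so no port is
# ever opened to the whole Internet; the last line turns the firewall on.
render_ufw_rules() {
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow from $BASTION_IP to any port 22 proto tcp
ufw allow from $PEER_NET to any port $NODE_PORT proto tcp
ufw --force enable
EOF
}

# Apply the rendered rules (needs root). Stops at the first failing command.
apply_ufw_rules() {
  render_ufw_rules | sh -e
}

# Self-check helpers: how many allow rules exist, and how many of them lack a
# source restriction. The second number should always be 0 on these nodes.
count_allow_rules() {
  render_ufw_rules | grep -c '^ufw allow' || true
}

count_unrestricted_allow_rules() {
  render_ufw_rules | grep '^ufw allow' | grep -vc ' from ' || true
}

# Usage:
#   sh ufw-node.sh            # defines the functions only
#   render_ufw_rules          # review the rules
#   sudo sh -c '. ./ufw-node.sh; apply_ufw_rules'
```

Running `count_unrestricted_allow_rules` before applying is a cheap guard against a copy-paste mistake such as `ufw allow 22`, which would expose SSH to every VLAN the firewall lets through.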

Bastion Node

  • The only way to manage the Cardano nodes is to SSH into the Bastion node first, then SSH from there into the other nodes. There is no direct SSH to the Cardano nodes themselves.
  • Certificate authentication with MFA
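The bastion-only access path, as an added example that is not the page's own configuration. It renders two files: the admin workstation's `~/.ssh/config`, which reaches every node through the bastion with `ProxyJump`, and a drop-in for `/etc/ssh/sshd_config.d/` on each Cardano node that accepts key-based logins only, only for the admin user, and only when the connection comes from the bastion's address. The MFA step is assumed to be a PAM keyboard-interactive module (the page does not name the mechanism); addresses, user name and key file names are assumed placeholders.

```shell
#!/bin/sh
# Added example: SSH path through the bastion. Not the page's own config;
# addresses, user and key names are assumed placeholders.

BASTION_IP="${BASTION_IP:-10.10.0.10}"     # assumed bastion address
NODE_IP="${NODE_IP:-10.10.1.10}"           # assumed address of one Cardano node
ADMIN_USER="${ADMIN_USER:-cardano-admin}"  # assumed management account

# Client side (~/.ssh/config on the admin workstation). "ssh producer" opens a
# connection to the bastion first and tunnels the node session through it, so
# the node never sees a connection from anywhere but the bastion.
render_client_ssh_config() {
  cat <<EOF
Host bastion
    HostName $BASTION_IP
    User $ADMIN_USER
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes

Host producer
    HostName $NODE_IP
    User $ADMIN_USER
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519_nodes
    IdentitiesOnly yes
EOF
}

# Node side (/etc/ssh/sshd_config.d/10-bastion-only.conf on Ubuntu 20.04).
# Public key plus a keyboard-interactive second factor (PAM module assumed),
# no passwords, no root, and the admin user only from the bastion address.
render_node_sshd_dropin() {
  cat <<EOF
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PermitRootLogin no
AllowUsers $ADMIN_USER@$BASTION_IP
EOF
}

# Returns 0 only if the given sshd drop-in keeps the properties above:
# no password logins, no root, public key required, and a host-restricted user.
sshd_dropin_is_hardened() {
  _f="$1"
  grep -Eq '^PasswordAuthentication[[:space:]]+no[[:space:]]*$' "$_f" &&
  grep -Eq '^PermitRootLogin[[:space:]]+no[[:space:]]*$' "$_f" &&
  grep -Eq '^AuthenticationMethods[[:space:]]+publickey' "$_f" &&
  grep -Eq '^AllowUsers[[:space:]]+[^[:space:]]+@[0-9.]+' "$_f"
}

# Usage on a node (as root), then validate before restarting sshd:
#   render_node_sshd_dropin > /etc/ssh/sshd_config.d/10-bastion-only.conf
#   sshd_dropin_is_hardened /etc/ssh/sshd_config.d/10-bastion-only.conf && sshd -t && systemctl reload ssh
```

Keep a second session open while reloading sshd: if the `AllowUsers` line or the bastion address is wrong, the only remaining way in is the console.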

AirGap Machine

  • Never connected to the network, not even when installing the operating system. 100% offline
  • OS drive is encrypted, so it is not usable if stolen
  • A USB drive is used to transfer files between the AirGap machine and the Cardano nodes
  • Keys are backed up to an encrypted drive
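The USB hand-off between the AirGap machine and the nodes is the one place where files cross the air gap, so it is worth checking that what arrives is what left. The following added example (not the page's own tooling) writes a SHA-256 manifest on the AirGap side, verifies it on the receiving node, and checks that a secret key file carries no group/other permission bits. File names in the usage comments are assumed; the disk encryption of the backup drive itself is not shown.

```shell
#!/bin/sh
# Added example: integrity check for files carried over USB across the air gap,
# plus a permission check for secret key files. Not the page's own scripts.

# SHA-256 of one file; falls back to shasum where coreutils is absent.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Run on the AirGap machine: print "<hash>  <relative path>" for every file
# under the directory about to be copied to the USB drive.
write_manifest() {
  _dir="$1"
  find "$_dir" -type f | sort | while read -r _f; do
    printf '%s  %s\n' "$(sha256_of "$_f")" "${_f#"$_dir/"}"
  done
}

# Run on the receiving node: recompute every hash and compare with the
# manifest. Returns 1 if any file is missing or altered, 0 otherwise.
verify_manifest() {
  _dir="$1"; _manifest="$2"; _bad=0
  while read -r _hash _rel; do
    [ -z "$_rel" ] && continue
    if [ ! -f "$_dir/$_rel" ] || [ "$(sha256_of "$_dir/$_rel")" != "$_hash" ]; then
      printf 'MISMATCH %s\n' "$_rel" >&2
      _bad=1
    fi
  done < "$_manifest"
  return $_bad
}

# Returns 0 only if the file exists and group/other have no permission bits,
# i.e. mode 600 or 400 as a secret key file should have.
key_file_is_private() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage (paths assumed):
#   AirGap side:  write_manifest /srv/transfer > /srv/transfer/SHA256SUMS
#   Node side:    verify_manifest /media/usb /media/usb/SHA256SUMS && echo ok
#                 key_file_is_private /media/usb/kes.skey || chmod 600 /media/usb/kes.skey
```

The manifest is written on the offline side and checked on the online side, so a USB drive that was tampered with or corrupted in transit fails the check before any key or certificate is installed on a node.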