Set up a moderately complex testing environment that simulates an industrial/Cyber Physical System (CPS) context and is configured with a zero-trust approach through microsegmentation.
The tool in the repository zclod/dhall-microsegmentation generates configuration files for Nebula (slackhq/nebula):
Nebula: A scalable overlay networking tool with a focus on performance, simplicity, and security (github.com). It is a kind of VPN that lets you implement microsegmentation.
If you can find images/containers or virtual machines that represent IoT/CPS devices, you can try connecting them with this method, implementing microsegmentation to isolate them from each other, and then test that everything works properly.
- Cyber Physical System
- Zero Trust
- Micro-segmentation
- Nebula : https://github.com/slackhq/nebula
- configuration files: https://github.com/zclod/dhall-microsegmentation
You must have installed:
- nebula (only needed for nebula-cert, to generate the certificates)
- docker
LEGEND: x represents the number of IoT devices; x is a parameter, so you can run as many as you want.
The network used on "bare-metal":
- 172.20.0.100/24 (lighthouse)
//172.20.z.1 cannot be used because it is the address of the virtual interface that links the host to the docker network itself
- 172.20.x.y/24 (iot-dev-x)
//(y != 1): the IP is not fixed (it can be fixed by reintroducing the commented line in the iot-devs part of run_containers.sh); the containers are only guaranteed to land on a specific network
- 172.20.50.2/24 (iot-master)
(all different networks, not part of the same subnet!)
The addresses configured in the micro-segmented VPN:
- 192.168.100.1 (lighthouse)
- 192.168.100.x+1 (iot-dev-1)
//because ...1 is used for the lighthouse
- 192.168.100.2 (iot-dev-2)
- 192.168.100.3 (iot-dev-3)
- [...]
- 192.168.100.x (iot-dev-x)
- 192.168.100.50 (iot-master)
I've chosen to set the following configuration in the devices' firewall:
port 1883 outbound to iot-master, and ICMP
in & out for testing Nebula networking
outbound:
  - port: 1883
    proto: any
    host: iot-master
  - port: any
    proto: icmp
    host: any
inbound:
  - port: any
    proto: icmp
    host: any
And for iot-master, which receives the device traffic, inbound on the MQTT port (1883) is allowed:
outbound:
  - port: any
    proto: icmp
    host: any
inbound:
  - port: any
    proto: icmp
    host: any
  - port: 1883
    proto: any
    host: any
And a minimal policy for the lighthouse:
outbound:
  # Allow only ICMP outbound from this node
  - port: any
    proto: icmp
    host: any
inbound:
  # Allow ICMP between any Nebula hosts
  - port: any
    proto: icmp
    host: any
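As an added example (not code from this repository or from Nebula), here is a small Python model of how Nebula evaluates the three policies above: a new flow is permitted only when the sender's outbound rules and the receiver's inbound rules both match. Only the port/proto/host matchers used on this page are modelled (no groups or CIDR matchers, and replies to an already-permitted flow are not re-checked, since Nebula's firewall is stateful); the certificate names iot-dev-N, iot-master and lighthouse are assumed.

```python
# Constructed policies mirroring the three firewall sections above (role -> policy).
POLICIES = {
    "iot-dev": {
        "outbound": [
            {"port": 1883, "proto": "any", "host": "iot-master"},
            {"port": "any", "proto": "icmp", "host": "any"},
        ],
        "inbound": [{"port": "any", "proto": "icmp", "host": "any"}],
    },
    "iot-master": {
        "outbound": [{"port": "any", "proto": "icmp", "host": "any"}],
        "inbound": [
            {"port": "any", "proto": "icmp", "host": "any"},
            {"port": 1883, "proto": "any", "host": "any"},
        ],
    },
    "lighthouse": {
        "outbound": [{"port": "any", "proto": "icmp", "host": "any"}],
        "inbound": [{"port": "any", "proto": "icmp", "host": "any"}],
    },
}

def role_of(name):
    """Map an assumed cert name (iot-dev-3, iot-master, lighthouse) to its policy."""
    return "iot-dev" if name.startswith("iot-dev-") else name

def rule_matches(rule, proto, port, peer):
    """A rule matches when each field is 'any' or equals the flow's value (host = peer cert name)."""
    return (rule["proto"] in ("any", proto)
            and rule["port"] in ("any", port)
            and rule["host"] in ("any", peer))

def allowed(src, dst, proto, port=0):
    """New flow src -> dst is permitted only if src's outbound AND dst's inbound rules allow it."""
    out_ok = any(rule_matches(r, proto, port, dst) for r in POLICIES[role_of(src)]["outbound"])
    in_ok = any(rule_matches(r, proto, port, src) for r in POLICIES[role_of(dst)]["inbound"])
    return out_ok and in_ok

def segmentation_report(devices):
    """Check the lab's intent: devices reach only iot-master over MQTT and never each
    other, the master never opens MQTT towards a device, and ICMP works everywhere."""
    hosts = devices + ["iot-master", "lighthouse"]
    return {
        "dev_to_master_mqtt": all(allowed(d, "iot-master", "tcp", 1883) for d in devices),
        "dev_to_dev_mqtt": any(allowed(a, b, "tcp", 1883) for a in devices for b in devices if a != b),
        "master_to_dev_mqtt": any(allowed("iot-master", d, "tcp", 1883) for d in devices),
        "icmp_mesh": all(allowed(a, b, "icmp") for a in hosts for b in hosts if a != b),
    }
```

Running `segmentation_report(["iot-dev-1", "iot-dev-2", "iot-dev-3"])` should show only the device-to-master MQTT flow and the ICMP mesh as permitted; if a device-to-device MQTT flow ever shows up as allowed, an inbound 1883 rule has leaked into the device policy.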
On the first run, to set everything up automatically (it takes some minutes, also depending on x; choose the x you want, i.e. the number of IoT devices):
./setup_env.sh x
After the first run, if you want to restart the containers you can start them with this script (or manually if you prefer):
./run_containers.sh
run_containers.sh
contains the core of this project (including the YAML firewalls); running the steps manually could cause some problems. To understand the configuration of this project, reading this script is recommended.
and if you want to rebuild them:
./build_containers.sh
Finally, to check that everything is working:
docker attach iot-master
or:
docker exec -it lighthouse /bin/bash
ping 192.168.100.x
where, instead of lighthouse, you can use iot-master or iot-dev-*.
I've had some problems with the TUN/TAP device since I was running this entire project on Arch Linux, but with
find /lib/modules/ -iname 'tun.ko.zst'
And then after finding it:
insmod /lib/modules/6.2.11-arch1-1/kernel/drivers/net/tun.ko.zst
and in the end with the following command:
docker run
[...]
--device /dev/net/tun:/dev/net/tun\
[...]
it is expected to work.
At the end of experiment, in order to clean both docker and folders:
./remove_all.sh