# Network with DMZ # # An example network configuration with an internal network, a DMZ network and a couple of external networks. # # ............................................................................ # . . # . Internal Network . # . . # . -------------- -------------- -------------- . # . | client_1 |------| switch_1 |--------| router_1 | . # . -------------- -------------- -------------- . # . (Computer) | . # ........................................................|................... # | # | # ........................................................|................... # . | . # . DMZ Network | . # . | . # . ---------------- -------------- -------------- . # . | dmz_server |------| switch_2 |------| firewall | . # . ---------------- -------------- -------------- . # . (Server) | . # ........................................................|................... # | # External Network | # | # | # ----------------------- -------------- --------------------- # | external_computer |------| switch_3 |------| external_server | # ----------------------- -------------- --------------------- # metadata: version: 3.0 io_settings: save_step_metadata: false save_pcap_logs: true save_sys_logs: true game: max_episode_length: 256 ports: - ARP - DNS - HTTP - POSTGRES_SERVER protocols: - ICMP - TCP - UDP agents: - ref: defender team: BLUE type: proxy-agent observation_space: type: custom options: components: - type: nodes label: NODES options: hosts: - hostname: client_1 num_services: 1 num_applications: 0 num_folders: 1 num_files: 1 num_nics: 2 include_num_access: false include_nmne: false routers: - hostname: router_1 num_ports: 0 ip_list: - 192.168.0.10 wildcard_list: - 0.0.0.1 port_list: - HTTP - POSTGRES_SERVER protocol_list: - ICMP - TCP - UDP num_rules: 10 - type: links label: LINKS options: link_references: - client_1:eth-1<->switch_1:eth-1 - type: "none" label: ICS options: {} action_space: action_map: 0: action: do-nothing options: {} 1: action: firewall-acl-add-rule options: type: firewall-acl-add-rule target_firewall_nodename: firewall firewall_port_name: internal firewall_port_direction: inbound position: 1 permission: PERMIT src_ip: 192.168.0.10 dst_ip: ALL src_port: ALL dst_port: ALL protocol_name: ALL src_wildcard: NONE dst_wildcard: NONE 2: action: firewall-acl-remove-rule options: target_firewall_nodename: firewall firewall_port_name: internal firewall_port_direction: inbound position: 1 3: action: firewall-acl-add-rule options: target_firewall_nodename: firewall firewall_port_name: internal firewall_port_direction: outbound position: 1 permission: DENY src_ip: 192.168.0.10 # client 1 dst_ip: ALL src_port: ARP dst_port: DNS protocol_name: icmp src_wildcard: NONE dst_wildcard: NONE 4: action: firewall-acl-remove-rule options: target_firewall_nodename: firewall firewall_port_name: internal firewall_port_direction: outbound position: 1 5: action: firewall-acl-add-rule options: target_firewall_nodename: firewall firewall_port_name: dmz firewall_port_direction: inbound position: 1 permission: DENY src_ip: 192.168.10.10 # dmz_server dst_ip: 192.168.0.10 # client_1 src_port: HTTP dst_port: HTTP protocol_name: UDP src_wildcard: NONE dst_wildcard: NONE 6: action: firewall-acl-remove-rule options: target_firewall_nodename: firewall firewall_port_name: dmz firewall_port_direction: inbound position: 1 7: action: firewall-acl-add-rule options: target_firewall_nodename: firewall firewall_port_name: dmz firewall_port_direction: outbound position: 2 permission: DENY src_ip: 192.168.10.10 # dmz_server dst_ip: 192.168.0.10 # client_1 src_port: HTTP dst_port: HTTP protocol_name: TCP src_wildcard: NONE dst_wildcard: NONE 8: action: firewall-acl-remove-rule options: target_firewall_nodename: firewall firewall_port_name: dmz firewall_port_direction: outbound position: 2 9: action: firewall-acl-add-rule options: target_firewall_nodename: firewall firewall_port_name: external firewall_port_direction: inbound position: 10 permission: DENY src_ip: 192.168.20.10 # external_computer dst_ip: 192.168.10.10 # dmz src_port: POSTGRES_SERVER dst_port: POSTGRES_SERVER protocol_name: icmp src_wildcard: NONE dst_wildcard: NONE 10: action: firewall-acl-remove-rule options: target_firewall_nodename: firewall firewall_port_name: external firewall_port_direction: inbound position: 10 11: action: firewall-acl-add-rule options: target_firewall_nodename: firewall firewall_port_name: external firewall_port_direction: outbound position: 1 permission: DENY src_ip: 192.168.20.10 # external_computer dst_ip: 192.168.0.10 # client_1 src_port: ALL dst_port: ALL protocol_name: NONE src_wildcard: NONE dst_wildcard: NONE 12: action: firewall-acl-remove-rule options: target_firewall_nodename: firewall firewall_port_name: external firewall_port_direction: outbound position: 1 13: action: network-port-disable options: type: network-port-disable target_nodename: firewall port_num: 3 14: action: network-port-enable options: type: network-port-enable target_nodename: firewall port_num: 3 simulation: network: nodes: - type: computer hostname: client_1 ip_address: 192.168.0.10 subnet_mask: 255.255.255.0 default_gateway: 192.168.0.1 dns_server: 192.168.20.11 start_up_duration: 0 shut_down_duration: 0 - type: switch hostname: switch_1 num_ports: 8 start_up_duration: 0 shut_down_duration: 0 - type: router hostname: router_1 num_ports: 5 start_up_duration: 0 shut_down_duration: 0 ports: 1: ip_address: 192.168.0.1 subnet_mask: 255.255.255.0 2: ip_address: 192.168.1.1 subnet_mask: 255.255.255.0 acl: 22: action: PERMIT src_port: ARP dst_port: ARP 23: action: PERMIT protocol: ICMP routes: - address: 192.168.10.10 # route to dmz_server subnet_mask: 255.255.255.0 next_hop_ip_address: 192.168.1.2 metric: 0 - address: 192.168.20.10 # route to external_computer subnet_mask: 255.255.255.0 next_hop_ip_address: 192.168.1.2 metric: 0 - address: 192.168.20.11 # route to external_server subnet_mask: 255.255.255.0 next_hop_ip_address: 192.168.1.2 metric: 0 - type: server hostname: dmz_server ip_address: 192.168.10.10 subnet_mask: 255.255.255.0 default_gateway: 192.168.10.1 dns_server: 192.168.20.11 start_up_duration: 0 shut_down_duration: 0 - type: switch hostname: switch_2 num_ports: 8 start_up_duration: 0 shut_down_duration: 0 - type: firewall hostname: firewall start_up_duration: 0 shut_down_duration: 0 ports: external_port: # port 1 ip_address: 192.168.20.1 subnet_mask: 255.255.255.0 internal_port: # port 2 ip_address: 192.168.1.2 subnet_mask: 255.255.255.0 dmz_port: # port 3 ip_address: 192.168.10.1 subnet_mask: 255.255.255.0 acl: internal_inbound_acl: 22: action: PERMIT src_port: ARP dst_port: ARP 23: action: PERMIT protocol: ICMP internal_outbound_acl: 22: action: PERMIT src_port: ARP dst_port: ARP 23: action: PERMIT protocol: ICMP dmz_inbound_acl: 22: action: PERMIT src_port: ARP dst_port: ARP 23: action: PERMIT protocol: ICMP dmz_outbound_acl: 22: action: PERMIT src_port: ARP dst_port: ARP 23: action: PERMIT protocol: ICMP external_inbound_acl: 22: action: PERMIT src_port: ARP dst_port: ARP external_outbound_acl: 22: action: PERMIT src_port: ARP dst_port: ARP routes: - address: 192.168.0.10 # route to client_1 subnet_mask: 255.255.255.0 next_hop_ip_address: 192.168.1.1 metric: 0 - type: switch hostname: switch_3 num_ports: 8 start_up_duration: 0 shut_down_duration: 0 - type: computer hostname: external_computer ip_address: 192.168.20.10 subnet_mask: 255.255.255.0 default_gateway: 192.168.20.1 dns_server: 192.168.20.11 start_up_duration: 0 shut_down_duration: 0 - type: server hostname: external_server ip_address: 192.168.20.11 subnet_mask: 255.255.255.0 default_gateway: 192.168.20.1 start_up_duration: 0 shut_down_duration: 0 services: - type: dns-server links: - endpoint_a_hostname: client_1 endpoint_a_port: 1 endpoint_b_hostname: switch_1 endpoint_b_port: 1 - endpoint_a_hostname: router_1 endpoint_a_port: 1 endpoint_b_hostname: switch_1 endpoint_b_port: 8 - endpoint_a_hostname: firewall endpoint_a_port: 2 # internal firewall port endpoint_b_hostname: router_1 endpoint_b_port: 2 - endpoint_a_hostname: firewall endpoint_a_port: 3 # dmz firewall port endpoint_b_hostname: switch_2 endpoint_b_port: 8 - endpoint_a_hostname: dmz_server endpoint_a_port: 1 endpoint_b_hostname: switch_2 endpoint_b_port: 1 - endpoint_a_hostname: firewall endpoint_a_port: 1 # external firewall port endpoint_b_hostname: switch_3 endpoint_b_port: 8 - endpoint_a_hostname: external_computer endpoint_a_port: 1 endpoint_b_hostname: switch_3 endpoint_b_port: 1 - endpoint_a_hostname: external_server endpoint_a_port: 1 endpoint_b_hostname: switch_3 endpoint_b_port: 2