Architecture Views
Purpose
This page provides visual representations of the Scheol Security Lab architecture.
It complements:
- Trust Boundaries & Segmentation (logical model)
- Security Design Decisions (architectural reasoning)
The objective is to:
- make the architecture quickly understandable
- highlight key exposure points and flows
- support discussion, review and analysis
1. High-Level Architecture Overview
                  Internet
                      │
          ┌───────────┴───────────┐
          │                       │
     [ VPS-01 ]              [ VPS-02 ]
 (Web / Gitea / RP)        (Dolibarr + DB)
          │                       │
          └───────────┬───────────┘
                      │
            Public Exposure Layer
                  (Heaven)
                      │
        ─────────────────────────────
                      │
           Internal Infrastructure
                   (Hell)
                      │
       ┌──────────────┴──────────────┐
       │                             │
       │       [ Hypervisor ]        │
       │      ┌──────────────┐       │
       │      │ [ Firewall ] │       │
       │      └──────────────┘       │
       │                             │
       └─────── Internal Network ────┘
Notes
- Public services are currently co-located on VPS infrastructure
- Internal systems are not exposed but still under construction
- Separation exists but is not fully enforced
2. Trust Zones Visualization
             [ Internet ]
                   │
                   ▼
    ┌──────────────────────────────┐
    │ Public Exposure Zone (Heaven)│
    │      (VPS-01 / VPS-02)       │
    └──────────────┬───────────────┘
                   │
                   ▼
    ┌──────────────────────────────┐
    │   Application & Data Zone    │
    │  (Dolibarr / DB - partial)   │
    └──────────────┬───────────────┘
                   │
                   ▼
    ┌──────────────────────────────┐
    │     Internal Core (Hell)     │
    │   (Firewall / Hypervisor)    │
    └──────────────┬───────────────┘
                   │
         ┌─────────┴─────────┐
         ▼                   ▼
 ┌──────────────┐    ┌──────────────┐
 │  Admin Zone  │    │ Security Zone│
 │  (Planned)   │    │  (Planned)   │
 └──────────────┘    └──────────────┘
Notes
- Zones are logically defined
- Enforcement is partial
- Admin and Security zones are not yet fully implemented
3. Critical Flows
3.1 Public Access Flow
User → Internet → VPS → Reverse Proxy → Application
- Main attack surface
- Depends heavily on reverse proxy configuration
- Linked to R-001
3.2 Application → Data Flow
Application (Dolibarr) → MariaDB
- Sensitive data handling
- Limited isolation in current state
- Linked to R-002
3.3 Administrative Access Flow (Current)
Admin Workstation → SSH → VPS / Systems
- Direct access still possible
- No bastion enforced
- Linked to R-003
3.4 Administrative Access Flow (Target)
Admin Workstation → Bastion → Target Systems
- Centralized access control
- Improved traceability
- Not yet implemented
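One way to measure the gap between the current flow (3.3) and the target flow (3.4), as an added example that is not part of the lab's own tooling: scan sshd logs from the target systems and report successful logins whose source is not the bastion. The bastion address, the user name and the log lines are constructed placeholders; only the host names VPS-01 and VPS-02 come from this page.

```python
import ipaddress
import re

# Assumption: the bastion's address; the page does not give one.
# 192.0.2.0/24 is a documentation range (RFC 5737).
BASTION_SOURCES = [ipaddress.ip_network("192.0.2.10/32")]

# OpenSSH success line as written to auth.log (sshd or, since 9.8, sshd-session).
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd(?:-session)?\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\s"
    r"from\s(?P<src>\S+)\sport\s\d+"
)

# Constructed sample lines (not taken from the lab).
SAMPLE_LOG = """\
Mar  3 09:12:01 vps-01 sshd[2211]: Accepted publickey for ops from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:EXAMPLEONLY
Mar  3 09:40:17 vps-02 sshd[1873]: Accepted publickey for ops from 198.51.100.23 port 41810 ssh2: ED25519 SHA256:EXAMPLEONLY
Mar  3 10:02:44 vps-02 sshd[1901]: Failed password for root from 203.0.113.77 port 60222 ssh2
Mar  3 10:05:09 vps-01 sshd[2290]: Accepted password for ops from 2001:db8::5 port 39000 ssh2
"""

def via_bastion(src: str) -> bool:
    """True if the source address belongs to an allowed bastion network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # not an IP literal: cannot be attributed to the bastion
        return False
    return any(addr.version == net.version and addr in net for net in BASTION_SOURCES)

def direct_admin_sessions(log_text: str) -> list[dict]:
    """Return successful SSH logins that did not originate from the bastion."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m is None:  # failed logins and other daemons are out of scope here
            continue
        if not via_bastion(m["src"]):
            findings.append({k: m[k] for k in ("ts", "host", "user", "src", "method")})
    return findings

if __name__ == "__main__":
    for f in direct_admin_sessions(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']}: direct SSH login by {f['user']} from {f['src']} ({f['method']})")
```

Until logs are forwarded centrally (flow 3.5), a check like this has to run against each system's local log.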
3.5 Logging Flow (Planned)
VPS / Systems → Log Forwarding → SIEM (Hell)
- Currently absent or local only
- Critical for detection capability
3.6 Backup Flow (Planned)
Systems → Backup Platform → External Storage
- Currently weak / incomplete
- High priority for resilience
4. Exposure & Risk Hotspots
[ VPS-01 ]
- Co-location (Web + Gitea)
- Reverse proxy dependency
[ VPS-02 ]
- Business data concentration
- Application + DB coupling
[ Admin Access ]
- No bastion
- Direct SSH access
[ Logging ]
- No central visibility
5. Architecture Evolution (Simplified View)
CURRENT STATE
-------------
- Co-located services (VPS)
- Direct admin access
- Local logging
- Partial segmentation
TARGET STATE
------------
- Service separation (multi-instance)
- Bastion-based admin access
- Centralized logging (SIEM)
- Enforced segmentation
Usage
This page is intended to:
- support quick architectural understanding
- visualize risk exposure areas
- assist in discussions (review, interview, audit)
- complement detailed documentation
It is intentionally simplified and visual, and should remain aligned with the actual state of the lab.