Network Security

Overview

The network architecture of PenLocal-AI is designed with strict isolation principles to ensure that compromised components (specifically the Kali Linux executor) cannot pivot to attack the hosting infrastructure or internal core services.

Network Segmentation

| Network | Subnet | Isolation Level | Purpose |
|---|---|---|---|
| public-services | Dynamic | Low | Exposed services via Nginx proxies (HTTPS). |
| internal-services | 10.150.0.0/16 | High | Backend services (Postgres, Qdrant, Vault). Authenticated access only. |
| kali-network | 10.151.0.0/16 | Isolated | Sandbox for Kali Linux containers. Internet access allowed, but LAN blocked. |

Defense in Depth Diagrams

graph TB
    subgraph Host["Host Machine (127.0.0.1)"]
        Browser
    end

    subgraph PublicNet["public-services (Dynamic)"]
        n8nProxy["n8n-proxy"]
        OllamaProxy["ollama-proxy"]
        VulnApp["vulnerable-app"]
        PentestWeb["pentest-webapp"]
    end

    subgraph InternalNet["internal-services (10.150.0.0/16)"]
        Postgres
        Qdrant
        Minio
        Vault["credential-vault"]
        n8nInt["n8n (eth0: 10.150.0.250)"]
    end

    subgraph KaliNet["kali-network (10.151.0.0/16)"]
        Kali["kali"]
        n8nKali["n8n (eth1)"]
    end

    %% Routing & Access
    Browser -->|"HTTPS (443)"| n8nProxy

    n8nProxy --> n8nInt
    OllamaProxy --> Ollama["Ollama (CPU/GPU)"]

    %% n8n Dual Homing
    n8nInt --- n8nKali

    %% SSH Access
    n8nKali -->|"SSH (22)"| Kali

    %% Isolation Enforcement
    Kali -.->|"BLOCKED (Not Listening)"| n8nKali
    Kali -.->|"BLOCKED (FW/Binding)"| Host
    Kali -->|"Internet Access"| Internet((Internet))

Security Controls

1. Host Port Binding Isolation

All published ports (443 HTTPS, 8000 Webapp, 11434 Ollama) are explicitly bound to 127.0.0.1.

  • Effect: Services are listening only on the host loopback adapter.
  • Prevention: Attackers inside a container (like Kali) cannot reach these services by targeting the host's Docker Gateway IP (e.g. 172.17.0.1 or 10.151.0.1), as the services are not bound to that interface.

2. Dual-Homed Controller (n8n)

The n8n workflow engine sits on both networks but carefully separates traffic:

  • Internal Interface: Listens on 10.150.0.250. Serves the web UI and API.
  • Kali Interface: Used outbound only to initiate SSH connections to Kali agents.
  • Configuration: N8N_LISTEN_ADDRESS is set to the internal IP, ensuring the service port 5678 is not accessible from the kali-network.

3. Subnet Segregation

  • Internal Services: postgres, qdrant, and vault reside only on internal-services.
  • Kali: Resides only on kali-network.
  • Result: There is no routed path at the Docker network layer between Kali and the database/credentials.

4. DNS Isolation

  • Host Protection: The magic hostname host.docker.internal (used by Docker Desktop to access the host) is explicitly mapped to 127.0.0.1 inside the Kali container.
  • Effect: Prevents agents/tools inside Kali from easily accessing host services using the default Docker Desktop convenience hostname.
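
One way to check controls 1, 3 and 4 against a Compose-style service map, as an added example (not PenLocal-AI's own code). The dict layout (long-form `ports` entries with `host_ip`, plus `networks` and `extra_hosts`) and the sample services are assumptions constructed for illustration.

```python
# Added example: audit a Compose-style service map against controls 1, 3 and 4.
LOOPBACK = "127.0.0.1"
INTERNAL_ONLY = {"postgres", "qdrant", "vault"}  # control 3: internal-services only
SANDBOX = "kali"                                 # control 3: kali-network only

def extra_hosts_map(svc):
    """Normalise extra_hosts (dict, or list of 'name:ip' / 'name=ip') to a dict."""
    raw = svc.get("extra_hosts") or {}
    if isinstance(raw, dict):
        return dict(raw)
    return dict(e.replace("=", ":", 1).split(":", 1) for e in raw)

def audit(services):
    """Return a sorted list of findings; an empty list means every check passed."""
    findings = []
    for name, svc in services.items():
        nets = set(svc.get("networks") or [])  # works for list and mapping forms
        # Control 1: a published port without host_ip 127.0.0.1 listens on all
        # host interfaces, including the Docker gateway address.
        for port in svc.get("ports") or []:
            if port.get("host_ip") != LOOPBACK:
                findings.append(f"{name}: port {port.get('published')} not bound to {LOOPBACK}")
        # Control 3: backend services and the sandbox must never share a network.
        if name in INTERNAL_ONLY and nets != {"internal-services"}:
            findings.append(f"{name}: expected only internal-services, got {sorted(nets)}")
        if name == SANDBOX:
            if nets != {"kali-network"}:
                findings.append(f"{name}: expected only kali-network, got {sorted(nets)}")
            # Control 4: host.docker.internal must resolve to loopback inside Kali.
            if extra_hosts_map(svc).get("host.docker.internal") != LOOPBACK:
                findings.append(f"{name}: host.docker.internal not mapped to {LOOPBACK}")
    return sorted(findings)

SAMPLE = {  # constructed input: one compliant layout, one with three mistakes
    "good": {
        "n8n-proxy": {"ports": [{"host_ip": "127.0.0.1", "published": "443"}]},
        "postgres": {"networks": {"internal-services": None}},
        "kali": {"networks": ["kali-network"],
                 "extra_hosts": ["host.docker.internal:127.0.0.1"]},
    },
    "bad": {
        "ollama-proxy": {"ports": [{"published": "11434"}]},
        "vault": {"networks": ["internal-services", "kali-network"]},
        "kali": {"networks": ["kali-network"]},
    },
}

if __name__ == "__main__":
    for label, services in SAMPLE.items():
        print(label, audit(services) or "OK")
```
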