A little confused on habitat mesh systems from panopticon

Azathoth
A little confused on habitat mesh systems from panopticon
Ok, so I'm really happy to get a lot more in-depth detail on the mesh topology in an average habitat, but maybe I'm missing something: How do you access the regular ol' mesh for research or messaging people and places outside of the habitat? Now, it seems you'd have to access the habitat's mesh system in some capacity because you'd need your message routed through the long-range communications system, right? But if the system is set up as a VPN, how do you go about doing that unless everyone in the habitat is in the VPN? Or is there another level to the system that routes your traffic without technically granting you access? Thanks for any help!
nezumi.hebereke
Re: A little confused on habitat mesh systems from panopticon
I assume the habitat mesh operates like a normal sub-network. For instance, at home, you likely have a router. All of the computers attach to the router, and form a private network, which is protected by that router. When you connect out, your connections are NATed, which provides some basic protection, but not encrypted unless you specifically opt for that. The habitat MAY have a segregated trunk to access the main mesh, which would act similar to the VPN, but there's nothing especially notable about that. Whether you have access to the mesh and not other habitat systems depends on the hab setup, just like most networks. You do need SOME access to the network to connect to the mesh, even if it's just through a limited, segregated system. And rarely will you be given full access to everything on the network. In some places you can access the hab's network riding on a guest account, and sometimes you need authentication.
Azathoth
Re: A little confused on habitat mesh systems from panopticon
That sounds pretty good, thanks! So would you be able to hack into the VPN if you have regular mesh access within the hab, assuming it's not a separate trunk?
Xagroth
Re: A little confused on habitat mesh systems from panopticon
Azathoth wrote:
That sounds pretty good, thanks! So would you be able to hack into the VPN if you have regular mesh access within the hab, assuming it's not a separate trunk?
Possibly, but I would bet you need to know which frequency that one is working on, so the easiest way is, as always, to find a cable and use it. Gray Boxes are also your friend ^^
The Doctor
Re: A little confused on habitat mesh systems from panopticon
nezumi.hebereke wrote:
I assume the habitat mesh operates like a normal sub-network. For instance, at home, you likely have a router. All of the computers attach to the router, and form a private network, which is protected by that router. When you connect out, your connections are NATed, which provides some basic protection, but not encrypted unless you specifically opt for that. The habitat MAY have a segregated trunk to access the main mesh, which would act similar to the VPN, but there's nothing especially notable about that. Whether you have access to the mesh and not other habitat systems depends on the hab setup, just like most networks. You do need SOME access to the network to connect to the mesh, even if it's just through a limited, segregated system. And rarely will you be given full access to everything on the network. In some places you can access the hab's network riding on a guest account, and sometimes you need authentication.
What you describe actually would not be a mesh network, it would still have a couple of points of failure. Namely, the routers and firewall module. A true mesh would have nodes relaying traffic for all associated devices configured for a particular set of transmission parameters. Note that passing traffic for a node is not the same as being able to access any services running on a node, the distinction is important. I think it more likely that habitat control systems would be set up so that their radios/optical links would be tuned to non-public parameters (frequencies of transmission, bit encoding, go/no go protocols, broadcast cell IDs, things like that, even encryption parameters) so that a) they would not conflict with publicly available resources, and b) your average everyday transhuman would not accidentally access them through their mesh inserts. It would seem reasonable that only personnel with a need-to-know would be given the requisite configuration parameters so that they could interface to the C&C mesh without setting off any alarms. It might also be that the access nodes for habitat C&C systems would be physically distant (taking advantage of the limits of signal propagation in an enclosed area) so that intruders would have to be physically present to access those systems. It is, however, entirely possible that the two meshes could be bridged by a VPN gateway, which would simplify configuration for the user somewhat. Doing so might also make it difficult for an intruder because they would have to find a logical path through systems on the mesh (public layer, public fabricators, PA, security personnel, waste management and disposal, et cetera) just to find the habitat C&C nodes because it is unlikely (and in fact would be operationally a bad idea due to efficiency and crosstalk problems) that mesh radios would be operating at high broadcast power for maximum distance.
Authorized personnel (more likely, their muses would do it for them) would be given authorization to access certain mesh systems along with unique identities (in the infosec sense) and authentication credentials to tunnel through some of the habitat's systems to them. Each logical system would present another security chokepoint to further ensure that intruders could not easily gain access to critical systems. Of course, if the cracker walks down to the engineering level and touches the wall right over the mesh node's transceiver, some of the bets are off.
Re-Laborat
Re: A little confused on habitat mesh systems from panopticon
The Doctor wrote:
Of course, if the cracker walks down to the engineering level and touches the wall right over the mesh node's transceiver, some of the bets are off.
Some oldschool rules never change. Airgap is the ultimate security (with wireless turned off, too). If they can access the server physically, they can access the server's data.
The Doctor
Re: A little confused on habitat mesh systems from panopticon
Re-Laborat wrote:
If they can access the server physically, they can access the server's data.
It is an axiom of information security that physical access trumps all security measures (sometimes, given sufficient time).
Re-Laborat
Re: A little confused on habitat mesh systems from panopticon
...That's exactly what I said. Except I used the phrase "Oldschool rule" rather than "Axiom of Security." Would you like your rep-point entered as corporate or research? The Autonomists disavow you. Please fill out the appropriate form at the Department of Redundancy Department.
nezumi.hebereke
Re: A little confused on habitat mesh systems from panopticon
The Doctor wrote:
What you describe actually would not be a mesh network,
I would not assume that everything everywhere will be meshed, due to security and functionality concerns. I don't think that's an issue though, is it?
Azathoth wrote:
That sounds pretty good, thanks! So would you be able to hack into the VPN if you have regular mesh access within the hab, assuming it's not a separate trunk?
Hacking into the ship's public mesh shouldn't be hard. There will be a bazillion connections coming out. Get one of them to connect to your compromised hosts and you're basically in. Connecting to critical systems will be tougher. Critical systems should be separated by firewalls or air-gapped. Crossing those depends on either cracking the firewall, or on finding something connected both to the public mesh and the segregated system, and connecting through that.
The Doctor
Re: A little confused on habitat mesh systems from panopticon
Re-Laborat wrote:
...That's exactly what I said. Except I used the phrase "Oldschool rule" rather than "Axiom of Security."
I was trying to agree with you, only it seems that a general lack of sleep has once again corrupted my forebrain. Please accept my apologies.
Re-Laborat wrote:
Would you like your rep-point entered as corporate or research? The Autonomists disavow you.
Research, please? I am still on fairly good terms with the Autonomists. I did not think it was possible to get jet lag by egocasting back from Extropia...
Re-Laborat wrote:
Please fill out the appropriate form at the Department of Redundancy Department.
Already signed, counter-signed, triply-signed, copied, acknowledged, and all extant copies dropped back into the fabber for recycling. Oh, the leopard put a pawprint on all of the copies, too.
The Doctor
Re: A little confused on habitat mesh systems from panopticon
nezumi.hebereke wrote:
I would not assume that everything everywhere will be meshed, due to security and functionality concerns. I don't think that's an issue though, is it?
For the sake of designing a scenario for players, it might be. It might be interesting to get the players used to the ins and outs of EP, and then during an operation throw an old-school netrun, à la Cyberspace or Shadowrun at them, in which the network topology can either be used against or strategically by the players. Perhaps a habitat (especially an older one) never migrated the sensitive areas of its information infrastructure to a mesh architecture and kept the older hardwired network with a chained star architecture in place, with dedicated firewalls and chokepoints to deter intruders even though the hardware itself has been (mostly, partially, not) upgraded to standard EP gear.
nezumi.hebereke wrote:
Connecting to critical systems will be tougher. Critical systems should be separated by firewalls or air-gapped. Crossing those depends on either cracking the firewall, or on finding something connected both to the public mesh and the segregated system, and connecting through that.
Or perhaps ganking one of the IT or maintenance personnel, sleeving into their morph, and installing your own cross-link to use later...
Quincey Forder
Re: A little confused on habitat mesh systems from panopticon
My crew is used to the Net as shown in the Game-That-Must-Not-Be-Named (or Cyberpunk 3.0 for those who believe that the fear of the name fuels the fear of the game itself), based on some specific location and augmented reality with possible feedback in the physical world. That could be really interesting counter-measures, if an Infosec specialized informorph or AGI jams into a swarmoid or flexbot and physically assaults the hacker where he is. That's another way to involve the rest of the characters in a hacking action.

Dedger: "Okay guys, I think I cracked through. Now, let's check those private spimes..."
Twerp sees the desk behind Dedger fall apart and reform as a flexbot.
Twerp: "I wouldn't be so sure about the 'got through' part!"

Content-wise, I go with the WYSIWYG (what you see is what you Geth): the more people there are in a habitat, either physical or informorph, the richer, smarter and more proficient the Mesh is. And every time someone is farcast in or out, or a ship (courier, barge, liner, etc.) docks, the Mesh spreads and transmits to other Mesh Islands.

Then there are the feeds. Besides the real-life modern-day applications like Youtube, Rutube, Dailymotion, etc., I recommend reading Leviathan Wakes, in which the Feeds have a great role.