Networks as Nodes
RunnerPaul
QUOTE (Lord Ben)
A "node" isn't a complete network within a company.

This was said in another thread, but the post was a few days old, and I think the topic can stand by its own.

Node—Any device or network that can be accessed. SR4, p.216

So, by the book, networks can be treated as single nodes. How do you know when to treat a network as a single node, and not a collection of device nodes that are linked together? How do you determine the matrix attributes of a network, especially when it consists of devices of differing ratings?

The core book doesn't say, but I'm hoping it'd be covered in Unwired.

Until then, the house rules that I use are:
  • If a device communicates with the rest of the network via wireless, it counts as a separate node.
  • If a single account would grant you access to all the devices that are wired together into a network, then the network can be set up to be treated as a single networked node.
  • A device may only be part of one networked node at a time.
  • Devices may be added to or removed from a networked node at any time.
  • The Signal attribute remains treated as per-device.
  • The Firewall attribute of the networked node is equal to the highest Firewall attribute of the devices on the network when the network node is booted up, as long as one device of that Firewall rating or higher remains active on the network. Adding a device with a higher Firewall onto the network will not increase the Firewall rating of the networked node until the networked node is rebooted. If there are no devices on the network that are of the networked node's Firewall rating or higher, the Firewall drops to the Firewall rating of the highest remaining device.
  • The Response attribute of the node is equal to whatever Response rating the majority of the devices have. In the case of ties, the higher Response rating wins.
  • The System attribute of the node is also equal to the majority of the devices, however, for the purposes of determining the maximum number of programs running, the sum of all the System ratings of the devices on the network is the maximum.
  • Active subscriptions are still handled per device, using the device's own system rating, and connections to other devices on the network do count against this list.
  • Rebooting a networked node does not cause individual devices to reboot, but it will cause them to perform as individual nodes until the network is rebooted. The networked node may change subscription lists on individual devices as part of the rebooting process, locking certain devices off of the network until the networked node has fully rebooted. Rebooting a networked node requires admin level access.
  • The Crash OS action will only crash a single device on the network. However, this may cause the Matrix attributes of the networked node to fluctuate, or may fragment the network node into smaller nodes if the device crashed is the sole connection between different parts of the network.
Serbitar
I define a node by access rights. A node, or cluster of nodes or node network is treated as one node as long as you can change between them without having to confirm your access rights = you do not have to hack into each one but can walk around with hacking in only once.

But that's a good point. I'll note that down for my SGM.
RunnerPaul
QUOTE (Serbitar)
I define a node by access rights. A node, or cluster of nodes or node network is treated as one node as long as you can change between them without having to confirm your access rights = you do not have to hack into each one but can walk around with hacking in only once.

Access rights was pretty much my starting point as well: I defined the boundaries of nodes by asking "Where do you get asked for a password?"

How do you handle devices that share access rights but differ in Matrix attributes? The system that I described above took a little while to hammer out, but so far, it's been fairly handy in modeling company sized networks, as well as smaller networks pieced together by hacker PCs who wanted to get around the limits of the number of programs that can be run before you start lowering Response.
Serbitar
Hm, for simplicity I would give those clusters "effective" ratings, not use the response degradation and treat them like 1 node in every other respect (maybe heighten the threshold for crashing and such a little).

Clusters would be the norm and should not be made too difficult to handle.
RunnerPaul
QUOTE (Serbitar)
Hm, for simplicity I would give those clusters "effective" ratings, not use the response degradation and treat them like 1 node in every other respect (maybe heighten the threshold for crashing and such a little).

In the end, that's much the same thing I'm doing, it's just that I've got specific rules of thumb for determining what my effective ratings are, and my networked nodes eventually do start dropping Response, but only when you've maxed out the system of every device on the network.



knasser

I broadly agree but I'd take issue with "active subscriptions are still handled per device." I'd use the model listed in SR4 for drones where a hacker / rigger can subscribe a lot of them as one device. It just means that orders have to be given en masse. I think the same would apply to, for example, all the workstations in a lab (1 node). With modern search routines and management tools, I don't see why the hacker couldn't treat them all as one device for most purposes. Or maybe I misread your meaning.

I'd definitely discount the wireless link meaning a separate node. I would imagine that barring some uber secure systems, every terminal in every building in the world is now linked to its network wirelessly.

But yes, access rights is probably the gold standard for defining a "node". Good work and worth bringing to people's attention.
RunnerPaul
QUOTE (knasser)
I broadly agree but I'd take issue with "active subscriptions are still handled per device."
QUOTE
Or maybe I misread your meaning.
I was referring to the rule listed under the description of the System attribute that reads "System serves as the limiter for ... the number of subscriptions allowed (System x 2, see Linking and Subscribing, p.212).".

Essentially, what I'm getting at is that any individual device has a limit on the number of other devices it can actively connect to, and just because that device is part of a networked node, it still uses its own system rating, and not the network node's collective system rating to determine that limit.


QUOTE
I'd definitely discount the wireless link meaning a separate node.
That's the most recent addition to my house rules for network nodes, something that I've added due to the fact that the recently issued FAQ emphasized that wireless links, even those that have been slaved for exclusive access to a specific node, have no protection in the basic rules against hacking or spoofing.

I'm on the fence on this one; if after a few sessions, treating wireless devices as separate nodes turns out to be more of a headache than it's worth, I'll probably house-rule in some kind of defense against spoofing for wireless links, but only if they're operating at Signal:0 ranges.
knasser
QUOTE (RunnerPaul @ Dec 13 2006, 01:22 PM)
QUOTE (knasser)
I broadly agree but I'd take issue with "active subscriptions are still handled per device."
QUOTE
Or maybe I misread your meaning.
I was referring to the rule listed under the description of the System attribute that reads "System serves as the limiter for ... the number of subscriptions allowed (System x 2, see Linking and Subscribing, p.212).".

Essentially, what I'm getting at is that any individual device has a limit on the number of other devices it can actively connect to, and just because that device is part of a networked node, it still uses its own system rating, and not the network node's collective system rating to determine that limit.




Okay. In that case, I do disagree with this part of your rules in this particular part of them. It's probably good to go with a specific example for clarity.

Say we have a room or group of rooms that consist of terminals for the wageslaves to sit at. We're treating these as a single node. I think you're absolutely right on that. But what I think you are saying is that Hacker A, who has a maximum active connection list of 5, can only be manipulating 5 of them at any time. Less if he's subscribed to other nodes elsewhere. I can't think of instances where this would be so, however. Example - he wants to shut down all the terminals. I think he would be able to send the shutdown command to the lot of them, essentially saying shut down to the entire node. I think he would be able to pull data off all of them by essentially running his browse tool on the node itself. Basically I think the VR environment and the software he uses provides the tools to interact with a node as one unit. Now I might put limits on him if he wants to hold a txt conversation with every user that is sat at one of these terminals, but that's more a limit on his brainpower than on the software. I take as my model the drones as node example in SR4, where a hacker can issue a single command to as many drones at once as he likes, so long as they're all subscribed as one unit. It's limited in flexibility, but I don't think the commlink would be unable to handle it.

On a unix network, I can batch issue commands to all the clients if I wish (including shutdown commands). They just need to have the same access rights (be part of the same node).

QUOTE (RunnerPaul)
QUOTE
I'd definitely discount the wireless link meaning a separate node.
That's the most recent addition to my house rules for network nodes, something that I've added due to the fact that the recently issued FAQ emphasized that wireless links, even those that have been slaved for exclusive access to a specific node, have no protection in the basic rules against hacking or spoofing.

I'm on the fence on this one; if after a few sessions, treating wireless devices as separate nodes turns out to be more of a headache than it's worth, I'll probably house-rule in some kind of defense against spoofing for wireless links, but only if they're operating at Signal:0 ranges.


I see what you're saying. Going back to our terminals example, if you allow this then the hacker essentially has a back door into system X, whereas you might for game purposes prefer him to have to go through nodes X and Y before he can get to them. If that's where you're coming from then the rule makes sense. I think I would personally be content with having them all in hidden mode and the fact that the low signal rating would mean that the hacker would have to be there on site to do this. But then I'm not completely averse to letting a hacker sit at home while participating in the run and this sort of stuff presents them with a tactical choice - go in with the team and take advantage of the wireless link between terminals or sit at home and battle your way through the system. I think there are plenty of ways you can block this without separating out wireless links as separate nodes. E.g. have the terminals wired, have an agent scan for anyone logging on through the wireless link, more active IC, etc.

Basically, I'm just okay with the hacker spoofing that wireless link, I guess, so a difference of opinion.
RunnerPaul
QUOTE (knasser @ Dec 13 2006, 08:52 AM)
Okay. In that case, I do disagree with this part of your rules in this particular part of them. It's probably good to go with a specific example for clarity.

Say we have a room or group of rooms that consist of terminals for the wageslaves to sit at. We're treating these as a single node. I think you're absolutely right on that. But what I think you are saying is that Hacker A, who has a maximum active connection list of 5, can only be manipulating 5 of them at any time.
Ah, I see where the confusion is. We actually are on the same page, I just haven't been explaining myself too well, it would seem.

The hacker's System:5 commlink's subscription limit of 5 isn't a problem here, because that bank of terminals isn't treated as separate devices for another node that connects to the networked node from the outside -- it's one node. From the point of view of Hacker A, it's just one connection on her commlink. While connected to that node, she can manipulate any combination of devices that make up that networked node, or browse any data available on any one of those devices, as her access rights allow.

However, when Network Engineer B first laid out the network, there were some limitations in how the devices could be connected together. The terminals are System:2, and per the linking and subscribing rules, a system 2 device can have 4 active connections. Since each terminal must leave one of those connections open to the outside world, that meant each single terminal could only be connected to 3 other devices. When Network Engineer B put together the network, he connected each terminal to two of its neighbors, arranging them in rings, using the 3rd connection on each to connect each machine on the ring to a central hub with Firewall:6 and System:6 ratings. Each central hub supports 10 terminals, and is connected to two other hubs. Hacker A cares little for how Network Engineer B laid the network out, as it's all one node to her, but occasionally, depending on how the network was laid out, there will be a single device, that if crashed, will isolate entire chunks of the network from each other, a useful trick, even though it's sure to trigger an alert.

QUOTE
Example - he wants to shut down all the terminals. I think he would be able to send the shutdown command to the lot of them, essentially saying shut down to the entire node.
The way I treat a shutdown/reboot for a networked node is that the network itself is being taken down, but the devices themselves remain active. I probably should allow for mass-shutdown of the devices themselves, but when I do, that'll be an admin-level function. I'm going to keep it where deliberate crash attempts can either crash network functionality, or crash an individual device, but can not crash all devices at once.


QUOTE
QUOTE (RunnerPaul)
That's the most recent addition to my house rules for network nodes, something that I've added due to the fact that the recently issued FAQ emphasized that wireless links, even those that have been slaved for exclusive access to a specific node, have no protection in the basic rules against hacking or spoofing.

I'm on the fence on this one; if after a few sessions, treating wireless devices as separate nodes turns out to be more of a headache than it's worth, I'll probably house-rule in some kind of defense against spoofing for wireless links, but only if they're operating at Signal:0 ranges.


I see what you're saying. Going back to our terminals example, if you allow this then the hacker essentially has a back door into system X, whereas you might for game purposes prefer him to have to go through nodes X and Y before he can get to them. If that's where you're coming from then the rule makes sense.
Actually what I'm saying is that if Hacker A knows that Wageslave D uses corporate-issued commlink C to wirelessly connect to corporate network E (which is really just a collection of devices O-Z), and also knows that there's a command F that corporate network E can issue to commlink C that'll tell it to transmit a logfile of the last 50 people Wageslave D messaged from commlink C, Hacker A (who is hiding in the ceiling tiles), can spoof command F to commlink C and only have to worry about the System+Firewall rating of commlink C detecting that it was a spoof, and not the stronger System+Firewall rating of corporate network E (which commlink C certainly would be included as a part of, if wireless connected devices were allowed to be integral parts of networked nodes).

(I think I'm out of letters. I'm going to have to start using other alphabets.)
Lord Ben
The way I assume is that they say the matrix is the big overlapping network of nodes, etc that allows a person walking around to be "online".

If you're directly interacting with that (able to receive emails) then you'd be part of that big node. Anything that exists outside of it or behind your own firewall (private conversations between two friends over their PAN) would be separate.

So if you're in a corporate facility that's not in the matrix you'd treat that as a separate node. They'll have identical user accounts for many of their devices (for example 5 cameras) and those would be a network.

I work in IT at a large company (25,000+) and I have a book with maybe 100+ passwords for all of our several hundred servers. Since no one account can look at and change info on all the servers in our large company I figure that's how SR4 would work. Drawing parallels from my own company they're generally divided over what jobs they perform. IE, 5 servers will be linked together that run the showrooms. Another "network" would be the distribution center where items are shipped. Those two systems however never directly interact with each other. A 3rd system pulls information from a database in the first example and moves it to the 2nd example. At my company although they work together of sorts no one password has access to both systems. And the 3rd password can only do one thing and that's move a certain file.

In VR terms that'd be two rooms connected by a hallway. The hallway would have IC monitoring all the traffic that passes through. All 3 would require separate hacking attempts even though in reality it's about 20 different servers not to mention routers, firewalls, hubs, PC's, POS's, etc. In SR each of those could be considered a node, but it's easier to treat it as one.
Dumpshock Forums © 2001-2012