
Secure IoT network infrastructure with VLAN segmentation and DMZ. Features Dockerized services (MQTT, Grafana, InfluxDB, LDAP) with mTLS, SSH keys, and firewall rules for robust security and real-time monitoring.


Joshua31400/Infrastructure-IOT


🏭 Secure Industrial IoT Infrastructure


A fully containerized, network-segmented IoT environment enforcing Zero Trust principles with mTLS, OpenVPN, and strictly managed firewall rules.


🚀 Getting Started

Prerequisites

  • Docker Desktop (Windows/Linux/Mac)
  • PowerShell (for the deployment script)
  • OpenSSL (the deployment script includes a download link and a short tutorial)

Installation Steps

  1. Clone the Repository

    git clone https://github.com/Joshua31400/Infrastructure-IOT.git
    cd Infrastructure-IOT
  2. Deploy the Infrastructure

    Run the automated script to generate certificates, build images, and start containers:

    .\deploy.ps1

📖 Project Overview

This project simulates a robust Industrial Internet of Things (IIoT) infrastructure using Docker. It demonstrates advanced network security concepts by isolating services into distinct VLANs and enforcing strict traffic control via a central software firewall.

The architecture is designed to mimic a real-world factory environment where operational technology (OT, here the IoT sensors) is strictly separated from information technology (IT: the Office and Admin networks).


🏗️ Network Architecture & Zones

Network Diagram

The infrastructure is divided into 5 isolated zones, routed and filtered by a central Alpine Linux Firewall using iptables.

🔴 Zone A - IoT (Sensors)

  • Subnet: 192.168.10.0/24
  • Role: Simulates industrial sensors (Temperature, Power, Vibration).
  • Security:
    • Devices are isolated in a dedicated VLAN.
    • Communication to the Broker is secured via MQTT over TLS (MQTTS) on port 8883.
    • Mutual Authentication (mTLS): Each sensor possesses a unique client certificate signed by the internal CA.
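What "a unique client certificate signed by the internal CA" means in practice, and what deploy.ps1 automates, is shown below as an added example (not the project's own script): an internal CA, one client certificate per sensor restricted to clientAuth, a verification check equivalent to the one the broker performs on each handshake, and the Mosquitto listener settings that make the certificate mandatory. The output directory, subject names, lifetimes and the broker's certificate paths are assumptions.

```shell
#!/bin/sh
# Added example (not the project's deploy.ps1): build the internal CA, issue a
# per-sensor client certificate and write the Mosquitto listener config that
# enforces mTLS on 8883. Paths, CN values and lifetimes are assumptions.
set -eu

# Self-signed internal CA. `req -x509` applies the default CA extensions, so the
# certificate is marked CA:TRUE and can be used as the trust anchor.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=IIoT Lab/CN=IIoT Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# One client certificate per sensor. extendedKeyUsage=clientAuth stops a leaked
# sensor cert from being reused as a server certificate, and CA:FALSE stops it
# from signing further certificates. The CN becomes the MQTT identity.
make_sensor_cert() {
    dir="$1"; name="$2"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=IIoT Lab/OU=sensors/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 90 -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# Returns 0 only if the certificate chains to the given CA. A cert issued by any
# other CA, or self-signed by the sensor, fails here exactly as it would fail
# the broker's TLS handshake.
verify_sensor_cert() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Mosquitto listener: TLS only, client certificate mandatory, identity taken
# from the certificate CN so ACLs can be written per sensor.
write_broker_conf() {
    cat > "$1" <<'EOF'
listener 8883
cafile /mosquitto/certs/ca.crt
certfile /mosquitto/certs/broker.crt
keyfile /mosquitto/certs/broker.key
require_certificate true
use_identity_as_username true
allow_anonymous false
tls_version tlsv1.2
EOF
}

main() {
    pki="${1:-./pki}"
    make_ca "$pki"
    for s in sensor-temp-01 sensor-power-01 sensor-vib-01; do
        make_sensor_cert "$pki" "$s"
        verify_sensor_cert "$pki" "$pki/$s.crt" && echo "issued $s"
    done
    write_broker_conf "$pki/mosquitto.conf"
}

# usage: sh make_pki.sh run ./pki
if [ "${1:-}" = "run" ]; then main "${2:-./pki}"; fi
```

The broker's own certificate (broker.crt/broker.key, not generated here) is issued by the same CA with serverAuth instead of clientAuth; sensors pin ca.crt and therefore also authenticate the broker, which is the second half of "mutual". Revoking a sensor means either removing its CN from the broker ACL or publishing a CRL via Mosquitto's crlfile option.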

🔵 Zone B - Admin (Management)

  • Subnet: 192.168.20.0/24
  • Role: Secure management network for system administrators.
  • Access:
    • OpenVPN: Entry point for administrators ensuring encrypted tunnels.
    • SSH (Port 22): Direct access to DMZ servers using public-key authentication only (password login disabled).
    • Full access to internal management interfaces (LDAPS, InfluxDB Logs).

🟢 Zone C - Office (Visualization)

  • Subnet: 192.168.30.0/24
  • Role: Standard user workstations for data monitoring.
  • Access:
    • Restricted access to the Grafana Dashboard only.
    • Port Forwarding: The Firewall DNATs HTTPS traffic (Port 443) from the Office network to the internal Grafana instance (Port 3000) in the DMZ. A DNAT rule only rewrites the destination address and port; it does not terminate or add TLS, so Grafana itself must be configured to serve HTTPS on port 3000 or the Office-to-DMZ leg is plaintext.
    • No direct access to the backend infrastructure or IoT devices.

🟣 Zone D - DMZ (Critical Services)

  • Subnet: 10.0.0.0/24
  • Role: Hosts the core backend services, isolated from direct external access.
  • Services:
    • Mosquitto Broker: Central hub for MQTT messages (TLS/mTLS enforced).
    • OpenLDAP: Centralized identity management for Grafana users.
    • InfluxDB: Stores network logs (Syslogs) sent by the firewall for audit purposes.
    • Grafana: Visualizes real-time data from the MQTT Broker.

⚫ Zone Z - Firewall (Router)

  • The Core: An Alpine Linux container acting as the central gateway for all 4 networks.
  • Traffic Policy: Default DROP policy (Whitelisting approach).
  • Functions:
    • Routing: Inter-VLAN routing based on strict iptables rules.
    • NAT/Masquerading: Manages outbound traffic to the WAN.
    • Logging: Captures accepted/rejected packets and forwards them to InfluxDB via Syslog (TCP 514).
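The zone policy above, written out as an added example in iptables-restore format (this is not the project's own firewall script). Subnets and ports are the ones listed in this README; the interface names (eth_iot, eth_admin, eth_office, eth_dmz, eth_wan, tun0), the DMZ host addresses (10.0.0.x), the firewall's Office-side address and the OpenVPN client pool are assumptions for illustration. It also shows the Office-to-Grafana DNAT from Zone C and the Admin-to-DMZ management flows from Zone B.

```shell
#!/bin/sh
# Added example, not the project's own firewall script: the central Alpine
# firewall's ruleset in iptables-restore format. Interface names, DMZ host
# addresses, FW_OFFICE_IP and the VPN pool are assumptions.
set -eu

IOT=192.168.10.0/24      # Zone A - sensors
ADMIN=192.168.20.0/24    # Zone B - management
OFFICE=192.168.30.0/24   # Zone C - workstations
DMZ=10.0.0.0/24          # Zone D - services
VPN=10.8.0.0/24          # OpenVPN client pool (assumed)
FW_OFFICE_IP=192.168.30.1
BROKER=10.0.0.10; GRAFANA=10.0.0.20

# Print the complete ruleset. INPUT and FORWARD default to DROP; every permitted
# flow goes through LOG_ACCEPT and the final catch-all through LOG_DROP, so the
# kernel log records both outcomes for the syslog forwarder to ship to InfluxDB.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Office users browse https://$FW_OFFICE_IP; the firewall redirects to Grafana:3000
-A PREROUTING -i eth_office -s $OFFICE -d $FW_OFFICE_IP -p tcp --dport 443 -j DNAT --to-destination $GRAFANA:3000
# Only WAN-bound traffic is masqueraded; inter-zone traffic keeps its real source IP for auditing
-A POSTROUTING -o eth_wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_ACCEPT - [0:0]
:LOG_DROP - [0:0]
-A LOG_ACCEPT -m limit --limit 30/min -j LOG --log-prefix "FW-ACCEPT: " --log-level 6
-A LOG_ACCEPT -j ACCEPT
-A LOG_DROP -m limit --limit 30/min -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOG_DROP -j DROP
# Traffic to the firewall itself: loopback, replies, OpenVPN from the WAN, SSH from Admin only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth_wan -p udp --dport 1194 -j LOG_ACCEPT
-A INPUT -i eth_admin -s $ADMIN -p tcp --dport 22 -j LOG_ACCEPT
-A INPUT -j LOG_DROP
# Routed traffic: replies first, then one rule per permitted flow (whitelist)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Zone A -> broker only, and only MQTTS (the client certificate is checked by the broker, not here)
-A FORWARD -i eth_iot -s $IOT -d $BROKER -p tcp --dport 8883 -j LOG_ACCEPT
# Zone C -> Grafana only (destination already rewritten by the DNAT rule above)
-A FORWARD -i eth_office -s $OFFICE -d $GRAFANA -p tcp --dport 3000 -j LOG_ACCEPT
# Zone B and VPN clients -> DMZ management interfaces: SSH, LDAPS, Grafana, InfluxDB
-A FORWARD -i eth_admin -s $ADMIN -d $DMZ -p tcp -m multiport --dports 22,636,3000,8086 -j LOG_ACCEPT
-A FORWARD -i tun0 -s $VPN -d $DMZ -p tcp -m multiport --dports 22,636,3000,8086 -j LOG_ACCEPT
# Everything else (IoT <-> Office, Office -> IoT, IoT -> Admin, ...) is logged and dropped
-A FORWARD -j LOG_DROP
COMMIT
EOF
}

# Quick audit helper: every rule that grants something to a given source subnet,
# e.g.  rules_for_source 192.168.30.0/24
rules_for_source() {
    gen_ruleset | grep -F -- "-s $1 "
}

# Atomic load; needs CAP_NET_ADMIN inside the firewall container.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
}

# usage: sh firewall.sh show | sh firewall.sh apply
case "${1:-}" in
    show)  gen_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Two points the rule order relies on: the DNAT happens in PREROUTING before the FORWARD chain sees the packet, so the Office rule must match the rewritten destination (Grafana:3000, not the firewall's 443); and the LOG target only writes to the kernel log, so it is the firewall's syslog daemon, permitted by the default-ACCEPT OUTPUT chain, that forwards the FW-ACCEPT/FW-DROP lines to InfluxDB on TCP 514. Services in the same DMZ subnet (Grafana to LDAP, Grafana to the broker) talk to each other directly and never cross this firewall, so no FORWARD rule is needed for them.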

💻 Usage & Verification

Once the deployment is complete, you can access the services via your browser (mapped via the Firewall):

| Service  | URL                    | Default Credentials           |
|----------|------------------------|-------------------------------|
| Grafana  | http://localhost:3000  | admin / admin123              |
| InfluxDB | http://localhost:8086  | admin / adminpass123          |
| MQTT     | mqtts://localhost:8883 | Requires a client certificate |

These are lab defaults committed to the repository; change them before the stack is reachable from anything other than localhost.

⚠️ Note: Any action or request that originates from your personal PC (Windows) rather than from a container or from the admin host (over SSH) is not processed by the firewall and does not touch the deployed network. The localhost URLs above are Docker-published ports, which bypass the firewall container's rules; to exercise the segmentation, run your tests from inside a zone container (a sensor in Zone A, a workstation in Zone C, or the admin host in Zone B).


🛠️ Tech Stack

| Technology | Role              | Documentation |
|------------|-------------------|---------------|
| Docker     | Containerization  | Official Docs |
| iptables   | Firewalling       | Netfilter     |
| OpenSSL    | PKI & CA          | OpenSSL.org   |
| OpenVPN    | Secure Access     | Community     |
| Mosquitto  | MQTT Broker       | Eclipse.org   |
| Grafana    | Visualization     | Grafana Labs  |
| InfluxDB   | Time Series DB    | InfluxData    |
| OpenLDAP   | Authentication    | OpenLDAP.org  |

👥 Credits


Developed by: Pedro MARTINS, Loïc ANDRIANARIVONY, Tom PASSERMAN, Lucas KOCHEIDA, Joshua BUDGEN
Ynov Campus TOULOUSE - 2026
