[network] Adding more explanation.

Murilo Marinho · Murilo Marinho · commit 75f5d99a1fd1 · 2025-12-03T19:39:26.000Z
diff --git a/docs/source/cybersecurity/network.rst b/docs/source/cybersecurity/network.rst
@@ -3,11 +3,23 @@ Network topologies
 
 .. include:: ../the_topic_is_under_heavy_construction.rst
 
+There is plenty of software that can be used to protect your network. One of these is :program:`ufw`, the `uncomplicated
+firewall <https://en.wikipedia.org/wiki/Uncomplicated_Firewall>`_. These are good to some extent and I suppose will
+always be part of the security suite of companies and institutions.
 
-https://docs.ros.org/en/foxy/Concepts/About-Domain-ID.html
+Also, as part of :program:`ROS2` there is the concept of `ROS_DOMAIN_ID <https://docs.ros.org/en/foxy/Concepts/About-Domain-ID.html>`_.
+Although this concept exists, it should not be confused with a security measure. Each participant in the network can
+easily switch to another ``ROS_DOMAIN_ID`` without authentication or central management. It can be seen as merely a
+local filter.
 
-Case 1
-++++++
+An aspect that is often ignored in robotics labs are the physical network topologies, which are important for safety.
+This safety is not only for cybersecurity reasons. Yes, your robot's computer can be attacked if it's exposed. However,
+in development environments, you might inadvertently move someone else's robot. In these scenarios it will be much
+more efficient to physically isolate the robotic setup if many devices in the network can be shared with users with
+varying levels of network understanding.
+
+Case 1 - No isolation
++++++++++++++++++++++
 
 A common network architecture in small companies and laboratories is shown below.
 
@@ -34,21 +46,24 @@ A common network architecture in small companies and laboratories is shown below
 
 In it, each computer and robot is directly connected to the internet. This setup is rather tempting because from the
 point-of-view of the robotics software developer they might want to have as much freedom as possible to develop their
-software as quickly as possible. Depending on the internet services they want to provide, they might even DMZ
+software as quickly as possible. Depending on the internet services they want to provide, they might even `DMZ <https://en.wikipedia.org/wiki/DMZ_(computing)>`_
+or forward ports that give straight access to local computers. That is a huge security concern. If you leave port 22 open,
+it won't take long for someone to try to hack into your machine from somewhere in the world.
 
 This setup leads to a high level of risk. As mentioned in the previous section, although you *might* be able to keep
 your computers up-to-date, the same is not usually possible for the robots' control computers. They could have vulnerabilities
 such as unpatched security bugs that will leave them exposed. In addition, the robots' might have been left with their
-original credentials. This means that an attacker could easily ssh into the robot.
+original credentials and network settings, without a firewall. This means that an attacker could easily ssh into the robot.
 
-Although from a robotics software developer you might think that they might have little to gain from accessing a robot
+Although from a robotics software developer point-of-view you might think that they might have little to gain from accessing a robot
 computer, that can easily be the first door into any other resource in the network. Just because the computer is attached
-somehow to a robot it does not make it less of a computer just, usually, easier to exploit.
+somehow to a robot it does not make it less of a computer. It just, usually, makes it easier to exploit the computer.
 
-Case 2
-++++++
+Case 2 - Subnet isolation
++++++++++++++++++++++++++
 
-A somewhat better network architecture is shown below, because there is one extra layer of isolation.
+A somewhat better network architecture is shown below, because there is one extra layer of isolation. The main difference
+here is that different parts of the company have their own subnets.
 
 .. mermaid::
 
@@ -84,8 +99,8 @@ to control the wrong robot arm from a distance. Or, the wrong camera stream is u
 Although ``ROS_DOMAIN_ID`` can help to filter out unwanted messages, it is too easy to set the wrong ``ID``. More importantly,
 it is expected that people with a minimal understanding of networking would isolate their setup further.
 
-Case 3
-++++++
+Case 3 - Platform isolation
++++++++++++++++++++++++++++
 
 A possibly sufficient setup for most robotic demonstrators that need isolation is shown below.
 
@@ -112,4 +127,7 @@ A possibly sufficient setup for most robotic demonstrators that need isolation i
         junctionCenter2:B -- T:robot2
         junctionCenter2:L -- R:junctionCenter1
 
+In this setup, you can imagine each robotic demonstrator having their own, isolated, network. This can be easily
+achieved physically using a `switching hub <https://en.wikipedia.org/wiki/Network_switch>`_. This type of physical isolation
+of interfaces tends to be beneficial in development environments where software infrastructure is often changing.
 
