Security of internal IPFS network

I’m wondering about implications of running an IPFS network on an internal network and the risks of exfiltrating data outside of the internal network.

From what I understand, if there are IPFS nodes on an internal network, they can talk to each other and the CIDs pinned on any of them will be available to other machines on the network. The internal IPFS nodes can access external items, but because the network is firewalled from incoming connections any sensitive data stored on the internal network cannot be accessed by the larger network.

However, what happens if a user VPNs into the internal network, but is also on a secondary network that is connected to an IPFS node exposed to the larger internet? This is assuming the node connected to the VPN is also running an IPFS daemon.

Anyone know anything about this?

Hello! If you want to use IPFS internally and nowhere else (can’t retrieve data from outside the network either), you’ll likely want to look into Kubo’s Private Network feature: kubo/ at master · ipfs/kubo · GitHub

The security will be similar to a VPN, all traffic is encrypted via symmetric key.