- Snort on perimeter inbound and outbound.
- ntopng on perimeter.
- Heavy VLAN segmentation. Like with like.
- Inter-VLAN ACLs on core switch. This is a stateless firewall. Some VLANs with certain device types have inbound and outbound. Trusted devices only have inbound.
- SPAN to Security Onion for all internal traffic.
- SNMPv3 monitoring on all devices.
- MAC Sticky on all camera ports because the cabling extends outside of the physical structure of the house. I am going to implement Dot1X at some point.
- VRFs for sensitive infrastructure to prevent outbound routing completely.
- A VRF for devices to be forced through an external VPN (Mullvad). Used for devices that do not support a VPN agent.
- No antivirus. All antivirus is a botnet.
- All server infrastructure is Devuan using OpenRC instead of systemd.
- Gaming PC is Artix.
- DNS blackhole.
- Public DNS is a Swiss no-logging provider which I use DoT to send my queries to.
- LibreWolf or Brave Browser on everything.
- Only hole into the network is a 4096 bit encrypted WireGuard instance operating in a container using an uncommon port. I wrote a custom script that can reach into the container and pull from the API in order to show active sessions, GeoIP, browser fingerprints, length of time the socket has been open, etc.
- I use geofencing for inbound connections to the WireGuard instance. I only allow the IANA address spaces of my immediate area's cellular ISPs to touch my network. Same goes for the geographic area surrounding my parents' house.
- Unattended updates using custom scripting for my servers, including rebuilding the WireGuard container every single night, updating the server, and firing Nessus at it every night. If in the morning there is a CVE of note on that server, the NAT rule allowing traffic to the VPN is disabled at the perimeter until a sufficient patch is released.
- I run STIGs on everything, within reason and where infrastructure allows, in my suite.
- LibreSSL over OpenSSL.
this post was submitted on 22 Nov 2023
4 points (100.0% liked)
Homelab
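Two items in the comment above, the session report pulled from the WireGuard container and the geofence on inbound sources, can be cross-checked in one small script. The following is an added example, not the commenter's script: it assumes the input is the documented output of `wg show <iface> dump` (tab-separated, first line is the interface, one line per peer after that), uses placeholder keys and documentation address ranges as a constructed sample, treats the placeholder `ALLOWED_PREFIXES` as a stand-in for the cellular-ISP allowlist the comment mentions, and approximates "how long the socket has been open" by the age of the peer's latest handshake, since WireGuard itself keeps no socket state.

```python
"""Report WireGuard peer sessions and check their endpoints against a
geofence of allowed source prefixes.

Added example, not the commenter's code. Assumes `wg show <iface> dump`
output, placeholder keys/prefixes, and handshake age as the session-age
proxy (WireGuard has no persistent socket to measure).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import List, Optional, Sequence, Union

Network = Union[IPv4Network, IPv6Network]

# WireGuard discards a session when no fresh handshake completes within
# 180 s (REJECT_AFTER_TIME), so an older handshake means the peer is idle.
HANDSHAKE_WINDOW = 180

# Constructed sample of `wg show wg0 dump`: placeholder keys, RFC 5737/3849
# documentation addresses, epoch-second handshake timestamps, "(none)" and
# 0 where WireGuard prints them for peers that never connected.
SAMPLE_DUMP = (
    "PRIVKEY_REDACTED\tSERVER_PUBKEY\t51820\toff\n"
    "PEER_A_PUBKEY\t(none)\t203.0.113.45:41827\t10.66.0.2/32\t1700650200\t1048576\t524288\t25\n"
    "PEER_B_PUBKEY\t(none)\t198.51.100.200:5000\t10.66.0.3/32\t1700640000\t4096\t4096\toff\n"
    "PEER_C_PUBKEY\t(none)\t[2001:db8::10]:51820\t10.66.0.4/32\t1700650290\t2048\t1024\toff\n"
    "PEER_D_PUBKEY\t(none)\t(none)\t10.66.0.5/32\t0\t0\t0\toff\n"
)

# Placeholder geofence (assumed; stands in for the cellular-ISP ranges).
ALLOWED_PREFIXES: List[Network] = [
    ip_network("203.0.113.0/24"),
    ip_network("198.51.100.0/25"),
    ip_network("2001:db8::/32"),
]


@dataclass
class PeerSession:
    public_key: str
    endpoint: Optional[str]        # remote IP, None if the peer never connected
    handshake_age: Optional[int]   # seconds since latest handshake, None if never
    rx_bytes: int
    tx_bytes: int

    @property
    def active(self) -> bool:
        return self.handshake_age is not None and self.handshake_age <= HANDSHAKE_WINDOW

    def in_geofence(self, prefixes: Sequence[Network]) -> Optional[bool]:
        """None when there is no endpoint to check, else whether it is allowlisted."""
        if self.endpoint is None:
            return None
        addr = ip_address(self.endpoint)
        return any(addr in net for net in prefixes if net.version == addr.version)


def _endpoint_ip(field: str) -> Optional[str]:
    """Strip the port from `host:port` or `[v6]:port`; '(none)' means never seen."""
    if field == "(none)":
        return None
    host, _, _port = field.rpartition(":")
    return host.strip("[]")


def parse_wg_dump(text: str, now: int) -> List[PeerSession]:
    """Turn `wg show <iface> dump` output into PeerSession records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    sessions: List[PeerSession] = []
    for line in lines[1:]:  # line 0 describes the interface itself
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pubkey, _psk, endpoint, _allowed_ips, handshake, rx, tx, _keepalive = fields
        ts = int(handshake)
        sessions.append(PeerSession(
            public_key=pubkey,
            endpoint=_endpoint_ip(endpoint),
            handshake_age=None if ts == 0 else now - ts,
            rx_bytes=int(rx),
            tx_bytes=int(tx),
        ))
    return sessions


def geofence_violations(sessions: Sequence[PeerSession], prefixes: Sequence[Network]) -> List[str]:
    """Public keys of peers whose last-seen endpoint lies outside the allowlist.

    A hit means a source the perimeter filter should have dropped still
    completed a handshake (or the allowlist has drifted), which is worth an
    alert even though the WireGuard authentication itself succeeded.
    """
    return [s.public_key for s in sessions if s.in_geofence(prefixes) is False]


def report(sessions: Sequence[PeerSession], prefixes: Sequence[Network]) -> List[str]:
    """One human-readable line per peer, for a nightly or on-demand dashboard."""
    out = []
    for s in sessions:
        state = "ACTIVE" if s.active else ("idle" if s.handshake_age is not None else "never")
        fence = {True: "in-fence", False: "OUTSIDE-FENCE", None: "n/a"}[s.in_geofence(prefixes)]
        out.append(f"{s.public_key[:12]:<12} {s.endpoint or '-':<16} {state:<6} "
                   f"age={s.handshake_age if s.handshake_age is not None else '-':<6} "
                   f"rx={s.rx_bytes} tx={s.tx_bytes} {fence}")
    return out


if __name__ == "__main__":
    sess = parse_wg_dump(SAMPLE_DUMP, now=1700650300)
    print("\n".join(report(sess, ALLOWED_PREFIXES)))
    print("geofence violations:", geofence_violations(sess, ALLOWED_PREFIXES))
```

In practice the dump would come from something like `docker exec <container> wg show wg0 dump` (assumed invocation) with `now` taken from `time.time()`; the script reads it from a constant here so it runs offline. Note that the endpoint WireGuard records is the last source address that produced a valid packet, so a peer can roam into a non-allowlisted range and still show as connected until the perimeter filter drops its next handshake.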