marauding_gibberish142 @ marauding_gibberish142 @lemmy.dbzer0.com Posts 15Comments 356Joined 3 wk. ago
Thank you for the comment.
My threat model in brief is considering an attack on my internal networking infrastructure. Yes, I know that the argument of "if they're in your network you have other problems to worry about" is valid, and I'm working on it.
I'm educating myself about Lynis, AuditD and OpenVAS, and I tend to use OpenSCAP when I can to harden the OS I use. I've recently started using OpenBSD and will use auditing tools on it too. I still need to figure out how to audit and possibly harden the Qubes OS base but that will come later.
Yes, I do realise that the dumb switch has an OS. And you raise a good point. I'm starting to feel uneasy with my existing netgear dumb switches too. Thank you for raising this, I think a whitebox router build might be the only way.
I'd like to mention that I would use VLANs if I could use them on hardware and software I feel comfortable with. But I cannot. Whitebox build it is, I suppose.
Thanks again for the comment and I'd like to hear any suggestions you have.
Ah, is that something like sticky ports?
Indeed, I would like to run a switch with a FOSS OS, and I don't see any viable way of doing that. Unfortunate, but whitebox router + switch it is then.
Yes, that's what I meant. It was a sarcastic remark on the current government's general level of skills with web technologies. I suppose the obligatory /s was missed.
Hmm, I haven't heard of that before. Could you explain?
You'd think that a government knows how to do a web search.
Could you elaborate why the question of trust invalidates using just subnets?
Thanks, but to make that work I would need a managed switch running a proprietary OS that I cannot trust. If there was a switch running a FOSS OS then I would use that.
Thanks, yes, I realised that OpenWRT devices can do this.
Dead man's switch is a good idea. OP should look at the stuff people using Qubes came up with as a dead-man's switch.
I use testing, prod and stale. Stale is simply one version behind prod in case I see something in prod I need to roll back.
I'd either have to do it in the router (which would need a lot of PCIe network cards which can get expensive + difficult to accommodate enough physical PCIe lanes on consumer hardware) or run it on a switch running a proprietary OS that I can't control and don't know what it's doing underneath.
Ah, sucks
I see. But does the installation cover hardening steps like hardened_malloc, permission hardener, kernel self-protection etc?
I had looked into OpenStack a while back but left it thinking it was too complex. I was looking at Apache CloudStack then.
I see now that a contributor has got Debian in the official list of supported distributions. Which means my distro-morphing idea should work in theory with OpenStack. This is a great idea, thanks. I will look at OpenStack more seriously now. Does look like it will need some effort though.
No, I do not trust my computers that much. Quite unfortunate, really, that I'll have to build a whitebox switch to get what I want.
I never considered Tailscale for my LAN, but it's certainly an intriguing idea. I suppose running Headscale as a VM on my router isn't that difficult. Thank you, I will think about it a bit more.
asking for people to solve a solved problem
Solved using devices that run proprietary software (which is, I imagine, frowned upon in such communities) which we don't control at all. Heck, even Mikrotik, which has a good rapport with this community, uses a proprietary Linux distro with a severely outdated kernel for their devices. For something as critical as internal networking, I'm surprised I do not see more dialogue on improving the situation.
Let me try and explain the problem. I want to build a setup where I have multiple clustered routers (I'm sure you've heard of the clustering features in pfSense/OPNsense, or the DIY approach using Keepalived). But if I want to use VLANs without using a switch running god-knows-what under the hood, I'm going to need a LOT OF ports. Unfortunately, 6+ port PCIe cards are quite expensive and sometimes have many other problems.
This is why I'm trying to find a simpler solution. The solution that you mention doesn't seem to be a solution at all, but just the community giving up on trying to find one and accepting what is given. I was hoping for a better outcome.
I'm using Cisco terminology, so it likely means VLAN trunking, unfortunately (unless I missed something).
Thank you for that. I'd also like to ask you: is that a possibility too if one were to configure a trunk port on a switch and plug the PCs in?