As the title says, I want to know the most paranoid security measures you’ve implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I’m wondering how deep this paranoia can go (and maybe even go down my own route too!).
Thanks!
Also laughing because that’s how some companies get owned, IP stolen, etc.
There has to be balance, if your life using their system sucks so hard you can’t do your job or meet production marks, you get creative.
My industry has to prioritize security over productivity. It’s almost impossible to get work done.
I understand that. But among the peers working there are some using Windows without any further protection. Why do I need to be the one getting IO-bombed by software that scans the same files that were gathered from an internal git server anyway, when there are people whose protection is literally “pls don’t trespass”?
I trust my system way better: data at rest is encrypted with LUKS instead of BitLocker’s sucky encryption; the OpenVPN conf was upgraded by me because IT admins use 128-bit keys for some reason. Etc.
Your working environment sounds gross :)
IT is hard. Finding good IT people is harder in my opinion. Working for a company that is not super squared away with good security and great usability sucks. At least you found some workarounds and are trying to do it well.
It really is.
From what I get, the higher-ups wanted to implement those measures to comply with some certification or whatever.
Problem is, there are workstations from before this decision that are completely open and will probably never be upgraded; and you get new ones that are completely closed, to the point that workers would rather use their own hardware.
If it’s possible to bypass this locked shitshow and just connect through another machine, then it’s really just a half-assed measure, don’t you think?
I mean, it’s not straightforward doing it, and probably the guys who would be the easiest victims and entry points can’t bypass the VPN connection to another machine like I could. But then, those who can do it can also set up stricter firewall rules and control from their own machines, rather than using Windows.