Security Layers

I’d like to know your security technique :slightly_smiling_face: (maybe it’s a good topic for the lounge category).

Do you use a personal DNS server like Pi-hole for your computer and the mobile app?


Wow, this might take a while. I will send a reply this evening. Still working right now...

Let's start with my devices: all of my computers and mobile devices use full disk encryption and require a login. There is no sharing of accounts. Guest accounts are deactivated. If there's a need for sharing data, a share on the NAS or a local filesystem is used that people/accounts have access to.

My network consists of several VLANs with strict access control on the managed switch. I am using a Pi-hole failover cluster (keepalived) with a virtual IP. DNS requests from all VLANs are redirected to the virtual IP of Pi-hole. This means that devices that have DNS hardcoded or fall back to a hardcoded value will still use Pi-hole, no matter what.
Pi-hole itself uses conditional forwarding for local hostname resolution (which is done by Unbound on my OPNsense FW/Router).
Some VLANs are setup to use a GW which tunnels traffic through a VPN.

Multiple layers of blocking: browser level (uBlock Origin), Pi-hole, and Firewall/Router (OPNsense). e.g. there's no access to FB, Twitter, Instagram, ...
All of my devices also use outgoing network filters (LittleSnitch, Blokada, ...)

Not sure, but I am pretty sure I forgot something. Well, it's a start.

Update: after seeing people also mentioning other areas, I thought I should edit my post and add that too.

I run the cable modem in bridged mode and the WiFi (Mesh) is setup as access point. I do not trust these half baked router/fw firmwares.

My backup solution/strategy depends on the systems. I use 3 NAS. 2 use RAID-5 and one uses a ZFS mirrored and striped pool.
The virtualization server uses ZFS 2x NVMEs mirrored, 2x SSD mirrored, 2x HDD mirrored.
The server in the data center uses 2x SSD RAID-1, 6x SAS HDD RAID-6. On that server I use rsnapshot locally (hourly, daily, weekly) and the entire server is rsynced daily to a NAS via SSH.

I do not use a virus scanner on any of my machines/devices.
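The post above relies on the firewall redirecting every port-53 packet to the Pi-hole virtual IP, so the useful check is to ask some other resolver directly and see whether the answer still comes back Pi-hole-style. The following probe is an added example, not the poster's code or a Pi-hole tool: it builds a raw DNS query with the standard library, sends it straight to an arbitrary resolver address, and reports whether the reply looks like a block (0.0.0.0/:: or NXDOMAIN). The resolver address and the blocked name on the command line are placeholders you replace with a public resolver and a domain from your own blocklist.

```python
"""Probe a resolver directly to check that port-53 traffic really lands on
Pi-hole. Added example, not code from the thread; the resolver address and
domain used on the command line are assumptions, not the poster's setup."""
import os
import socket
import struct
import sys

QTYPE_A = 1
QTYPE_AAAA = 28
RCODE_NXDOMAIN = 3


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Encode a one-question DNS query in wire format (RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data: bytes) -> tuple[int, int, list[str]]:
    """Return (txid, rcode, A/AAAA addresses from the answer section)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode, offset, addresses = flags & 0x000F, 12, []
    for _ in range(qdcount):          # skip the echoed question(s)
        _, offset = _read_name(data, offset)
        offset += 4                   # qtype + qclass
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addresses.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            addresses.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return txid, rcode, addresses


def looks_blocked(rcode: int, addresses: list[str]) -> bool:
    """Pi-hole answers blocked names with 0.0.0.0 / :: (its default) or,
    depending on its blocking mode, NXDOMAIN."""
    if rcode == RCODE_NXDOMAIN:
        return True
    return bool(addresses) and all(a in ("0.0.0.0", "::") for a in addresses)


def probe(resolver_ip: str, blocked_name: str, timeout: float = 2.0) -> bool:
    """Ask resolver_ip (e.g. a public resolver a device might have hardcoded)
    for a name that is on your blocklist. True means the reply was a block,
    i.e. the firewall redirected the packet to the Pi-hole VIP."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(blocked_name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    rtxid, rcode, addresses = parse_response(reply)
    if rtxid != txid:
        raise ValueError("transaction id mismatch, reply is not for our query")
    return looks_blocked(rcode, addresses)


if __name__ == "__main__":
    # Usage: python dns_probe.py <resolver-ip> <name-from-your-blocklist>
    resolver, name = sys.argv[1], sys.argv[2]
    if probe(resolver, name):
        print("blocked: port 53 was redirected to Pi-hole")
    else:
        print("not blocked: redirect missing, or the name is not on the blocklist")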
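```

Run it from each VLAN, including the WiFi one, and against a resolver you know the device could reach without the redirect; a plain answer from the upstream means that VLAN has a path around Pi-hole. The probe only covers plain UDP/53: a device using DNS-over-HTTPS or DNS-over-TLS bypasses the redirect entirely, which is why the firewall-level block of those endpoints mentioned in the post matters as a separate layer.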


I've got a much simpler set.

  • I use NextDNS instead of Pi-hole (see "What is the advantage of using NextDNS over Pi-hole®?" in the NextDNS Help Center)
  • Also use uBlock Origin
  • Use Vivaldi as browser, then Firefox, then Brave
  • Backups local, cloud and images that are checked
  • antivirus
  • Mild Router protection
  • KeePass password manager. Default passwords are > 30 chars using all 4 character sets. Whittled down if necessary for security-challenged sites, like banks.
  • Never had facebook, etc. Had Twitter. Killed it.

Can recommend NextDNS also.

For light Android app checking I use Exodus.

Motivated by data protection, not information security, so to say.


Brave with uBlock Origin :grinning:
2 password managers :slight_smile:
Asus router with Trend Micro :face_with_hand_over_mouth:
Kaspersky (: I'd rather let another country sniff my activity than my own country :joy:
DNS :sunglasses:
2nd internal ssd backup and 3rd external hdd backup :+1:

I edited my post to add some areas others mentioned.


To all those mentioning Chromium based browsers: what are your plans regarding the Manifest v3 clustertruck? (I'm not following it too closely since I run FF, so if there were new developments, I might have missed them...)

I also use an Asus router with Trend Micro.
You don't want which is cloudflare. is their malware filtering site and it works well, so that is probably better. is no malware and no adult content.

Also of course, you need the IPv6 addresses.
Personally, I use NextDNS but Quad9 is also very good.

Thank you for your reply tessus.

For sharing data with a local filesystem, do you use the OS options to give access to your drive on your computer in the local network? Is this sharing unencrypted?

For those who are not really familiar with VLANs (like me) there is a simple explanation here or a longer one here.

If I understand your local hardware network, there is:

A router used as modem (as access point) and WiFi
Your firewall/router replaces your provider's router
A switch plugged into your FW/router, with an interface where the VLANs are hosted
Your servers and devices isolated from the VLANs

Is the Pi-hole installed on its own hardware? And where?

Most people just use uBlock Origin or similar; with all your security layers your fingerprint is probably unique. How do you deal with this?

Could a WiFi network be used for several VLANs?

For personal use the requirements and electricity consumption look significant.

I usually use a separate filesystem for that. By sharing data I mean when 2 people are using computer A. (Which almost never happens.) Then there is a separate filesystem /Users/Shared or /data/exchange and users have read and/or read/write access to certain directories.
Not sure what you mean by the sharing being unencrypted. It all depends on the system, whether FDE is used, or encryption by user account, or both.

Most of the time I just make a share available on a NAS, when people want to exchange data or have access to the same data.

No, the modem is plugged into my FW/router (OPNsense) in bridged mode.

Not sure what you mean by that, but no matter which modem I were to use, my FW/router (OPNsense) would always be the same.

A managed switch is plugged into my FW/router (OPNsense). VLANs have to be set up on the router, but also on the managed switch. You can assign which VLANs are used by which ports and which frames are accepted by which port. You can also set up dynamic VLANs. Port security is a complex topic and if you are not familiar with it, I am not sure if I am able to explain this in a few minutes. (I don't think I can.)

Yes and no. I allow inter VLAN routing in certain cases, sometimes only in one direction. But as a general principle, VLANs are isolated and can't talk to each other.

e.g. I am using Proxmox as my virtualization server. It is set up with a network bridge that is VLAN aware. I can assign my LXCs and VMs to any VLAN that is available in my network.

They're also in a separate VLAN. 2x Raspberry Pis. This is an example where any VLAN is allowed to talk to the virtual IP. But the 2 Raspberry Pis are not allowed to talk to anything but port 53 of the FW/router for conditional forwarding.

I don't understand the question. These layers are transparent to the outside world.

I could use different VLANs for different WiFi devices. This is what WiFi routers internally do when you set up a guest network. But I use one VLAN for all WiFi devices. However, devices are put in groups, which have separate rules for traffic (internal, outgoing, DNAT, NAT, SNAT).

Nope. I am not using Intel, so my AMD threadripper in my Proxmox server usually runs with less than 60W.

I also use 2 UPS. Everything is plugged into those 2 UPS. 1 UPS is pulling 110W and the other around 80-90W.

One more thing I forgot. I use link aggregation (LACP 802.3ad) for all my NAS and the virtualization server.
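The inter-VLAN policy described in this post (VLANs isolated by default, every VLAN allowed to reach the Pi-hole virtual IP on port 53, the two Raspberry Pis allowed nothing except port 53 on the router, and some one-directional exceptions) is easy to get subtly wrong once rules are entered by hand. The following is an added example, not the poster's configuration and not OPNsense code: it models a ruleset as data, evaluates it first-match with default deny (how OPNsense evaluates rules with "quick" set, which its GUI does by default), and enumerates every cross-host flow the policy permits so you can diff that list against your intent. All VLAN numbers, subnets, host addresses and rules are constructed for the example.

```python
"""First-match, default-deny policy check for a VLAN layout like the one
described above. Added example; VLAN names, subnets, hosts and rules are
assumed for illustration, not taken from the poster's configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: str                      # CIDR the connection originates from
    dst: str                      # CIDR it goes to
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None = any destination port


# Constructed addressing for the example
VLAN_LAN, VLAN_IOT, VLAN_DNS = "10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24"
PIHOLE_VIP = "10.30.0.53/32"     # keepalived virtual IP of the Pi-hole pair
ROUTER_DNS = "10.30.0.1/32"      # router's resolver interface in the DNS VLAN

POLICY = [
    # every VLAN may query the Pi-hole virtual IP, and nothing else there
    Rule("pass", "0.0.0.0/0", PIHOLE_VIP, "udp", 53),
    Rule("pass", "0.0.0.0/0", PIHOLE_VIP, "tcp", 53),
    # the Pi-hole hosts may only reach the router's resolver on port 53
    Rule("pass", VLAN_DNS, ROUTER_DNS, "udp", 53),
    Rule("pass", VLAN_DNS, ROUTER_DNS, "tcp", 53),
    Rule("block", VLAN_DNS, "0.0.0.0/0"),
    # one-directional exception: LAN may SSH into IoT, never the reverse
    Rule("pass", VLAN_LAN, VLAN_IOT, "tcp", 22),
    # general principle: VLANs are isolated from each other
    Rule("block", "10.0.0.0/8", "10.0.0.0/8"),
    # anything left (Internet-bound traffic) is allowed
    Rule("pass", "0.0.0.0/0", "0.0.0.0/0"),
]


def _matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(policy, src, dst, proto="tcp", dport=None) -> str:
    """Action for a NEW connection (replies ride on the state table).
    First matching rule wins; no match at all means block."""
    for rule in policy:
        if _matches(rule, src, dst, proto, dport):
            return rule.action
    return "block"


HOSTS = {  # constructed sample hosts, one or two per VLAN
    "lan-pc": "10.10.0.5",
    "iot-cam": "10.20.0.7",
    "pihole-rpi1": "10.30.0.11",
    "pihole-vip": "10.30.0.53",
    "router-dns": "10.30.0.1",
}


def allowed_flows(policy, hosts, ports=(22, 53, 80, 443, 445)):
    """Enumerate every (src, dst, proto, port) one host may open to another.
    Diff this list against what you intended; anything unexpected is a hole."""
    flows = []
    for sname, sip in hosts.items():
        for dname, dip in hosts.items():
            if sname == dname:
                continue
            for proto in ("tcp", "udp"):
                for port in ports:
                    if evaluate(policy, sip, dip, proto, port) == "pass":
                        flows.append((sname, dname, proto, port))
    return flows


if __name__ == "__main__":
    for flow in allowed_flows(POLICY, HOSTS):
        print("%-12s -> %-12s %s/%d" % flow)
```

The model deliberately covers only the direction in which a connection is opened: on a stateful firewall the replies to an allowed flow come back via the state table, so "IoT may not talk to LAN" is still true even though the LAN-to-IoT SSH rule lets packets flow both ways for that session. To compare the model with what is really loaded on the box, list the active rules on OPNsense with `pfctl -sr` and check that the order matches the order in `POLICY`; a block placed after a broader pass is the classic way an isolation rule silently stops applying.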


Out of interest - did you set this all up gradually over time? Is there any automation for this, e.g. what would you have to do should you need to set this all up from scratch?

I'm asking because I've been thinking about automating my own stuff, not nearly close in complexity as yours, and so I'm always interested to hear how others with more experience do it.

I did a complete network re-design 1.5 years ago. At that time I still used a DSR-250 router/fw, but ran into several issues because of limitations. Thus I set up my own mini-PC with OPNsense:

I also replaced my managed switch after 6 months, because I ran out of ports. Automation for HW network components is usually only available in the enterprise market. However, I backup the configs of my switches and routers.

I also have detailed network plans (which I created with Mermaid).

When it comes to automation for VMs, I use Terraform and Ansible.

My advice is to keep things as simple as possible without having to compromise on security and fault tolerance. It's not always easy, but laying out a good plan before implementing it can save you a lot of headaches later.


Nothing really sophisticated in my local network:
One old box (modem/router/FW) from my internet provider
Two WiFi extenders (I don't really use them now)
Several devices (some possibly with security issues)

In my personal computer :

  • FDE with VeraCrypt
  • Windows 10 and simplewall FW (the download is less than 1 megabyte :face_with_monocle:)
  • Browsers :
    1. Firefox hardened with Arkenfox (I use it now instead of Firefox Profilemaker), addons Privacy Badger, Privacy Redirect and uBlock Origin
    2. Ungoogled Chromium portable (same addons)
    3. Edge Chromium (rarely used)
  • VirtualBox for testing and, recently, a sandbox to protect the Windows VM
  • VPN app in devices (but not quite sure of the effectiveness)

I plan for my future steps (I hope without the need to hire a sysadmin :grin:):

  • my next notebook with Linux as main OS, and several VMs (depending on the use: online/offline, Windows apps…).
  • for the local network, something to isolate insecure devices properly (maybe just a new provider internet box with a guest option)
  • firewall on mobile devices

In this case I suggest you have a look at Framework (DIY edition) and Qubes OS.
If I switch away from macOS (which is getting more and more probable and thus rather a question of when), I'll go with this setup.


Yes, I hesitate between Proxmox as workstation and Qubes.

Windows has an advantage over Linux: most hardware is certified for Windows only. I'm interested in Qubes OS too, however I think it's a choice to take with care. Hardware requirements are high and I'm not sure if this OS is mature yet. Their certified hardware is a bit small for me. I need some comfort, a numpad and a screen size between 15-16".


I don't understand what you are saying. Why does it have to be certified? These certification stamps are basically BS.

Look at the HDMI standard. Even though you have certified cables and devices, they still manage to screw up initialization and protocol negotiation.

Seriously, did you ever sue a company that was on a HW compat list when something did not work? If yes, did you win?

I mean, I have never had a new computer with the webcam, trackpad or scanner out of service on Windows, because all manufacturers produce drivers tested for Windows. Nope, I never sued a company :euro:

I think it's harder for devs to code a driver than it is for the manufacturer.
If I need Linux as main OS I will probably use a list like this.
Unfortunately the fact is Linux is used by 2.09% worldwide.
e.g. I can't run Fedora on two computers; on one of them Windows 10 works well.

I have never sued a company for something not working, even though being on a compat list, either.

I am just saying that such lists are useless. Yes, chances are good that all will work, but it's not the first time I've seen that it didn't.
In such a case none of these companies will fix it. They just tell you it's "bad luck" and blame other components.

Another example: look at ECC RAM. Most motherboards don't support ECC (in the consumer market) and if they do, it also depends on the CPU. And in many cases the ECC support is unofficial and/or not tested.
However, ECC is crucial for ZFS. It is not easy to build a server that uses ECC RAM.

If you don't believe me, please tell me which mATX board (with 8x SATA III) and which AMD processor (not Threadripper or Epyc) supports ECC, and which ECC RAM.

Onboard graphic would also be great. It doesn't have to be fancy, only required for debugging boot issues and installation of an OS. I mentioned onboard graphics, b/c I couldn't find anything that would work with ECC. Although this is not that important, since a cheap GA does the trick. (Thus you can ignore this paragraph.)

P.S.: "useless" is maybe the wrong word. Compat lists are not a guarantee that all will work. It also does not mean that something will not work, when it is not on that list.

I'm in the very beginning of this :crazy_face:

May I ask, why are you not using TrueNAS SCALE as your ZFS?