As the title says, I want to know the most paranoid security measures you’ve implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I’m wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

  • MigratingtoLemmy@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    9 months ago

    Would you have to compromise on your security according to your threat model if you ran VMs rather than dedicated devices? I’m no security engineer and I don’t know if KVM/QEMU can fit everyones needs, but AWS uses XCP-ng, and unless they’re using a custom version of it, all changes are pushed upstream. I’d definitely trust AWS’ underlying virtualisation layer for my VMs, but I wonder if I should go with XCP or KVM or bhyve.

    This is my personal opinion, but podman’s networking seems less difficult to understand than Docker. Docker was a pain the first time I was reading about the networking in it.

    Really like your setup. Do you have any plans to make it more private/secure?

    • easeKItMAn@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      9 months ago

      I used VMs some time ago but never managed to look deeper into separation of bare metal vs VMs. Hence I can’t assess this reasonably.
      Docker got me interested when it started and after discovering its networking capabilities I never looked back.
      Basically I’m trying to minimize the possibility that by intercepting one dockerized service the attacker is able to start interacting with all devices. And I have lots of devices because of a fully automated house. ;) My paranoia will ensure the constant growth of privacy and security :)