OK, I see a lot of network separation, and silos. That’s a good start. But then I see appliances as routers, or physically connected networks, and that’s a shame. Firmware vulnerabilities are among the most searched and used on the net.
Why? Because appliances / closed systems are hard to analyze, monitor and update. You basically put a black box you know nothing about at the center of your system. If you think “a lot of people run it, so it’s fine”, the recent CCleaner targeted malware attack, or the NSA intercept & patch of switches before delivery, should have warned you never to trust a system you don’t have full access to.
Manageable switches and VLANs are only a way to segregate a bit between multiple devices that are all considered at the same level. It’s mostly a convenience utility. E.g., usual phone, camera to monitor the baby, tablet and other non-secure devices.
If you want real security, that must be 2 physically separated networks.
About the firmware, it’s the same for your BIOS. Even if you do gold images and checksums, you can never trust the AMT or any low-level component that can hold an APT: disk firmware, BIOS, TPM…
I’d rather use software encryption and lose a few CPU cycles (that are optimized by recent CPU extensions anyway) than a vendor-custom implementation, where I won’t be able to recover / reread my medium if the controller crashes. So for my Linux hosts, LUKS is my way to go.
For all the IoT/IoS (Internet of Shit) they shouldn’t even have access to the internet. If you really need to, log all DNS queries, and http-proxy MitM with tls-bump all the shitty stuff for later analysis.
If you can’t afford 2 internet connections, or want to do fail-over, ensure your secure connection is VPN-only between your trusted secure devices and a dedicated server on the internet. Null-route anything else on the router and log it.
All security-related stuff must be self-hosted. My selection of self-hosted tools is:
- System: Gentoo + catalyst. Remove all unused features from tools and kernel (reduce attack surface).
- Health: netdata + prometheus.
- Logging: Linux auditd + rsyslog + Graylog + hindsight.
- Communication: Matrix / Riot / Mail
- File and data: OpenZFS + encryption + send/receive on external host (parents), Nextcloud for file sync and share.
- Identity: LDAP + Kerberos (might consider migrating to FreeIPA). That’s also called GSS and is well managed by most enterprise-class applications (at least, implemented by curl and ssh, so you can use the 2 most important ports: 22 and 443).
- Analytics: piwik, superset
- Web: mostly PHP-7.2 fpm + nginx tools + letsencrypt.
- Perf analysis: opengrok + compiler explorer (+ usual unix tools).
I certainly forgot a lot of things to say there, but I’m running out of free time… I’ll be back sooner or later.
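As an added example, not part of the comment above, here is one way to act on the advice to log all DNS queries from IoT devices: a Python script that parses dnsmasq-style query log lines and flags clients resolving names outside a per-device allowlist. The log lines, client IPs, domains and the `ALLOWLIST` mapping are all constructed for the example.

```python
"""Added example (not from the original comment): flag IoT clients whose DNS
queries fall outside a per-device allowlist, from dnsmasq-style query logs.
All log lines, addresses and domain names below are constructed."""
import re
from collections import defaultdict

# Constructed dnsmasq-style query log: "<ts> dnsmasq[pid]: query[TYPE] <name> from <ip>"
SAMPLE_LOG = """\
Jan 12 10:00:01 gw dnsmasq[812]: query[A] time.cloudflare.com from 10.20.0.11
Jan 12 10:00:05 gw dnsmasq[812]: query[A] update.camera-vendor.example from 10.20.0.11
Jan 12 10:00:09 gw dnsmasq[812]: query[A] files.unlisted-cdn.example from 10.20.0.11
Jan 12 10:01:13 gw dnsmasq[812]: query[AAAA] api.tablet-vendor.example from 10.20.0.12
Jan 12 10:02:07 gw dnsmasq[812]: query[A] a8f3e1.dyn.unknown-host.example from 10.20.0.13
"""

# Per-device allowlist of domain suffixes (hypothetical IoT VLAN 10.20.0.0/24)
ALLOWLIST = {
    "10.20.0.11": {"time.cloudflare.com", "camera-vendor.example"},  # baby camera
    "10.20.0.12": {"tablet-vendor.example"},                          # tablet
}

LINE_RE = re.compile(r"query\[(?P<rtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

def parse_queries(log_text):
    """Yield (client_ip, queried_name, record_type) from dnsmasq query lines."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["client"], m["name"].lower().rstrip("."), m["rtype"]

def is_allowed(name, suffixes):
    """True if name equals, or is a subdomain of, any allowlisted suffix."""
    return any(name == s or name.endswith("." + s) for s in suffixes)

def find_unexpected(log_text, allowlist):
    """Return {client_ip: sorted unexpected names}. A client with no allowlist
    entry is reported wholesale: an unknown device should not resolve anything."""
    findings = defaultdict(set)
    for client, name, _rtype in parse_queries(log_text):
        if not is_allowed(name, allowlist.get(client, set())):
            findings[client].add(name)
    return {c: sorted(n) for c, n in findings.items()}

if __name__ == "__main__":
    for client, names in find_unexpected(SAMPLE_LOG, ALLOWLIST).items():
        print(f"{client}: unexpected DNS queries -> {', '.join(names)}")
```

Feed it the real resolver log on the router (or the output of `log-queries` in dnsmasq) to get a per-device list of names worth a closer look.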