What if you could buy off the shelf a box based on #opensource software and hardware that you could plug into your internet connection. You could connect to it via Wifi and it would allow an average person to fairly easily configure, via a guided setup, a self-hosted Cloud Drive, Social Media server, home automation service, VPN end point, email server and other commonly useful software?

What if that box allowed that person’s friends to authenticate to that box and link a box they own, either close by or remotely. It could extend connectivity and establish a chain of trust, provide a level of encrypted backup of content from that box and make assertions about the users on that box such as - This user account is owned by this person, this user account is over 18?

This is a dream. I know I’m rambling. #openwrt, #yunohost, #seflhost, #chainoftrust, #fediverse

  • mspencer712@programming.dev · 6 hours ago

    To add to Onomatopoeia’s excellent post, separate devices also limit the blast radius of any compromise. Attackers pivot when they compromise a system. They use one system to talk to others and attack them from inside your network. So you don’t want everything on the same OS kernel.

    Unfortunately I don’t feel like I’m qualified to say what works well yet, not until I have the pieces of my site put together and working, and vetted by whatever security professionals I can get to look at it and tell me what I did wrong.

    But right now I think that looks like every service VM on its own VLAN on a /30 net, and ideally the service VM and firewall/router VM serving it on different physical hardware joined by a managed switch. That managed switch shouldn’t let either VM host touch its management VLAN, and (I think, I don’t do this yet) should send monitor traffic to yet another physical host for analysis.

    (“I can see why you’re not done yet” - yeah I know.)
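The per-service VLAN and /30 layout sketched above, as an added example that is not part of this thread (constructed service names, an assumed 10.10.0.0/24 pool for the /30s, an assumed management VLAN 99 on 10.99.0.0/24, and a hypothetical nftables rendering); it builds the plan and then evaluates flows the way the firewall/router VM would, so the blast-radius property can be checked:

```python
"""Constructed model of a per-service /30 VLAN design.

Each service VM gets its own VLAN and a /30 (two usable hosts: the router side
and the VM side). The management VLAN is reachable from none of them, and no
service /30 may talk to another service /30, so a compromised VM has nowhere
to pivot inside the network. Names and address ranges are assumptions.
"""
import ipaddress

MGMT_VLAN = 99                                  # assumed switch management VLAN
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")  # assumed management subnet
POOL = ipaddress.ip_network("10.10.0.0/24")      # assumed pool carved into /30s


def build_plan(services, first_vlan=101):
    """Assign each service a VLAN id and a /30; the router/firewall VM gets the
    first usable host, the service VM the second. Returns {service: {...}}."""
    plan = {}
    subnets = POOL.subnets(new_prefix=30)
    for i, name in enumerate(services):
        net = next(subnets)
        router_ip, vm_ip = list(net.hosts())      # a /30 has exactly two hosts
        plan[name] = {"vlan": first_vlan + i, "net": net,
                      "router": router_ip, "vm": vm_ip}
    return plan


def nft_rules(plan):
    """Render a forward-chain policy for the router VM: default drop, the
    management subnet is never a valid destination, and each service VM may
    only leave towards addresses outside the service pool (i.e. the internet),
    never towards another service's /30."""
    lines = ["table inet filter {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             f"    ip daddr {MGMT_NET} drop"]
    for name, e in plan.items():
        lines.append(f"    iifname vlan{e['vlan']} ip saddr {e['vm']} "
                     f"ip daddr != {POOL} accept  # {name}: outbound only")
    lines += ["  }", "}"]
    return "\n".join(lines)


def policy_allows(plan, src_ip, dst_ip):
    """Evaluate a forwarded flow exactly as the rendered policy would."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst in MGMT_NET:
        return False                    # management VLAN is off-limits to all
    for e in plan.values():
        if src == e["vm"]:
            return dst not in POOL      # may leave, may not cross into a sibling
    return False                        # unknown source: default drop
```

Port mirroring to a separate monitoring host is a switch-side setting and is not modelled here.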

    • abeorch@friendica.ginestes.es (OP) · 4 hours ago

      @mspencer712 Yeah … though I suspect that perfect could be the enemy of the good enough. I can’t really comment - but whether it’s a single physical device or modular - for me an integrated solution available to regular people is the key.