BeyondCorpHome (1/n)
This will be a series of blog posts discussing how to implement a Zero Trust security model at home scale.
Zero trust security is the gold standard in today's enterprise networks. It is a systematic approach to network and data security that allows many of the moving pieces in your network architecture to be untrusted while still maintaining a sufficient level of security and confidence in your data and privacy.
With the amount of connected technology we deploy around ourselves in our everyday lives, the attack surface against our personal data has never been this big, and a zero trust security model can come to the rescue. There are many traditional ways of mitigating various types of threats in a home environment, such as giving your non-tech-fluent grandpa a Chromebook or isolating your guests and IoT cameras on a separate VLAN, but each of these approaches has its own drawbacks. For example, a compromised LAN device combined with a misconfigured switch can lead to VLAN hopping attacks, while giving your grandpa a Chromebook for their security may not be the best idea going forward, considering the removal of the effective content blocker API in Manifest V3 in the Chrome browser. We haven't even talked about your bestie losing their cellphone running Android Oreo at a Starbucks. With all these problems that are hard to solve or mitigate correctly using a traditional security setup, maybe we should take a look at the zero trust model. I think this is the most universal way of solving all network and data security problems at home once and for all.
However, home-friendly zero trust security has its own challenges that don't exist in the enterprise space. You don't have trusted and robust open-source (or at least free) endpoint protection solutions to use at home (personally I don't like this idea anyway, as it's not privacy friendly and can never be part of a provable security architecture, since by its nature it is a cat and mouse game). You also might not want to ask all your friends to install some custom proxy or authentication software on their computers, and yet you still want to invite them to play on your home Minecraft server, which is tightly coupled to your state-of-the-art copy-on-write backup service, while waiting for another Log4j-style code execution vulnerability to be found.
In this series I hope I can lead you through the process of designing a robust and reassuring (from a security standpoint) home-use zero trust networking model using only open-source software, and leave you satisfied and with peace of mind in the end.