Thank you so much for the explanation. I followed everything but:
Untagged (sometimes called Access) is something you apply on a switch port. For example, if you assign a port to Untagged VLAN 32, anything connected to that port will only be able to connect to port 32.
I couldn’t really understand what you meant here. Did you mean VLAN 32 in the last line?
Thanks, but isn’t ARP contained inside a subnet? I guess you could find everything if you inspected the MAC table of the main switch
I see, I was completely off-track lol. But isn’t this really for a setup where each computer is connected to an individual port of the switch? I.E. this won’t work if to one port of an L3 switch one were to attach a dumb 5 port switch and plug 4 computers in
Thank you. In theory, is there a mechanism which will prevent other hosts from tagging the interface with a VLAN ID common with another host and spoof traffic that way? Sorry, I need to study more about this stuff
Thank you for the great comment.
This line cleared it up for me:
802.1q aware switch and gateway to use VLANs effectively.
It is indeed as you say. VLANs on a trunk port wouldn’t really work for security either. This is making me reconsider my entire networking infrastructure since when I started I wasn’t very invested in such things. Thanks for giving me material to think about
I see. I didn’t know about this. I have saved your comment, I’ll come back to this in a bit
Thank you for the comment.
My threat model in brief is considering an attack on my internal networking infrastructure. Yes, I know that the argument of “if they’re in your network you have other problems to worry about” is valid, and I’m working on it.
I’m educating myself about Lynis, AuditD and OpenVAS, and I tend to use OpenSCAP when I can to harden the OS I use. I’ve recently started using OpenBSD and will use auditing tools on it too. I still need to figure out how to audit and possibly harden the Qubes OS base but that will come later.
Yes, I do realise that the dumb switch has an OS. And you raise a good point. I’m starting to feel uneasy with my existing netgear dumb switches too. Thank you for raising this, I think a whitebox router build might be the only way.
I’d like to mention that I would use VLANs if I could use them on hardware and software I feel comfortable with. But I cannot. Whitebox build it is, I suppose.
Thanks again for the comment and I’d like to hear any suggestions you have.
Ah, is that something like sticky ports?
Indeed, I would like to run a switch with a FOSS OS, and I don’t see any viable way of doing that. Unfortunate, but whitebox router + switch it is then
Hmm, I haven’t heard of that before. Could you explain?
Could you elaborate why the question of trust invalidates using just subnets?
Thanks, but to make that work I would need a managed switch running a proprietary OS can I cannot trust. If there was a switch running a FOSS OS then I would use that
Thanks, yes I realised that OpenWRT devices can do this
I use testing, prod and stale. Stale is simply one version behind prod in case I see something in prod I need to roll back
I’d either have to do it in the router (which would need a lot of PCIe network cards which can get expensive + difficult to accommodate enough physical PCIe lanes on consumer hardware) or run it on a switch running a proprietary OS that I can’t control and don’t know what it’s doing underneath.
Ah, sucks
I see. But does the installation cover hardening steps like hardened_malloc, permission hardener, kernel self-protection etc?
I had looked into openstack a while back but left it thinking it was too complex. I was looking at Apache’s Cloudstack then.
I see now that a contributor has got Debian in the official list of supported distributions. Which means my distro-morphing idea should work in theory with OpenStack. This is a great idea, thanks. I will look at OpenStack more seriously now. Does look like it will need some effort though
No, I do not trust my computers that much. Quite unfortunate, really that I’ll have to build a whitebox switch to get what I want
I never considered tailscale for my LAN, but it’s certainly an intriguing idea. I suppose running Headscale as a VM on my router isn’t that difficult. Thank you, I will think about it a bit more
Sorry, I’m not sure what you mean by “ARP bridges L1 and L2”. I’ll have to read more about this. Other than that, I understand what you said.