On 2022-03-22 16:13:47+0100, Łukasz Moskała <l...@lukaszmoskala.pl> wrote:
> On Mon, Mar 21, 2022 at 08:22:36PM -0700, Eric Thomas wrote:
> > Hello,
> > 
> > I'd like to learn about secure networking (PKI, x509 certs, DNS, IPS, etc.)
> > and generally
> > harden my home network using OpenBSD. Can I use OpenBSD services AND have
> > it act as a desktop workstation on the same machine?
> > Ref:
> > https://superuser.com/questions/1712101/openbsd-home-server-workstation-on-same-machine
> You CAN do that, but you shouldn't.
> You should run as few services on the firewall as possible. Let's say that 
> there's a bug in the browser that causes the machine to hang up. Now, because your 
> browser had a bug, your whole network is down, until you do a hard reboot.

OpenBSD's reliability seems to make this very unlikely.  Still a valid
point, but to be balanced against your needs.  I guess there could be
hardware issues triggered by a browser?

> If someone could exploit a bug in the browser to gain root access (not very likely, 
> but still), the attacker could see traffic from your entire network, not just 
> your workstation.
> Fewer services running on the firewall means a smaller attack surface. Best practice 
> would be to run only network-related services, like DNS, DHCP, VPNs, IDS/IPS, 
> on the firewall, and keep everything else away from it.

True, there is a smaller attack surface on separate machines, but there are
other costs (more machines to deal with, at least).  OpenBSD's 
mitigations (code auditing, pledge/unveil, and the best track record
I have ever heard of in a general-purpose POSIX OS, etc.), plus some other
things you can do (which I am learning more about now) to limit what 
browsers can do to other apps in X, & maybe putting a umask of 0077 
in /etc/profile (but with an exception when running pkg_add), 
make this unlikely enough that using a single machine might be
worthwhile for you overall.  Especially if learning is the goal, and you
are not supporting a huge expensive enterprise or some such.  

Having an extra machine to test upgrades on before doing it in
production can be useful.

The other points made (which I didn't quote) could be valid for you.

Just $.02.
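The umask-in-/etc/profile idea above, as an added example that is not part of the thread: the restrictive default makes every new file private to its owner (mode 0600 instead of 0644), and a small subshell wrapper restores the conventional 022 only for package installation. The wrapper names `with_install_umask` and `new_file_mode` are my own; `pkg_add` and the 0077/022 values come from the post. Whether pkg_add actually needs this is something the thread asserts rather than shows, so treat the exception as the poster's suggestion.

```sh
#!/bin/sh
# Added example (not from the original thread): a fragment one could place in
# /etc/profile so that login shells default to a private umask, with a wrapper
# that runs package installation under the usual 022.

# Restrictive default: new files come out as rw------- (0666 & ~0077 = 0600),
# so another local user or a compromised unprivileged process cannot read them.
umask 0077

# Run a command with the conventional install umask inside a subshell, so the
# global 0077 is back in force the moment the command returns.
with_install_umask() {
    (umask 022; "$@")
}

# Shadow pkg_add with a function so interactive use picks up the exception.
# umask is inherited across exec, so wrapping is what keeps installed files
# readable; without it, pkg_add would inherit the 0077 above.
pkg_add() {
    with_install_umask command pkg_add "$@"
}

# Demonstration helper: create an empty file at the given path and print its
# permission string (the first ten columns of ls -l), e.g. "-rw-------".
new_file_mode() {
    : > "$1" || return 1
    ls -ld "$1" | cut -c1-10
}
```

Usage note: if you install packages as root through doas, the `pkg_add` function is not seen by doas (it execs the real binary), so call `with_install_umask doas pkg_add ...` instead; the subshell's 022 is inherited by doas and by pkg_add. To see the effect, compare `new_file_mode /tmp/a` (reports `-rw-------`) with `with_install_umask new_file_mode /tmp/b` (reports `-rw-r--r--`).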
