Re: OpenBSD Home Server + Workstation on same machine?

2022-03-23 Thread David Rinehart
On 3/21/22 20:22, Eric Thomas wrote:
> Hello,
>
> I'd like to learn about secure networking (PKI, x509 certs, DNS, IPS, etc.)
> and generally
> harden my home network using OpenBSD. Can I use OpenBSD services AND have
> it act as a desktop workstation on the same machine?
>
> Ref:
> https://superuser.com/questions/1712101/openbsd-home-server-workstation-on-same-machine
>
> Thanks,
> Eric

Secure networking - Consideration: Defense in depth - If your services machine
is compromised, what will be exposed?

A server machine and a desktop machine are different roles, with different 
requirements.  Mixing both in one machine can be done but you may not learn as 
much.

I sent a message to the list in December describing my approach (covering 3 
years) - May be interesting reading:

https://marc.info/?l=openbsd-misc=164058491013379=2




Re: OpenBSD Home Server + Workstation on same machine?

2022-03-22 Thread Hannu Vuolasaho
On Tue, 22 Mar 2022 at 5:25, Eric Thomas wrote:

> Hello,
>
> I'd like to learn about secure networking (PKI, x509 certs, DNS, IPS, etc.)
> and generally
> harden my home network using OpenBSD. Can I use OpenBSD services AND have
> it act as a desktop workstation on the same machine?
>
Hi,

My answer is no and yes. This is based on the laziness factor.

The no part is that sometimes the services may work locally but not
from the network.
Also, it is much nicer to work from the sofa with a laptop and not listen to
the server making its noise.

The yes part is that it is so nice to have even some real computer to surf on
when everything seems to be broken and the next step would be to start all
over again.

It is so nice to start xenodm, log in and surf to find the solution to the
problem and fix it, if some part of the network configuration is still
working.

Best regards,
Hannu Vuolasaho


Re: OpenBSD Home Server + Workstation on same machine?

2022-03-22 Thread Luke A. Call
On 2022-03-22 16:13:47+0100, Łukasz Moskała wrote:
> On Mon, Mar 21, 2022 at 08:22:36PM -0700, Eric Thomas wrote:
> > Hello,
> > 
> > I'd like to learn about secure networking (PKI, x509 certs, DNS, IPS, etc.)
> > and generally
> > harden my home network using OpenBSD. Can I use OpenBSD services AND have
> > it act as a desktop workstation on the same machine?
> > Ref:
> > https://superuser.com/questions/1712101/openbsd-home-server-workstation-on-same-machine
> 
> You CAN do that, but you shouldn't.
> You should run as few services on the firewall as possible. Let's say that
> there's a bug in the browser that causes the machine to hang. Now, because your
> browser had a bug, your whole network is down until you do a hard reboot.

OpenBSD's reliability seems to make this very unlikely.  Still a valid
point, but one to be balanced against your needs.  I guess there could be
hardware issues triggered by a browser?

> If someone could exploit a bug in the browser to gain root access (not very likely,
> but still), the attacker could see traffic from your entire network, not just
> your workstation.
> Fewer services running on the firewall means a smaller attack surface. Best practice
> would be to run only network-related services, like DNS, DHCP, VPNs, IDS/IPS,
> on the firewall, and keep everything else away from it.

True, there is a smaller attack surface on separate machines, but more
other costs (machines to deal with, at least).  OpenBSD's
mitigations (code auditing, pledge/unveil, and the best track record
I have ever heard of in a general-purpose POSIX OS, etc.), plus some other
things you can do (which I am learning more about now) to limit what
browsers can do to other apps in X, and maybe putting a umask of 0077
in /etc/profile (but with an exception when running pkg_add),
make this unlikely enough that using a single machine might be
worthwhile for you overall.  Especially if learning is the goal, and you
are not supporting a huge expensive enterprise or some such.

Having an extra machine to test upgrades on before doing them in
production can be useful.

The other points made (which I didn't quote) could be valid for you.

Just $.02.



Re: OpenBSD Home Server + Workstation on same machine?

2022-03-22 Thread Łukasz Moskała
On Mon, Mar 21, 2022 at 08:22:36PM -0700, Eric Thomas wrote:
> Hello,
> 
> I'd like to learn about secure networking (PKI, x509 certs, DNS, IPS, etc.)
> and generally
> harden my home network using OpenBSD. Can I use OpenBSD services AND have
> it act as a desktop workstation on the same machine?
> 
> Ref:
> https://superuser.com/questions/1712101/openbsd-home-server-workstation-on-same-machine
> 
> Thanks,
> Eric

Hi Eric,

You CAN do that, but you shouldn't.

First of all, you most likely overestimate how many resources you need. I used
to run pfSense with snort/suricata (can't remember which one) on a 3rd gen
dual-core i3.

You should run as few services on the firewall as possible. Let's say that
there's a bug in the browser that causes the machine to hang. Now, because your
browser had a bug, your whole network is down until you do a hard reboot.
If someone could exploit a bug in the browser to gain root access (not very likely,
but still), the attacker could see traffic from your entire network, not just your
workstation.
Fewer services running on the firewall means a smaller attack surface. Best practice
would be to run only network-related services, like DNS, DHCP, VPNs, IDS/IPS, on the
firewall, and keep everything else away from it.

Using OpenBSD as a wifi access point is possible, but depending on your network
card, it may work well, may work somewhat well, or may not work at all. If you
have a wifi card lying around, give it a try. If you don't have a wifi card lying
around, I'd recommend getting a separate AP, as that will give better results. If
you want to buy a wifi card specifically for OpenBSD, check in the manual if it's
supported at all, and if it can work in hostap mode.

In my experience, servers aren't usually good workstations, as they have
crappy GPUs, so for example using a web browser may be laggy.

Now, why don't you just use your server as a firewall, and use your laptop as a
workstation? You can get a USB SSD and install OpenBSD to it, so that it's easy
to dual-boot.


Also, you could virtualize both the workstation and the firewall, alongside each other.
Keep in mind that to get good graphics performance in a VM, you need to allocate
the entire GPU to it (and then you need another for the host; usually integrated will
be enough).
So besides a second GPU, to do GPU passthrough you need a CPU that supports VT-d and
a hypervisor that supports PCI passthrough (VMware ESXi, Linux KVM, XCP-ng should
work). It's possible, but it's probably the hardest option, and I wouldn't
recommend it if you are just starting out.

So, all things considered, the easiest option would be to use the server as a firewall,
then dual-boot the laptop as a workstation, or get a cheap second-hand PC.

Kind regards,
Łukasz



OpenBSD Home Server + Workstation on same machine?

2022-03-21 Thread Eric Thomas
Hello,

I'd like to learn about secure networking (PKI, x509 certs, DNS, IPS, etc.)
and generally
harden my home network using OpenBSD. Can I use OpenBSD services AND have
it act as a desktop workstation on the same machine?

Ref:
https://superuser.com/questions/1712101/openbsd-home-server-workstation-on-same-machine

Thanks,
Eric