22 posts tagged with "security"
Running Suricata as more than a noisy alert firehose. IDS versus inline IPS modes, AF_PACKET and NFQUEUE deployment, ruleset management with suricata-update, and the threading and tuning that keep it from becoming the bottleneck.
A two-peer WireGuard tunnel is trivial; a full mesh of dozens of nodes is a different problem. The n-squared key challenge, AllowedIPs as a routing table, keepalives for NAT, and running a dynamic routing protocol over the mesh instead of static routes.
iptables is legacy; nftables is the replacement that has shipped for years. Tables, chains, hooks and priorities, stateful matching, and the sets and maps that make nftables both faster and far more readable.
Network access control on the wired enterprise edge. 802.1X with MAB fallback, dynamic VLAN assignment from RADIUS, and the fail-open design that keeps the office working when the RADIUS server is unreachable.
The four MANRS actions turned into real config. Building prefix filters with bgpq4, enforcing AS-path sanity, deploying BCP38 anti-spoofing with uRPF, and keeping your PeeringDB and IRR records honest.
Origin validation only works if your routers have fresh, trusted ROA data. How to run Routinator, feed it to BIRD, FRR, and IOS-XR over RTR, and roll out invalid-dropping without blackholing yourself.
How an internet exchange route server actually works, and how to build one with BIRD 2. Transparent AS_PATH, per-client filtering, RPKI validation, and the BGP communities members use to control who they peer with.
Build a production-ready IOS-XE edge router. Covers secure management, IP SLA tracking for real failover, logging configuration, and common mistakes that break production.
Debug SRX policy issues when traffic flows wrong or NAT fails. Covers zone chain, policy hit counters, flow trace, and the top 5 reasons policies never match.
Implement NAT session logging on VyOS. Covers connection tracking logs, log analysis, compliance requirements, and why NAT logs are essential for troubleshooting and legal requirements.
Understand BGP FlowSpec for traffic filtering. Covers FlowSpec rules, BGP distribution, rate limiting, and why FlowSpec enables network-wide filtering from a single point.
Implement RTBH on VyOS for DDoS mitigation. Covers blackhole routing, BGP communities, triggering procedures, and why RTBH sacrifices the target to save the network.
Implement basic DDoS protection on VyOS edge routers. Covers rate limiting, connection limits, SYN flood protection, and why edge mitigation buys time for upstream solutions.
Configure VyOS with RADIUS and TACACS+ for centralized AAA. Covers server setup, failover configuration, command authorization, accounting, and why central auth is non-negotiable at scale.
Configure VyOS user management properly. Covers local user creation, SSH key authentication, privilege levels, password policies, and why root password should be disabled.
Using VRF on VyOS for network isolation that goes beyond VLANs. Covers VRF creation, inter-VRF routing, route leaking, firewalling between VRFs, and maintaining a clear mental model of your segmentation.
Real-world BGP route validation using RPKI and IRR on VyOS. Covers validator setup, policy storage, prefix validation workflow, and why filtering is a process, not a single configuration.
Configuring reliable IPsec site-to-site VPNs on VyOS. Covers IKEv2 setup, NAT traversal, dead peer detection, rekeying, and systematic debugging when things go wrong.
Complete WireGuard setup on VyOS covering site-to-site tunnels, mobile clients, kill switches, split vs full tunnel, and the two things that make WireGuard stable: MTU and routing policy.
Building secure multi-tenant Proxmox environments. Covers RBAC configuration, resource pools, API token management, audit logging, and why access control is a product that requires design.
Practical guide to choosing between LXC containers and VMs on Proxmox. Covers performance differences, security boundaries, use cases, and why containers offer speed but not always isolation.
Essential Proxmox security hardening after installation. Covers user management, SSH key-only access, host firewall configuration, automatic updates, and why security is easier to implement now than later.