Equipment

Daily workstations

I have two daily drivers:

ThinkPad T430

  • OpenBSD-current (daily snap updates), with XFCE
  • Extended with a total of 16GB RAM
  • Three SSDs (main slot: Samsung 850 Pro 1TB, msata: Samsung 850 Evo 500GB, odd: caddy with Kingston A400 960GB)
  • Camera's and microphones physically removed

HP EliteDesk

  • OpenBSD 6.4-current, daily snap updates, XFCE
  • Intel i7-8700
  • 64 GB RAM
  • 1 TB M.2 SSD
  • Hooked to a Dell U2715H monitor

Homelab

QNAP NAS

  • AMD Quad Core CPU with Radeon Graphics
  • Extended with a total of 16GB RAM
  • HardenedBSD
  • 4 x 10TB WD Red, with ZFS

Server01: Dell R410

  • OpenBSD 6.3-stable
  • 2 x Xeon E5640
  • 64GB ECC RAM
  • 2 x Samsung 850 Pro 512GB, 2 x 6TB WD Red Pro

Server02: Dell R410

  • OpenBSD 6.4-current
  • 2 x Xeon E5640
  • 64GB ECC RAM
  • 4 x 6TB WD Red Pro

Network

  • Uplink: vDSL2+, OpenBSD VM PPPoE firewall/gateway, /29 IPv4, /56 IPv6. RJ11=>RJ45 via Draytek
  • Network mainly segmented in two subnets: home and work. Both firewalled (pf, suricata), home with blacklist policy, work with whitelist policy (IP and port) and only hardwired - not reachable via WiFi
  • Home WiFi via a TP-Link Archer C7, OpenWRT snapshot, 'poor mans AP' configuration. Management only via SSH
  • DNS via VM (Unbound, with adblocking)

Other

  • Guest WiFi has capped bandwith, no monitoring, no logs and adblocking on DNS level. Login with WPA2 Personal (AES), each user with an isolated VLAN.
  • All storage with full disk encryption, each client with firewall and HIPS. Central syslog/IPS logging to a VM.
  • Physical security implemented. Breaches result in an immediate power-off, thus effecting FDE.