Self Hosting: Episode 0

As with all endeavors, success is not guaranteed. However, without a plan... failure is.

In this series I hope to provide instruction on how to set up and self-host an environment that can provide everything necessary to function in today's connected world. While I will be simplifying setups and configurations, it is my goal that these instructions can be extended to businesses.

As with all things on the Internet, this is my opinion. I may not do things exactly as you would. That is fine. Please take this as a starting point and extend it in whatever way you see fit. Now to the planning....

Segmentation Plan

Before we start creating servers, VMs, containers, etc., we need to have a quick think about segmentation. This environment can and will have all sorts of devices on it. These devices will be used for different services and have different levels of trust. For this series the following Places In the Network (PIN) will be used as a way to segment different devices.

External Segment

This segment represents the outside untrusted world. Only the firewall(s) should ever be connected to this segment. There should be a default deny on all inbound traffic.

Whether that default deny is a DROP (all traffic is just thrown away; no return traffic is ever sent) or a RETURN (an ICMP error is sent back for bad packets) is a topic of much debate. With the DROP setup the firewall appears to be non-existent from the Internet; only "known" communications will ever connect. However, this might slow down some services that "test" for the presence of a service, since they have to wait for a timeout instead of receiving an immediate error. If you do not know that you need the RETURN response, then use DROP on the external interface.

DMZ Segment

This segment is where devices that can be accessed from outside our environment will be placed. These devices can (and should) be proxied in some form or fashion, but since direct access to them will be provided we should separate them from everything else. Devices in this segment should not be able to reach back to the Common segment. Reaching back to the IOT segment should require specific rules.

IOT Segment

This segment is where devices that are IOT in nature (cameras, outlets, doorbells, etc.) are placed. Devices in this segment will not be able to reach out to the greater Internet or any other segment without explicit rules.

Common Segment

This segment will be where all other devices will be placed. Access from this segment to DMZ or IOT is generally allowed.

Other Segments

Other segments can be created as necessary. A word of caution: each segment carries with it a new IP space, possibly a new domain, and additional firewall rules and considerations on how it should interact with all other segments. In some cases this interaction is simple and in others it can be complex. Adding segments has an exponential cost, because every new segment needs a decision about every segment that already exists. I am definitely not saying "Don't add any more segments"; I am only saying: understand the cost.

Here is a quick table that will be referenced by other episodes.

Segment    Vlan      Bridge     Address/Mask
Common     Vlan 10   Bridge 1   192.168.10.0/24
IOT        Vlan 20   Bridge 2   192.168.20.0/24
DMZ        Vlan 30   Bridge 3   192.168.30.0/24
External   Vlan 90   Bridge 4   10.0.0.0/24
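To make the segmentation plan above checkable before any firewall is built, here is a small policy model written for this post (it is an added example, not the post's own configuration). It encodes the segment table, the inter-segment rules from the DMZ, IOT and Common sections, and the default-deny behaviour from the External section: DROP toward the untrusted side, an ICMP error (the post's RETURN) between internal segments. The bridge interface names br1..br4, the choice that Common and DMZ may reach the Internet, and the explicit rules in the demo (HTTPS from outside to the DMZ, one DMZ-to-IOT port) are assumptions; the same policy is also rendered as an nftables forward chain.

```python
"""Segment policy checker for the four Places In the Network (PIN) in the post."""
import ipaddress
from typing import Dict, List, Tuple

# Segment table from the post.  The Linux bridge names (br1..br4) are an
# assumption; the post only numbers the bridges.
SEGMENTS: Dict[str, dict] = {
    "Common":   {"vlan": 10, "bridge": "br1", "net": ipaddress.ip_network("192.168.10.0/24")},
    "IOT":      {"vlan": 20, "bridge": "br2", "net": ipaddress.ip_network("192.168.20.0/24")},
    "DMZ":      {"vlan": 30, "bridge": "br3", "net": ipaddress.ip_network("192.168.30.0/24")},
    "External": {"vlan": 90, "bridge": "br4", "net": ipaddress.ip_network("10.0.0.0/24")},
}

# Segment pairs that are open by default for NEW connections (any port).
# Common -> DMZ and Common -> IOT come from the post; Common -> External and
# DMZ -> External are assumptions (clients and DMZ hosts need the Internet).
DEFAULT_ALLOW = {("Common", "DMZ"), ("Common", "IOT"), ("Common", "External"), ("DMZ", "External")}

# Pairs the post says should never be opened, even by an explicit rule.
FORBIDDEN = {("DMZ", "Common")}

Rule = Tuple[str, str, str, int]  # (src segment, dst segment, proto, dport)


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything not in the table is the outside world."""
    addr = ipaddress.ip_address(ip)
    for name, seg in SEGMENTS.items():
        if addr in seg["net"]:
            return name
    return "External"


class SegmentPolicy:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    @staticmethod
    def rule_is_valid(src: str, dst: str) -> bool:
        """An explicit rule may only join known segments and never a forbidden pair."""
        return src in SEGMENTS and dst in SEGMENTS and (src, dst) not in FORBIDDEN

    def allow(self, src: str, dst: str, proto: str, dport: int) -> None:
        """Add an explicit cross-segment rule; refuses pairs the plan forbids."""
        if not self.rule_is_valid(src, dst):
            raise ValueError(f"{src} -> {dst} is not permitted by the segmentation plan")
        self.rules.append((src, dst, proto.lower(), dport))

    def decide(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
        """Return 'accept', 'drop' or 'reject' for a NEW connection."""
        src, dst = segment_of(src_ip), segment_of(dst_ip)
        if src == dst:
            return "accept"  # intra-segment traffic never crosses the firewall
        if (src, dst) in DEFAULT_ALLOW or (src, dst, proto.lower(), dport) in self.rules:
            return "accept"
        # Default deny.  From the untrusted side the post recommends DROP so the
        # firewall looks absent.  Between internal segments an ICMP error goes
        # back (the post's RETURN; nftables calls the target "reject") so a
        # misconfigured host fails fast instead of hanging until a timeout.
        return "drop" if src == "External" else "reject"

    def to_nft(self) -> str:
        """Render the same policy as an nftables forward chain (constructed output)."""
        br = {name: seg["bridge"] for name, seg in SEGMENTS.items()}
        lines = [
            "table inet filter {",
            "  chain forward {",
            "    type filter hook forward priority 0; policy drop;",
            "    ct state established,related accept",
        ]
        for src, dst in sorted(DEFAULT_ALLOW):
            lines.append(f'    iifname "{br[src]}" oifname "{br[dst]}" accept')
        for src, dst, proto, dport in self.rules:
            lines.append(f'    iifname "{br[src]}" oifname "{br[dst]}" {proto} dport {dport} accept')
        lines += [
            f'    iifname "{br["External"]}" drop',          # untrusted side: silent
            "    reject with icmpx type admin-prohibited",   # internal: fail fast
            "  }",
            "}",
        ]
        return "\n".join(lines)


if __name__ == "__main__":
    policy = SegmentPolicy()
    policy.allow("External", "DMZ", "tcp", 443)  # constructed: a published web service
    policy.allow("DMZ", "IOT", "tcp", 8443)      # constructed: one DMZ-to-IOT reachback
    for flow in [("192.168.10.5", "192.168.30.10", "tcp", 22),
                 ("192.168.30.10", "192.168.10.5", "tcp", 445),
                 ("203.0.113.7", "192.168.30.10", "tcp", 22),
                 ("192.168.20.8", "8.8.8.8", "udp", 53)]:
        print(flow, "->", policy.decide(*flow))
    print(policy.to_nft())
```

The forward chain only governs routed traffic between bridges; a service published from the External segment into the DMZ additionally needs a DNAT rule in a prerouting chain, which is out of scope here. The value of the model is that a proposed exception such as DMZ to Common is refused at the point where someone types it, rather than discovered later in a log.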

Iterative approach

With this series we will touch on many topics. I will purposely limit my discussion of each topic to just the item at hand and, when the time is right, may come back to the topic to extend it with additional items as required. As I know that people will skip around when reading the articles, I will do my best to refer back to previous articles where a similar topic was covered.

Services

Finally, the good stuff. The following services will be required to build the self-hosted environment. These services can run on whatever hardware you have available (or virtual hardware in the cloud). How you choose to deploy these services is up to you and your budget. In these examples I will assume that all hardware and services are "local" unless otherwise specified.

List of services

  • Storage - We will need somewhere to store our OSes, files, etc.
  • Virtual Machines - We will need a place to create virtual machines and services to run within the environment.
  • Firewall - Perhaps the most important service (only slightly ahead of DNS). This will allow communication between the different segments.
  • DNS/DHCP - It all starts with DNS. We will create a DNS environment that we can build on and add to.
  • Certificates - Right behind DNS, we will create our own Certificate Authority and manage our own certificates.
  • Accounts - Even if this environment is only used by a single person, different types of accounts will be necessary.
  • SSO/MFA - With all these accounts, being forced to log in to every machine/service every time gets annoying. Setting up an SSO/MFA solution will help consolidate authentication.
  • Logging - What happens when things go wrong... and they will? We need logs.
  • Email - This is what it is all about? Well, not totally, but email still plays an important role in interacting with the outside world.

This is not the complete list of services that we can host, but it is my list of required services that we must host in order to really host anything else.

Conclusion

Throughout this series I will be running different operating systems and software. I will endeavor to list the version used.

Now we have a plan. Success still isn't guaranteed... but we can now measure how close we came.