john rease🇺🇸

building another version of secret internet protocol network router

hello:

I would like to see if it's possible to build something similar to the Secret Internet Protocol Router Network.

My guess of what I would do is to make a classified Wi-Fi or Ethernet network, with the Wi-Fi using WPA3-Enterprise in 192-bit mode, and block all domains except the ones authorized for the business.

Is this possible?

 

Zero AI Policy

We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.


skullnobrains

Not a chance with Wi-Fi.

 

Said networks are essentially disjoint from the internet and available to allowed people.

 

You can build a LAN with port security and possibly pile a VPN to a central host on top, while forbidding everything else at the switch level.

 

If you are after WPA3, that is basic enterprise-grade security. You can enforce two-factor or one-time passwords in the RADIUS server, or both.


john rease 🇺🇸

ASKER

It'd actually be client certificates.

Also, no, no ports are being forwarded here.

I don't want them to be able to access the network remotely.

I want to ensure they have to be in the office if they want to access anything.

They cannot be, say, inside their house or a coffee shop.

Also, yeah, my guess is that the Wi-Fi router would not connect to the internet, as in no internet connection at all. It'd all be local: Matrix for encrypted messaging and calling and file sharing, and... that's about it.

 


I mean port security as in 802.1X.

 

What you describe is rather basic security, with just no internet access.

 

As long as you have Wi-Fi and outside messaging, the remaining attack vectors are significant, though total internet isolation will make them difficult to exploit.

 

IRL, that does not prevent ransomware or other malware from spreading, but will make most zombie programs unable to make contact with the attacker.




john rease 🇺🇸

ASKER

I see. Obviously I will do port security too.
Also, I will make sure to do client isolation, in order to make sure clients can't talk to each other.

Might also have a few canaries as honeypots sitting around to detect potential hacks.

But I think I'll manually approve devices that I connect to the network, as in they can't access it unless I actually go in and say hey, it's OK for you to access the network.


That is a lot of work for little benefit. Hacking Wi-Fi is very real and there is no such thing as allowing devices: MAC addresses can be spoofed. Likewise, the systems you run are probably much more vulnerable than the LAN if they leave the building.

 

If you want safe, make it wired, preferably fiber, add port authentication, encrypt all transfers, possibly with a local VPN, and make sure the devices do not leave the building. If possible, make these devices read-only and use some kind of OTP along with other means for auth.

 

It is my belief you probably do not really need that kind of security and had better focus on authentication and secure systems.

 

Feel free to elaborate, but if you are running a Windows domain, you probably have much more pressing issues.


john rease 🇺🇸

ASKER

No, I'm not running a Windows domain.

Also, yeah, the computers will actually be mounted to desks.

Also, where would a VPN come in handy if it's not connecting to the internet? You're connected on that network, right? Or is there something I am not seeing?

 

But I do have to get management sorted in terms of device management, though I'm not sure how I would do that with an air-gapped system in a secure manner.

I also want to be able to let the computer encrypt files using something like VeraCrypt.

Also, good idea, read-only sounds good.

Also, yeah, OTP is not a bad option. Probably TOTP.

Oh, and I don't want them to be able to, say, plug in a USB stick and take files out.

 




In that case, the VPN essentially acts as an extra auth layer in case the physical network gets compromised. It also allows much better auth schemes, such as a key + some OTP, possibly combined with an actual password. I would recommend this approach for a safe Wi-Fi. That may be overkill with a physical LAN and port security.

 

It also allows isolating devices at the switch level while still allowing them to communicate through the VPN, if that is desired, without bothering to set up a different LAN per host. Otherwise, isolating at the switch level breaks communications within the same LAN and routing cannot kick in.

 

You can also trigger alerts on any network activity beyond VPN traffic, which can quite easily act as an early warning.

 

Obviously no USB at all. The main issue is not taking files out but rather importing viruses, or rather rootkits. You need to physically block the ports or at least disable them in the BIOS. The real PITA here is that mice and keyboards are USB nowadays. Back in the day, for that kind of security, you would solve the issue by gently unplugging and locking cases, or occasionally with a hammer or a large screwdriver and much less delicacy, and use PS/2 devices. Pretty sure many of the military still do that.

 

Nowadays, you can probably stick the whole cases in some locked drawer.

 

Encrypted drives will help in case of theft and make no difference otherwise. Working remotely on some server so the files never reach the machines also makes sense. For air-gapped, I like to use live distributions, preferably on read-only media such as a non-rewritable CD-ROM.

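The early warning the answer above describes, alerting on any wire traffic that is not the VPN tunnel, as an added example that is not part of the thread. It parses netfilter LOG-style lines (the KEY=VALUE format the iptables/nftables log action writes) and flags every packet that is not tunnel traffic to the concentrator, allowing only the DHCP housekeeping a switched LAN cannot avoid. The concentrator address 10.10.0.1, the WireGuard port 51820, the 10.10.0.0/24 LAN and the log lines themselves are all constructed for the example.

```python
"""Early-warning detection for a VPN-only LAN (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed deployment: a single WireGuard concentrator at 10.10.0.1, UDP/51820.
# On this LAN nothing else is legitimate; a workstation talking to a peer,
# to the internet, or even pinging the gateway outside the tunnel is news.
VPN_ENDPOINTS = {("10.10.0.1", "UDP", 51820)}
HOUSEKEEPING = {("UDP", 67), ("UDP", 68)}   # DHCP; ARP never shows up in an IP log
LAN_PREFIX = "10.10.0."                      # assumed workstation subnet

_KV = re.compile(r"\b([A-Z]+)=(\S*)")


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    reason: str


def parse_netfilter_line(line: str) -> dict:
    """'SRC=10.10.0.23 DST=10.10.0.1 PROTO=UDP DPT=51820 ...' -> dict of fields."""
    return dict(_KV.findall(line))


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for anything that is not expected tunnel/DHCP traffic."""
    f = parse_netfilter_line(line)
    if "SRC" not in f or "DST" not in f or "PROTO" not in f:
        return None                      # not a packet log line, ignore
    dpt = f.get("DPT", "")
    dport = int(dpt) if dpt.isdigit() else None   # ICMP lines carry no DPT
    if (f["DST"], f["PROTO"], dport) in VPN_ENDPOINTS:
        return None                      # expected tunnel traffic
    if (f["PROTO"], dport) in HOUSEKEEPING:
        return None                      # DHCP discover/renew
    if f["DST"].startswith(LAN_PREFIX):
        reason = "lateral traffic outside the tunnel"
    else:
        reason = "traffic leaving the LAN outside the tunnel"
    return Alert(f["SRC"], f["DST"], f["PROTO"], dport, reason)


def scan(lines: Iterable[str]) -> list:
    return [a for a in map(classify, lines) if a is not None]


# Constructed sample: one workstation, five packets.
SAMPLE_LOG = [
    "Mar  3 09:12:01 ws01 kernel: IN=eth0 OUT= SRC=10.10.0.23 DST=10.10.0.1 LEN=176 PROTO=UDP SPT=51820 DPT=51820 LEN=156",
    "Mar  3 09:12:02 ws01 kernel: IN=eth0 OUT= SRC=10.10.0.23 DST=10.10.0.24 LEN=60 PROTO=TCP SPT=44512 DPT=445 WINDOW=64240 SYN",
    "Mar  3 09:12:03 ws01 kernel: IN=eth0 OUT= SRC=0.0.0.0 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=68 DPT=67 LEN=308",
    "Mar  3 09:12:04 ws01 kernel: IN=eth0 OUT= SRC=10.10.0.23 DST=8.8.8.8 LEN=73 PROTO=UDP SPT=5353 DPT=53 LEN=53",
    "Mar  3 09:12:05 ws01 kernel: IN=eth0 OUT= SRC=10.10.0.23 DST=10.10.0.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT {alert.src} -> {alert.dst} {alert.proto}/{alert.dport}: {alert.reason}")
```

Because the allow list is a handful of tuples rather than a signature database, the interesting property is the inverse of an IDS: any hit is by definition something the design said could not happen, so the SMB attempt to a neighbour, the DNS query to the outside and the ping outside the tunnel all surface without a rule per threat.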

john rease 🇺🇸

ASKER

What VPN do you recommend? WireGuard? OpenVPN? An IPsec tunnel?

Also, is there a tutorial that shows how best to do this?

Also, yeah, I will have data encrypted at rest with VeraCrypt.

Also, for intrusion prevention, I might set up a local Wazuh server just in case; that might take care of it.

Also, there will be no working from home; office access is required.

Also, I think I might use something like AppLocker to block executable code.

As for the USBs, I'm thinking of just completely taking out the USB ports and all other ports except for the Ethernet and headphone jack ports.

And what live distributions would you recommend? Tails OS?


I would not recommend any specific VPN. Actually, some authenticated SOCKS proxy or the one built into SSH can do the trick. OpenVPN, tinc... There is no need for a tutorial. The docs are plenty and there is not much to figure out.

 

VeraCrypt and AppLocker mean you expect Windows machines. That implies a lot if you are expecting this kind of security level, including the need for internet access so updates work. I believe the whole setup is vastly overkill as long as you want to run Windows or any major Linux distribution.

 

As far as distributions go, I would prefer to build my own, avoiding D-Bus, udev, mDNS, systemd and other bloated, crappy, impossible-to-audit stuff. You can work something out from antiX (with D-Bus), or Void, or Alpine, or run your own Linux From Scratch. That really depends on what you want to provide in terms of usability. I have not audited Tails OS but I can take a quick look if you want. Just a quick look, though. Knoppix also makes sense, assuming you check there is no systemd and pick an earlier version if there is.

 

I have zero trust in, and find very little usefulness in, most IDS systems. I do not know Wazuh at all.

 

Taking out USB ports leaves the keyboard and mouse issue, unfortunately, unless the hardware supports PS/2, which is rare nowadays.




john rease 🇺🇸

ASKER

Oh. I thought you said you'd recommend live distributions:

"for air-gapped, I like to use live distributions, preferably on read-only media such as a non-rewritable CD-ROM"

Also, yeah, please do take a quick look; it looks secure.


I would rather create my own.

 

Although Tails' goals look nice and possibly inspiring, my level of trust regarding early versions is limited (and I do remember taking a look) and my level of trust regarding current versions is basically nil. And I did not dig. Among other issues: it has attracted way too much attention in past years and features way too much to be auditable.

 

But really, that depends on what you are after.

 

Depending on what you need, some kernel + a basic 50-line init + VPN software + an SDL-based VPN client could be more than enough.


john rease 🇺🇸

ASKER

hmmmm.

Also, I plan to load something called coreboot on top of Heads, where there will be a special hardware device with a cryptographic signature and you need to plug that device in. If the device/end-user device matches the key, it's good, and if not, that's a sign someone tampered with something.




coreboot is more or less an implementation of an EFI BIOS, if memory serves right. That already comes with your hardware. You can just add your kernel signature to some existing BIOS, which does not even make that much sense in your case, as port security will trigger on any existing OS as soon as it is plugged in anyway.


john rease 🇺🇸

ASKER

Yeah, but I'm not talking about the network level. I'm talking about the computer itself.


Sure, but coreboot requires quite a lot of work. I would not make that my primary focus nowadays on regular hardware. You need much more control at the OS level...




john rease 🇺🇸

ASKER

Yeah, it's just a layer, I guess.

And BTW, I think I will use either YubiKeys or Nitrokeys for authentication and logon, as they seem like secure options.

Also, I'm curious as to whether I should have an HSM as part of my configuration. I think I will use YubiHSM.

I'm definitely not using a cloud-provided HSM like Amazon's CloudHSM because technically that is software-based; you're not deploying it on your own hardware, which completely defeats the purpose of HSMs altogether.


coreboot is not just another layer. It is a replacement for an existing layer. Actually, hardware vendors can totally use it.

 

YubiKey, local CA... makes sense IMHO, though I would keep at least one layer fully under control.

 

 


john rease 🇺🇸

ASKER

Hmmmm. I see.

So I'm gonna avoid using a Windows system (because that's clearly secure, right) (not) and I will use Linux.

I think I will use either the Linux version of VeraCrypt, or the Linux Unified Key Setup (LUKS).

Definitely will have file encryption there.

Either that, or I can consider using Qubes for some computers that need compartmentalization.

I will have port security via client certificates on a YubiKey, and a one-time password.

The USB port will be disabled, and I will program Linux to not execute executable code.

Oh, and I'll have a VPN for a second layer of network authentication.

I think I might also wanna modify the SE host file (if Linux has one) and, just in case it (somehow) gets onto the public internet, it can't do anything.

I might even add something like DISA STIG for further security:

https://public.cyber.mil/stigs/

I'll probably use a local management server, like a local Samba, to manage the computer itself via Linux.

I think I'll also add a zero-trust model and say that the VPN session can only last for, I don't know, 1 hour.

Also, I'll have an air-gapped cloud server with Nextcloud where all the files can be end-to-end encrypted. I haven't decided whether it'd be end-to-end encryption via the Nextcloud client itself, or putting an encrypted file down there.

And keys will be stored either on a YubiKey or an HSM; I haven't figured that one out yet.

For instant messaging, I'll run Matrix Synapse, and for encrypted email, I'll have Thunderbird running S/MIME encryption via a trusted certificate.

Hopefully this will be enough to duplicate this project.




If you are going to run Linux or some other *nix system, I would advise against using proprietary stuff such as VeraCrypt. There are much easier and better-supported ways to encrypt drives, like just turning on encryption in Btrfs or ZFS. Note said encryption is essentially moot unless the decryption key stays with the user and is pulled away from the computer when he/she leaves and the computer is powered off.

 

Disabling USB at the OS level only offers limited protection, as microcode gets executed whenever you plug devices in. USB can push drivers internally to cope with hubs and unexpected hardware. It will successfully prevent plugging in some storage device, though.

 

No idea about STIG, but in case that was unclear, air-gapped systems are not compatible with vendor black boxes, or rather these defeat the initial goal.

 

Remote management through Samba is not a thing, and additionally undesirable if it worked. That just adds more exposure and more room for lateral movement.

 

Both VPN sessions and computers can be shut down (or locked, and encrypted drives unmounted) on inactivity rather than after some annoying timeout.

 

Note that just blindly encrypting everything you can achieves little to nothing in terms of security, which needs to be comprehensive.

 

As an example of the user side of being comprehensive, encrypting a data drive allows unmounting said drive when the computer is locked, or rather after a sane timeout so your user can take a short break. People occasionally pee and like to find their work when they come back. Instant unmount might result in people sticking a paperweight on their keyboards to keep the computer active during their breaks. Encrypting the whole system achieves nothing useful. In the end, if the computer is properly locked, an intruder would likely stop the computer to take it away or pull out the drives, so you probably had better not bother with unmounting altogether.

 

S/MIME encryption means a local CA needs to be available. I am unsure bothering with email at all makes much sense in air-gapped systems. I would probably prefer some webmail with client-side PGP or S/MIME decoding.

 

Once more, I do not know your project goals, but you probably do not need military-grade security and, although talking is nice, there is so much you can do and your focus is very likely diverted into rather unrealistic things compared to the actual use case. As an example, external email on air-gapped systems is hardly a thing and entirely incompatible with the use of some local client.

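What "disabling USB at the OS level" can and cannot do, as an added example that is not part of the thread. Linux exposes a USB authorization layer through sysfs (documented in the kernel's Documentation/usb/authorization.rst): writing 0 to usbN/authorized_default on each root hub makes newly plugged devices stay unconfigured and unbound, and each enumerated device has its own authorized flag. The script below turns on default-deny and then deauthorizes every already-present device that is not purely a keyboard/mouse (interface class 03) or a hub (class 09), which is the keyboard-and-mouse problem the answer raises. It takes the sysfs directory as a parameter so it can run against a constructed fake tree; the device names, classes and the composite "keyboard plus storage" gadget in that tree are made up for the demonstration. The caveat in the answer still stands: the kernel has already parsed the device's descriptors before authorization applies, and a keystroke-injecting gadget that declares itself class 03 passes this filter, so physical control of the ports remains the real fix.

```python
"""Default-deny USB via the kernel authorization interface (added example)."""
import re
import tempfile
from pathlib import Path

SYSFS_USB = Path("/sys/bus/usb/devices")
ALLOWED_CLASSES = {"03", "09"}   # 03 = HID (keyboard/mouse), 09 = hub
# Device directories look like 1-1 or 1-2.3; root hubs are usbN and
# interfaces are 1-1:1.0, neither of which matches this pattern.
_DEVICE = re.compile(r"^\d+-[\d.]+$")


def _write(path: Path, value: str) -> None:
    path.write_text(value)


def device_interface_classes(dev: Path) -> list:
    """bInterfaceClass of every interface directory under a device."""
    classes = []
    for iface in dev.glob(f"{dev.name}:*"):
        f = iface / "bInterfaceClass"
        if f.is_file():
            classes.append(f.read_text().strip())
    return classes


def lockdown_usb(sysfs_devices: Path = SYSFS_USB) -> dict:
    """Deny new devices, keep only pure HID/hub devices among existing ones.

    Returns {name: decision} so the caller can log what was cut off.
    Needs root on a real host.
    """
    decisions = {}
    # 1. Future hot-plugs: 0 = new devices are not authorized (2 would mean
    #    "internal ports only", 1 is the permissive default).
    for hub in sorted(sysfs_devices.glob("usb*")):
        f = hub / "authorized_default"
        if f.is_file():
            _write(f, "0")
            decisions[hub.name] = "default-deny"
    # 2. Already enumerated devices: a composite device that is a keyboard
    #    AND a storage interface is exactly the shape to refuse.
    for dev in sorted(sysfs_devices.iterdir()):
        if not _DEVICE.match(dev.name):
            continue
        classes = device_interface_classes(dev)
        keep = bool(classes) and all(c in ALLOWED_CLASSES for c in classes)
        _write(dev / "authorized", "1" if keep else "0")
        decisions[dev.name] = "allow" if keep else "deauthorized"
    return decisions


def build_demo_tree(root: Path) -> None:
    """Constructed fake sysfs layout, for running the script offline."""
    (root / "usb1").mkdir()
    _write(root / "usb1" / "authorized_default", "1")
    layout = {
        "1-1": ["03"],          # keyboard
        "1-2": ["08"],          # mass-storage stick
        "1-3": ["03", "08"],    # composite: keyboard + storage (BadUSB shape)
        "1-4": ["09"],          # hub, e.g. inside a monitor
    }
    for name, classes in layout.items():
        dev = root / name
        dev.mkdir()
        _write(dev / "authorized", "1")
        for n, cls in enumerate(classes):
            iface = dev / f"{name}:1.{n}"
            iface.mkdir()
            _write(iface / "bInterfaceClass", cls)


def demo() -> dict:
    """Run the lockdown against the fake tree and report the resulting state."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo_tree(root)
        result = lockdown_usb(root)
        result["usb1/authorized_default"] = (root / "usb1" / "authorized_default").read_text()
        result["1-2/authorized"] = (root / "1-2" / "authorized").read_text()
        return result


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Run with the default argument as root to apply it to the live system; it must be re-applied on every boot (authorized_default resets to 1), which is one more reason the answer prefers removing the ports or locking the case over any software switch.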

john rease 🇺🇸

ASKER

No, there will be no external email.

And yes, obviously there will be a local CA available.

Also, VeraCrypt is open source.

And I might have the user, maybe, I don't know, keep the key in, say, an office locker where it can be locked and unlocked with a key or physical lock.

Also, as said before, there will be no computer leaving the building; it's going to be mounted to a desk with strict security requirements.

I might even go a step further and mount it in a Friday bag/cage.

Also, yeah, webmail is good, but I don't know if I trust in-browser cryptography.

But yes, there will be a local CA available; that's pretty easy with something like LibreSSL (would rather not use OpenSSL).

Keys will be preloaded to an HSM, though, for security, and won't be kept on the system.

Also, how would you suggest managing the server at a local level?


john rease 🇺🇸

ASKER

Correction: Faraday cage, not Friday cage.




The point is not only about closed source. It is about the ability to install on non-major distributions, auditability of the software, auditability of your distribution.

 

Keeping the keys in the office is IMHO entirely idiotic. The whole point of at-rest encryption is protection against physical intrusions.

 

Sticking computers in Faraday cages does not help reading the screen conveniently, and the screen, or rather screen cables, are the main leak. The whole building often acts as the Faraday cage in such cases.

 

You can trust in-browser crypto as much as any other. Did you read Thunderbird's and OpenSSL's, or whichever alternative crypto lib you use? Same same.

 

Management is a vast question. I like computers to either pull their (signed) configs and scripts periodically from some location, or rather make them entirely unmanaged. Secure systems that use read-only disks do not need to be managed remotely. They need the media to be recreated from time to time.


john rease 🇺🇸

ASKER

I see.

In that case, I will have the user take the key home and (hopefully) not lose it, if the user is supposed to be in control (if that is what you mean by the user must have control of their own key).

Also, right then, that eliminates the Faraday problem.

 

And by read-only disks, are you talking about live RAM-only based systems? That could work too.

Or are you talking about read-only as in OS, file system, etc.?

 

 


john rease 🇺🇸

ASKER

Also, I must ask: in the hopefully rare and not-having-to-happen event that a computer on this network has to leave the building, what can I do to protect it while it's off campus? Hopefully this doesn't have to happen, but... who knows?




If the disk is read-only and there is no data, nothing much can happen.

 

If the system is limited and cannot access the network and has no USB ports, the risk is limited, but you can never avoid someone threatening the user into granting access to the stored data w/o encryption.

 

Not sure what you are after here.


john rease 🇺🇸

ASKER

Clarify that last part.

And I must ask, where is the best place to get a read-only disk? Is there a certain brand or number of brands? Also, the USB ports are gonna be physically disabled via BIOS.


john rease 🇺🇸

ASKER

Alright, so I had an idea on where to get a read-only disk.

This one is also encrypted.

https://apricorn.com/aegis-secure-key-3

It has a read-only mode too.

“The two Read-Only modes are as follows: Universal Read Only is set by the admin from within the admin mode and can’t be modified or disabled by anyone but the admin. The second read-only mode can be set and disabled by a user but can also be enabled or disabled by the admin as well.”

Wonder if this would be good to keep the data on.




Get a read-only disk: no brands. If you want the media read-only, grab a non-rewritable CD-ROM.

Old diskette drives had a physical write lock, but unfortunately the industry removed these.

Most of the time, mounting the disk read-only is good enough, though that totally depends on the situation.

 

I do not know or trust these specific Aegis devices. Those are just the kind of industry hoax that usually solve non-existent issues.

 

Physically disabled via BIOS: that is not physical. BIOS is software. That is still much better than disabling them in the operating system, though. Obviously, password-protect the BIOS access.

 

You are asking way too many unrelated questions and I have no idea what you are after. You need to grasp ideas and fit them to your needs, not just pile in a number of random pieces of software that boast about security while they may or may not achieve anything. Nothing is "secure" unless there is a context.


john rease 🇺🇸

ASKER

Yeah, but I'm not sure where to buy a read-only disk.

Unless there is one on Amazon or something.

I did find this one, but I don't know if it's read-only.

https://www.flexxon.com/read-only-mode-rom-usb/

Or can I just take any random CD and turn it into a read-only disk?


Any non-rewritable CD is read-only once you burn something on the disc. The media itself is write-once.

 

And you can always use a distribution that loads into RAM. It can even lack disk drivers. Marginally less safe but significantly easier to maintain.




john rease 🇺🇸

ASKER

Hmmmmm.

No, the computers' OS won't run in RAM.

Though I'm debating whether I should have the local server for running Matrix Synapse, internal email, and VPN run in RAM.


No idea about Matrix and Synapse, but the other 2 can totally run from a RAM-based distribution.

 

With tiny distributions, you end up running in RAM essentially anyway, as everything is cached after a few seconds. You just lack the additional security.


john rease 🇺🇸

ASKER

I guess the RAM is for if we want to erase anything and we feel we are being attacked; that way we can immediately stop the server right then and there...

 




Absolutely not. Erasing stuff because you are being attacked is for movies. Both unrealistic and useless. The point of RAM-based systems in terms of security is they do not need to access the disk after boot, so the disk can be isolated. You can just reboot and go back to a pristine state any time. If you believe you are breached, you just pull the plug. In this case, you can just restart the machine without bothering too much.


john rease 🇺🇸

ASKER

Yeah, I guess that is true, as they might as well already have the data if they had successfully bypassed security.

I guess then it's best to just use a bare-metal server.

BTW, what server operating system do you recommend? Or does it matter?


Really, that depends on the situation. If there was an obvious superiority, there would be no alternatives. I like BSD systems but I use Linuxes way more often. I like to avoid using the same OS for reverse proxies and production servers, but there are constraints to running mixed platforms.

 

There is no relation between this discussion and bare-metal vs. virtualized systems.




john rease 🇺🇸

ASKER

Aw.

I'm guessing I can run pretty much everything on BSD operating systems as I can on Linux.

I might have either OpenBSD or HardenedBSD.


Do as you see fit. I cannot spout random advice without context.


john rease 🇺🇸

ASKER

This is actually a research project to try to make a network similar to the Department of Defense's. Probably should've given that context earlier, but my goal is to try to make a system similar to the Department of Defense's classified SIPRNet network.

So, military-grade security.




john rease 🇺🇸

ASKER

Here is what SIPRNet is: https://en.wikipedia.org/wiki/SIPRNet

 

From Wikipedia:

"The Secret Internet Protocol Router Network (SIPRNet) is "a system of interconnected computer networks used by the U.S. Department of Defense and the U.S. Department of State to transmit classified information (up to and including information classified SECRET) by packet switching over the 'completely secure' environment".[1] It also provides services such as hypertext document access and electronic mail. As such, SIPRNet is the DoD's classified version of the civilian Internet."

Basically, I want to make a 1-networked version (I don't need multiple networks) of this system.


I believed you had mixed up stuff initially, given your follow-up questions. I am unsure how to help you: these kinds of networks are essentially about strong redundancy, splitting connections over multiple routes, hiding useful traffic in constant random byte flows, isolation... Most of what we talked about above is not really relevant. I have no idea what a 1-networked version is supposed to mean.

 

SIPRNet and ARPANET are basically ancestors of the internet. Their work produced BGP among other things, and probably TCP, or at least some improvements. The military have definitely gone way beyond simple redundancy, which was the primary goal.


john rease 🇺🇸

ASKER

1-networked basically means that I do not need an interconnected set of networks; I only need 1...




The whole point of such networks is interconnection and the ability to use and select different paths to the same destination dynamically. I strongly suggest you find yourself a goal that is a better fit for your current level of understanding, or at least study some routing protocols before you try your own ideas or try to copy the DoD. The guys are exceptionally good and have been working for decades. We discussed many things. I believe you have a lot to work on. Expecting to reproduce something you read about on Wikipedia without understanding much beyond the fact it is impressive will IMHO not lead you anywhere. What can be done locally has no relation to what you are asking about and is way beyond what you can handle without some significant regular networking experience. Start by reading and experimenting until you clearly know what you are asking about.


john rease 🇺🇸

ASKER

This actually kinda reminds me of Tor in a way... except the nodes are owned by the military.

