Security architecture

Current security posture

Control	Implementation
Perimeter firewall	OPNsense KVM VM (caneast-c1-fw1) — DMZ active, firewall rules pending activation
Secrets management	Infisical (self-hosted, caneast-c1-node3:[INTERNAL]) — no hardcoded credentials anywhere in repos
Container scanning	Grype by Anchore — Trivy ruled out (supply chain compromise March 2026 by TeamPCP)
SBOM generation	Syft — paired with Grype for bill-of-materials tracking
Host security audit	Lynis — Ubuntu security auditing on all bare metal nodes
Intrusion prevention	CrowdSec with Cloudflare bouncer active on peries.ca
Automatic patching	unattended-upgrades running on all Ubuntu nodes
Source control policy	Branch policies on all ADO repos — no direct push to main, PRs + linked work items required

Threat model

Network zones

Internet
  └── ISP gateway (REDACTED)
        └── OPNsense caneast-c1-fw1
              ├── DMZ zone
              │     ├── caneast-c1-jmp1 (jump box — only entry path to IT layer)
              │     └── Conpot (Phase 3 — ICS/OT honeypot)
              └── IT LAN (REDACTED/24)
                    ├── caneast-c1-node2 — Docker workloads
                    ├── caneast-c1-node3 — KVM host, Infisical
                    └── caneast-c1-node1 — WireGuard, PiHole, Tailscale

OT zone (physically isolated)
  └── caneast-c1-mqtt1 (Mosquitto)
        └── caneast-c1-ot1-esp1 (ESP32 sensor)

Principles

• DMZ separates internet-facing traffic from the internal IT layer
• OT zone (ESP32, MQTT broker) is physically and logically isolated from the IT layer — no route between OT and IT networks
• Jump box (caneast-c1-jmp1) is the only entry path into the DMZ — no direct inbound to IT nodes from the internet
• Secrets never leave Infisical — injected at runtime via environment variables, never written to disk or committed to repos
• All container images scanned with Grype before deployment — Trivy is banned (see ADR-0003)
• No direct push to main — all changes require a PR with at least one approval and a linked work item

Planned security stack — Phase 3

Conpot — ICS/OT honeypot

Deployed in the DMZ on caneast-c1-node3. Simulates a Modbus/S7 PLC to attract and capture real-world ICS attack patterns from internet-facing threat actors.

• Purpose: threat intelligence, attack pattern collection, SELKS enrichment
• Protocols simulated: Modbus TCP, Siemens S7
• Placement: DMZ zone — isolated from actual OT devices
• Feeds into: SELKS for traffic analysis and enrichment

Wazuh — SIEM

Full security information and event management platform deployed as a k3s workload.

• Log sources: all bare metal nodes (caneast-c1-node1, caneast-c1-node2, caneast-c1-node3), k3s workloads, Conpot
• Capabilities: vulnerability management, file integrity monitoring, log aggregation, intrusion detection
• Integrations planned: AD/EntraID, Azure Sentinel (Phase 5)
• Note: memory-intensive — RAM planning required before deploying alongside k3s on caneast-c1-node3

Falco — runtime container security

Deployed as a k3s DaemonSet. Monitors syscalls at the kernel level to detect:

• Container escape attempts
• Anomalous process execution inside containers
• Unexpected network connections from k3s workloads
• Privilege escalation attempts

Deferred — Phase 5

Microsoft Defender for Containers

Native Azure/EntraID integration for container workloads. Requires Azure subscription and AKS or Arc-enabled k3s. Deferred until cloud integration phase.

Wazuh → Azure Sentinel

Log forwarding from self-hosted Wazuh to Azure Sentinel for cloud-scale correlation and long-term retention. Deferred to Phase 5 alongside full Azure integration.

SBOM pipeline in ADO

Automated supply chain security gate in every CI/CD pipeline:

1. Syft generates a software bill of materials (SBOM) for every container image built
2. Grype scans the SBOM against the CVE database
3. Pipeline fails on critical CVEs — nothing deploys with an unpatched critical vulnerability

Tool decisions and rationale

Decision	Rationale
Grype over Trivy	Trivy supply chain compromise March 2026 — TeamPCP injected a credential stealer into trivy-action and the trivy binary at v0.69.4. Grype by Anchore is the replacement. See ADR-0003.
OPNsense over pfSense	Better community support, more active development cadence, cleaner plugin ecosystem
Infisical over HashiCorp Vault	Lighter operational footprint, better UX for small team, self-hostable without a dedicated storage backend or unsealing procedure. See ADR-0002.
k3s over full Kubernetes	Same Kubernetes API surface — manifests are 100% portable to AKS/GKE/EKS. Lower RAM footprint appropriate for homelab hardware. Single binary install.
Conpot over commercial honeypot	Open source, ICS/SCADA-specific protocol simulation (Modbus, S7), lightweight, purpose-built for OT threat intelligence

References

• ADR-0002: Infisical for secrets
• ADR-0003: Grype over Trivy
• ADR-0004: OPNsense as KVM VM
• Network topology
• Roadmap — Phase 3 detail