Security architecture
Current security posture
| Control | Implementation |
|---|---|
| Perimeter firewall | OPNsense KVM VM (caneast-site1-fw1) — DMZ active, firewall rules pending activation |
| Secrets management | Infisical (self-hosted, caneast-site1-node3:[REDACTED]) — no hardcoded credentials anywhere in repos |
| Container scanning | Grype by Anchore — Trivy ruled out (supply chain compromise March 2026 by TeamPCP) |
| SBOM generation | Syft — paired with Grype for bill-of-materials tracking |
| Host security audit | Lynis — Ubuntu security auditing on all bare metal nodes |
| Intrusion prevention | CrowdSec with Cloudflare bouncer active on peries.ca |
| Automatic patching | unattended-upgrades running on all Ubuntu nodes |
| Source control policy | Branch policies on all ADO repos — no direct push to main, PRs + linked work items required |
Threat model
Network zones
```text
Internet
└── ISP gateway (REDACTED)
    └── OPNsense caneast-site1-fw1
        ├── DMZ zone
        │   ├── caneast-site1-jmp1 (jump box — only entry path to IT layer)
        │   └── Conpot (Phase 3 — ICS/OT honeypot)
        └── IT LAN (REDACTED/24)
            ├── caneast-site1-node2 — Docker workloads
            ├── caneast-site1-node3 — KVM host, Infisical
            └── caneast-site1-node1 — WireGuard, PiHole, Tailscale

OT zone (physically isolated)
└── caneast-site1-mqtt1 (Mosquitto)
    └── caneast-site1-ot1-snr01 (ESP32 sensor)
```
Principles
- DMZ separates internet-facing traffic from the internal IT layer
- OT zone (ESP32, MQTT broker) is physically and logically isolated from the IT layer — no route between OT and IT networks
- Jump box (caneast-site1-jmp1) is the only entry path into the DMZ — no direct inbound to IT nodes from the internet
- Secrets never leave Infisical — injected at runtime via environment variables, never written to disk or committed to repos
- All container images scanned with Grype before deployment — Trivy is banned (see ADR-0003)
- No direct push to main — all changes require a PR with at least one approval and a linked work item
Planned security stack — Phase 3
Conpot — ICS/OT honeypot
Deployed in the DMZ on caneast-site1-node3. Simulates a Modbus/S7 PLC to attract and capture real-world ICS attack patterns from internet-facing threat actors.
- Purpose: threat intelligence, attack pattern collection, SELKS enrichment
- Protocols simulated: Modbus TCP, Siemens S7
- Placement: DMZ zone — isolated from actual OT devices
- Feeds into: SELKS for traffic analysis and enrichment
Wazuh — SIEM
Full security information and event management platform deployed as a k3s workload.
- Log sources: all bare metal nodes (caneast-site1-node1, caneast-site1-node2, caneast-site1-node3), k3s workloads, Conpot
- Capabilities: vulnerability management, file integrity monitoring, log aggregation, intrusion detection
- Integrations planned: AD/EntraID, Azure Sentinel (Phase 5)
- Note: memory-intensive — RAM planning required before deploying alongside k3s on caneast-site1-node3
Falco — runtime container security
Deployed as a k3s DaemonSet. Monitors syscalls at the kernel level to detect:
- Container escape attempts
- Anomalous process execution inside containers
- Unexpected network connections from k3s workloads
- Privilege escalation attempts
Deferred — Phase 5
Microsoft Defender for Containers
Native Azure/EntraID integration for container workloads. Requires Azure subscription and AKS or Arc-enabled k3s. Deferred until cloud integration phase.
Wazuh → Azure Sentinel
Log forwarding from self-hosted Wazuh to Azure Sentinel for cloud-scale correlation and long-term retention. Deferred to Phase 5 alongside full Azure integration.
SBOM pipeline in ADO
Automated supply chain security gate in every CI/CD pipeline:
- Syft generates a software bill of materials (SBOM) for every container image built
- Grype scans the SBOM against the CVE database
- Pipeline fails on critical CVEs — nothing deploys with an unpatched critical vulnerability
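One way to implement the final gate step, as an added example rather than the project's pipeline code. It assumes the report was produced with `syft <image> -o cyclonedx-json` followed by `grype sbom:<file> -o json`; the function names, exit codes and sample data are hypothetical. It goes one step past the policy stated above by failing closed when the scanner output is missing or malformed.

```python
import json
import sys

BLOCKING = {"critical"}  # page policy: the pipeline fails on critical CVEs

# Constructed sample shaped like `grype sbom:sbom.json -o json` output, trimmed to
# the fields read below. Package names and CVE ids are placeholders, not real.
_CRIT = {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["3.0.9"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "3.0.2"}}
_HIGH = {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "demo-pkg", "version": "1.4.0"}}
SAMPLE = json.dumps({"matches": [_CRIT, _CRIT, _HIGH]})  # one match is repeated


def blocking_findings(report_text):
    """Return sorted, de-duplicated (package, version, cve, fixed_in) tuples.
    Raises ValueError for anything that is not a Grype JSON report, so empty or
    truncated scanner output is never mistaken for a clean scan."""
    found = set()
    try:
        for item in json.loads(report_text)["matches"]:
            vuln, art = item["vulnerability"], item["artifact"]
            if str(vuln.get("severity", "")).lower() in BLOCKING:
                versions = (vuln.get("fix") or {}).get("versions") or []
                found.add((art["name"], art["version"], vuln["id"],
                           ",".join(versions) or "no fix yet"))
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError(f"unreadable Grype report: {exc!r}") from exc
    return sorted(found)


def gate(report_text):
    """Step exit status: 0 = deploy, 1 = blocked by policy, 2 = scan unusable."""
    try:
        findings = blocking_findings(report_text)
    except ValueError as exc:
        print(f"GATE ERROR: {exc}", file=sys.stderr)
        return 2
    for name, version, cve, fixed_in in findings:
        print(f"BLOCKED {cve} in {name} {version} (fixed in: {fixed_in})")
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:  # report path given: act as the pipeline step
        sys.exit(gate(open(sys.argv[1], encoding="utf-8").read()))
    print("sample exit status:", gate(SAMPLE))
```

Grype can also enforce the severity threshold on its own with `--fail-on critical`; a separate gate like this one is useful when the build log should name the package and the fixed version, or when an empty report must block the deploy.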
Phase 6 — Red Team & Adversary Simulation
Purpose
Extend the security posture beyond detection and prevention into active adversary simulation. Validates that existing controls (Wazuh, Falco, OPNsense, CrowdSec) actually detect and alert on real attack patterns using fictional personas with deliberate misconfigurations.
Threat Persona Dataset
Fictional employees of CanEast Manufacturing Ltd. with documented security weaknesses. Used as test subjects for vulnerability scanners, SIEM alert tuning, and purple team exercises.
| Persona | Role | Key Risk | MITRE Techniques |
|---|---|---|---|
| Bob Tremblay | Manufacturing (30 years) | MFA exists but not enforced, password on Post-it note in drawer | T1078 Valid Accounts, T1552 Unsecured Credentials |
| Stacy Gagnon | Accounting (2+ years) | Phishing target, privilege creep, browser-saved credentials | T1566 Spearphishing, T1555 Browser Credentials, T1078 Valid Accounts |
| Marcus Leblanc | Sysadmin | Domain Admin + Enterprise Admin + Azure Global Admin, dual accounts not enforced | T1078.002 Domain Accounts, T1078.004 Cloud Accounts, T1134 Token Manipulation |
Personas are defined as YAML files in docs/internal/. High-level profiles published here for portfolio context.
Attack Surface Coverage
| Vector | Persona | Scenario |
|---|---|---|
| Physical credential exposure | Bob | Password on Post-it → workstation access → OT network lateral movement |
| MFA bypass | Bob | MFA enabled but not enforced → login without second factor |
| Spear phishing / BEC | Stacy | Vendor impersonation email → credential harvest → fraudulent wire |
| Browser credential theft | Stacy | Malware on workstation → Chrome saved passwords exfiltrated |
| Privilege abuse | Marcus | Daily tasks on admin account → malware inherits Tier 0 privileges |
| Full domain compromise | Marcus | Single credential theft → Domain + Enterprise + Azure Global Admin |
Planned Tooling (TBD — ADR pending)
| Tool | Purpose | Status |
|---|---|---|
| Atomic Red Team | Lightweight MITRE ATT&CK test scripts — runs specific techniques against the stack | Candidate |
| Caldera | Automated adversary simulation platform by MITRE | Candidate |
| Custom Python scripts | Simulate user behavior (login patterns, file access, network traffic) | Candidate |
| Selenium / AI agents | Browser-based user simulation mimicking real employee behavior | Future consideration |
Tooling decision will be captured in a dedicated ADR when Phase 6 begins.
Integration with Security Stack
- Wazuh — personas generate realistic alert scenarios for SIEM tuning
- Falco — container escape and privilege escalation tests
- Conpot — OT-facing attack simulation from Bob's compromised manufacturing workstation
- Azure Sentinel (Phase 5) — cloud-scale correlation of cross-persona attack chains
Tool decisions and rationale
| Decision | Rationale |
|---|---|
| Grype over Trivy | Trivy supply chain compromise March 2026 (TeamPCP) -- credential stealer injected into trivy-action and trivy binary at v0.69.4. Grype by Anchore used as replacement. Trivy will be reassessed when upstream resolves and community trust is restored. See ADR-0003. |
| OPNsense over pfSense | Better community support, more active development cadence, cleaner plugin ecosystem |
| Infisical over HashiCorp Vault | Lighter operational footprint, better UX for small team, self-hostable without a dedicated storage backend or unsealing procedure. See ADR-0002. |
| k3s over full Kubernetes | Same Kubernetes API surface — manifests are 100% portable to AKS/GKE/EKS. Lower RAM footprint appropriate for homelab hardware. Single binary install. |
| Conpot over commercial honeypot | Open source, ICS/SCADA-specific protocol simulation (Modbus, S7), lightweight, purpose-built for OT threat intelligence |