Comment on How do I host Jellyfin in the most secure manner possible?
skizzles@lemmy.world 1 week ago
Just out of curiosity, why is your network not a trusted party?
You could start with an additional firewall and maybe setting up traffic restrictions on it to mitigate what devices can communicate with each other, in addition to setting up a local VPN.
Yes, it's possible to spoof MAC addresses and such, but it really sounds like your concerns could be mitigated by having a more secure network setup.
If your network isn't a trusted party then you need to start there. Why isn't it a trusted party, and what do you need to do to secure the traffic to/through it?
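The "traffic restrictions between devices" suggestion above, as an added example that is not part of this thread or of any commenter's setup: a router-side nftables ruleset that segments the LAN so client devices can reach only the media server's TLS port, and nothing else crosses between segments. Interface names (lan0, srv0), the client subnet 192.168.1.0/24, the server address 192.168.10.5 and the choice of tcp/443 behind a TLS reverse proxy are all assumptions for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Hypothetical topology:
#   lan0 = client devices on 192.168.1.0/24
#   srv0 = server segment, media server at 192.168.10.5
#   the server is fronted by a TLS reverse proxy on tcp/443
# Adjust names and addresses to your own network before loading.

flush ruleset

table inet lan_segmentation {
    # devices allowed to talk to the media server
    set media_clients {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.0/24 }
    }

    # forward chain: governs traffic routed between the two segments
    chain forward {
        type filter hook forward priority filter; policy drop;

        # keep replies to flows that were already accepted
        ct state established,related accept
        ct state invalid drop

        # clients -> media server, TLS only; the plaintext HTTP port is
        # deliberately not opened, so unencrypted traffic never crosses segments
        iifname "lan0" oifname "srv0" ip saddr @media_clients ip daddr 192.168.10.5 tcp dport 443 accept

        # everything else between segments (including server -> clients) is
        # logged, counted and dropped, which makes unexpected traffic visible
        log prefix "lan-seg drop: " counter drop
    }
}
```

Load it with `nft -f <file>` on the router, then watch the kernel log for the `lan-seg drop:` prefix; those entries are exactly the device-to-device connections the policy is meant to surface. Because the default policy is drop and the server segment has no outbound rule, a compromised server cannot open connections back into the client segment.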
Charger8232@lemmy.ml 1 week ago
Part of my threat model is essentially "anything that can connect to the internet poses a security risk". Since networks are the literal gateway to the internet, it is reasonable not to trust them. Routers don't run operating systems as secure as Qubes OS, secureblue, or GrapheneOS. If a malicious party found a way to connect to the network, all unencrypted activities can be intercepted. If the router itself has malicious code, any unencrypted traffic can be sent to a third party. Those are just the basics, but trying to put band-aid solutions on a fundamentally broken system is a losing battle.
GrapheneOS distrusts networks as much as possible, so I do too. Even if I own the network, I am not a network engineer, so the chances of fault are high. In the simplest case, the network is a gateway to all activity that happens on the LAN, and it only takes one zero day to make that happen. The best mitigation is proper encryption and no self-signed certificates (where possible).