
Zero Trust for the Home Lab - An Introduction to Zero Trust and its Practical Limits for the Home Lab (Part 1)

Updated: Nov 10

Introduction

If you're a regular visitor to this site, you’ve probably noticed I enjoy 'messing' with security, especially when it comes to Windows. I've put a lot of effort into securing my home lab over the years; it would be a pretty tough nut to crack. But as the saying goes, "Pride before a fall". Of course, I'm a realist and know full well that nothing is 100% secure and that there are vulnerabilities I'm in denial about, but it helps to hide behind layers of firewalls, WDAC, and delegation.


There’s this concept called Zero Trust Architecture; it’s intriguing, and I’ll explain what it means in a moment. But with my Home Lab in mind, I’ve been wondering: what aspects of it can realistically be implemented using consumer-grade equipment? How close can I get to that elusive state of Security Nirvana without breaking the bank or the Home Lab?


This series of articles will first explore the theory behind each of the Zero Trust security enhancements, followed by its practical implementation, the fun part. Although the theory is wordy and a bit.... boring, it's important to understand the principles and how they apply to the implementation of the tech.


The goal? To create the world’s most secure home lab. This should be entirely doable; after all, who else is unhinged enough to even try?


Zero Trust Architecture

Zero Trust Architecture (ZTA) is a security framework based on the principle of "never trust, always verify." Unlike traditional security models that rely on network perimeters, Zero Trust focuses on securing individual resources by enforcing strict identity verification, least privilege access, and continuous monitoring.


The Problem with Traditional Security Models

The Perimeter-Based Security Model

In the past, organizations secured their networks using firewalls, VPNs, and other perimeter-based defenses. The assumption was that once inside the network, users and devices could be trusted. However, this approach has several flaws:

Insider Threats:

  • Employees or compromised accounts can misuse their privileges.

Remote Work & Cloud Adoption:

  • Users no longer work within a controlled corporate network.

Advanced Cyber Threats:

  • Attackers can breach a single point in the network and move laterally to access sensitive data.


Core Principles of Zero Trust Architecture

To successfully implement Zero Trust, organizations follow these key principles:

Verify Explicitly:

  • Authenticate and authorise every access request based on multiple data points, such as user identity, device health, location, and behavior.

  • Use multi-factor authentication (MFA) to ensure secure logins.

Use Least Privilege Access:

  • Grant users and applications only the minimum access they need to perform their tasks.

  • Implement Just-In-Time (JIT) access and role-based access control (RBAC).

Assume Breach:

  • Design the network with the assumption that threats exist both inside and outside.

  • Implement micro-segmentation to contain potential intrusions.

  • Continuously monitor and analyze network traffic for anomalies.


Implementing Zero Trust: A Step-by-Step Guide


Micro-Segmentation and Network Security

  • Break up the network into smaller, isolated segments to limit lateral movement.

  • Use software-defined perimeters (SDP) to restrict access to applications based on user identity and context.

  • Deploy next-generation firewalls and intrusion detection systems to monitor network activity.

  • Implement IPSec to encrypt and authenticate traffic between devices, enforcing secure communication within and across network segments.

  • Use 802.1X and RADIUS for network-level access control, tying access policies to user identity and device trustworthiness.

  • Enforce policy-based routing and segmentation at both physical and virtual levels.


Device and Endpoint Security

  • Implement endpoint detection and response (EDR) solutions to detect and mitigate threats.

  • Enforce device compliance checks, ensuring only secure, managed devices can access resources.

  • Use mobile device management (MDM) solutions to secure BYOD (Bring Your Own Device) environments.

  • Continuously assess device posture, including OS patch levels, security configurations, and threat exposure.


Implement Strong Identity and Access Management (IAM)

  • Enforce multi-factor authentication (MFA) for all users.

  • Implement Single Sign-On (SSO) to streamline authentication.

  • Adopt passwordless authentication methods such as biometrics or security keys.

  • Continuously verify user identities using risk-based authentication (RBA), which adjusts security policies based on user behavior.

  • Leverage RADIUS for centralized authentication and accounting, particularly for network access control and device-level authentication.

  • Integrate 802.1X for port-based network access control, ensuring that only authenticated users and compliant devices gain network access.


Enforce Least Privilege and Access Controls

  • Use role-based access control (RBAC) to restrict access based on job roles.

  • Implement attribute-based access control (ABAC), which considers additional factors like device security posture and user location.

  • Utilize Just-In-Time (JIT) access to grant temporary permissions when needed.

  • Review access regularly to minimize privilege creep and enforce the principle of least privilege.


Continuous Monitoring and Threat Detection

  • Deploy Security Information and Event Management (SIEM) solutions to collect and analyze security logs.

  • Use User and Entity Behavior Analytics (UEBA) to detect anomalies in user behavior.

  • Implement automated threat response to isolate compromised accounts or devices in real-time.


Home Lab State of Play

This lab isn’t just a casual test environment, it’s been running continuously for over a decade, operating 24/7 as a secure, managed domain for browsing and related services. The family acts as the user base, providing constant, real-world UAT, often quite vocally when something breaks. The domain serves as a representative platform for the technologies I’m learning, testing, and developing.


The current state, and state is nearer the mark, is a mostly flat network with an out-of-support Zyxel USG60W with multiple Firewall rules dependent on the device's IP and MAC.


I’m running multiple Intel NUCs hosting Hyper-V, one of which is well overdue for retirement and out of support, which in turn run a Windows Server 2019 domain environment. AppLocker and Group Policy are actively deployed, while WDAC is managed via SCCM. There's extensive delegation and a strict separation of privileges throughout the environment. Laptops protect their data with BitLocker using TPM and PIN.


DNS queries are handled by two PiHoles with fairly strict filtering lists.


As for monitoring, SCOM was decommissioned some time ago due to NUC resource limitations, so currently, there's no centralized monitoring in place.


A serious lack of time, and the fact that it just works, has led to the system being largely neglected.


This forms an ideal starting point and mirrors what’s often seen in corporate environments: underfunded infrastructure and overworked admins stretched to breaking point.


The Zero Trust Plan of Attack

Building on the core principles of Zero Trust to "never trust, always verify" and keeping budget limitations in mind, I’ll explore each technology and explain how it tackles specific challenges. Each of these will be documented in the upcoming blogs.


Micro-Segmentation and Network Security

  • Software-Defined Perimeters. This may be a step too far for the home lab.

  • Networking: Replace the Zyxel with a pfSense Netgate 4200 and implement VLANs.

  • Firewall: Transition from Zyxel policies to pfSense.

  • IPSec: Assume compromise and that the network is hostile.

  • Implement a VPN - Not required.

  • PiHole, DNSSEC and DNS over TLS.


Device and Endpoint Security

  • Device Compliance: implement NAP. No longer possible with Windows Server.

  • Endpoint Detection and Response (EDR).

  • Mobile Device Management (MDM) is currently handled through SCCM.

  • There are no plans to transition to Microsoft Azure, particularly Intune, as it lacks enterprise features and would expand the lab's attack surface. The approach is to maintain secure data processing on-premises while using the cloud for processing and storing less sensitive data.


Implement Strong Identity and Access Management (IAM)

  • Single Sign-On is currently supported within the Microsoft domain, but not for all the Linux devices.

  • Authenticate and verify devices: implement a RADIUS server and 802.1X.

  • MFA: YubiKey smart card and PIN will be implemented.

  • Risk-Based Authentication.

Enforce Least Privilege and Access Controls

  • Attribute-Based Access Control (ABAC)

  • Role-Based Access Control (RBAC)

  • Just-In-Time access requires, as a minimum, PowerShell commands to enable group membership TTL (Time-to-Live); this could be extended further with a bastion forest, MIM, PAM and PIM.
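The minimum JIT building block mentioned above is Active Directory's time-bound group membership, which depends on the Privileged Access Management optional feature. The following is an added example of those PowerShell commands, not code from the original post; the forest name, group and user are placeholder assumptions, and the final step doubles as the periodic "review access" check from the least-privilege section, since it lists every member together with the seconds remaining on their membership.

```powershell
# Added example (not from the original post): time-bound AD group membership
# for Just-In-Time access using the ActiveDirectory module.
# Assumed placeholders: forest 'lab.local', group 'LAB-Server-Admins', user 'jdoe'.
Import-Module ActiveDirectory

$FeatureName = 'Privileged Access Management Feature'
$Group       = 'LAB-Server-Admins'   # assumed placeholder group
$User        = 'jdoe'                # assumed placeholder user

# 1. Enable the PAM optional feature at forest scope if it is not already on.
#    Enabling it is a one-way change and requires the Windows Server 2016
#    forest functional level; run as Enterprise Admin.
$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter "Name -eq '$FeatureName'"
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $FeatureName `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

# 2. Grant membership that expires on its own after four hours. The Kerberos
#    tickets issued while the link is live are capped to the remaining TTL, so
#    no manual removal (and no forgotten standing privilege) is needed.
Add-ADGroupMember -Identity $Group -Members $User `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# 3. Review: list current members with the remaining TTL on each link.
#    Temporary members appear as '<TTL=seconds,DN>'; members with no TTL
#    prefix are standing members and are the ones worth questioning.
Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member |
    ForEach-Object {
        if ($_ -match '^<TTL=(\d+),(.*)>$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
        } else {
            [pscustomobject]@{ Member = $_; SecondsLeft = 'standing' }
        }
    }
```

Scheduling step 3 against each privileged group and alerting on any "standing" entry is a cheap way to catch privilege creep in a lab that has no SIEM yet.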


Continuous Monitoring and Threat Detection

  • Security Information and Event Management (SIEM), implement an event management solution that supports both Windows and Linux.

  • User and Entity Behavior Analytics (UEBA): implement pfSense's IPA and IDA solutions.

  • Real-time response

  • Threat intelligence feeds (pfBlockerNG)

  • Intrusion detection and prevention systems (Snort/Suricata)


The Keys to the Zero Trust Kingdom

In a Windows environment, an Enterprise Certificate Authority (CA) is the trust anchor for machine identities, user certificates, network authentication, and service encryption. It’s a critical component in any enterprise PKI and foundational to implementing a Zero Trust security model. But without a Hardware Security Module (HSM), your CA's private keys are exposed to unnecessary risk. I don't have an HSM; they're quite expensive. This needs to be called out for the enterprise implementation of Zero Trust.


Where to Start.....

The CA holds the keys, but the network forms the foundation of Zero Trust, making it the logical place to start. Replacing the outdated Zyxel hardware is the first step, followed by implementing proper network segmentation and firewall policies.


The only question... what have I started?

