Zero Trust
This is another of the most fundamental and important concepts in IT, and it applies at almost every level. The core principle is to trust nothing and always verify: either prove that a component is legitimate, or add another layer of security that does not depend on it.
As far as security layers go, the idea is also about reducing stress. Things can break for a variety of reasons, and if you don't rely on a single point of failure, you don't need to react urgently when one component fails. Redundancy is key.
Let me give you a couple of examples:
- If you want to restrict a web page to certain IP addresses, it’s wise to do that on your router/firewall, your local server firewall, and the web server itself. This kind of redundancy means that even if iptables isn’t working correctly on both the router and local server – due to a configuration error, a bug in the Linux kernel, or malicious interference – the IP restriction will still function.
- In a corporate environment, it’s wise to use a VPN to proactively restrict access to certain services within your intranet. You do this even though you likely already have additional logins for those intranet services. These are redundant security features; if one fails, the other will still protect you.
- This web page is served by a standard Nginx web server. Do I trust Nginx to be perfect? No! This page has additional security features protecting my system:
  - The Nginx binary never runs as root.
  - There’s an AppArmor profile providing mandatory access control, preventing Nginx from performing actions it shouldn't.
  - I've used systemd to "jail" Nginx, restricting its ability to mount certain portions of the system read-write and preventing it from obtaining more privileges.
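The systemd "jail" in the last item is a handful of directives in the service unit, and the practical risk is that one of them silently goes missing after a package upgrade or a hand edit. The following audit script is an added example, not code from this site; it parses a systemd unit and checks for the properties the list above names (a non-root `User=`, `NoNewPrivileges=`, `ProtectSystem=`). The capability check and both sample units are my assumptions for illustration, and the path in the comment is constructed.

```python
# Added example (not from the page): audit a systemd service unit for the
# hardening the list above describes. Assumes the unit text was read from a
# file such as /etc/systemd/system/nginx.service (constructed path); both
# sample units below are constructed for illustration.
from __future__ import annotations

from typing import Dict, List, Optional

Section = Dict[str, List[str]]


def parse_unit(text: str) -> Dict[str, Section]:
    """Parse systemd unit syntax into {section: {key: [values...]}}.

    A repeated key appends a value; an empty assignment (Key=) resets the
    list, which is systemd's own convention for list-valued settings.
    """
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section: ignore it
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            current[key] = []
        else:
            current.setdefault(key, []).append(value)
    return sections


def _last(service: Section, key: str) -> Optional[str]:
    """Last value wins for scalar settings, as in systemd."""
    values = service.get(key)
    return values[-1] if values else None


def audit(unit_text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    service = parse_unit(unit_text).get("Service", {})
    findings: List[str] = []

    # First item of the list above: the daemon must not run as root.
    user = _last(service, "User")
    if user is None or user == "root":
        findings.append("User= is missing or root: the service runs as root")

    # Third item: no way to gain privileges beyond those granted at start.
    if _last(service, "NoNewPrivileges") not in ("yes", "true", "on", "1"):
        findings.append("NoNewPrivileges= is not enabled")

    # Third item: the system hierarchy is read-only except for listed paths
    # (ReadWritePaths= must cover the pid file, cache and log directories).
    if _last(service, "ProtectSystem") not in ("strict", "full"):
        findings.append("ProtectSystem= is not 'strict' or 'full'")

    # Assumption, not on the page: an unprivileged user still needs
    # CAP_NET_BIND_SERVICE to bind ports 80/443, and ambient capabilities
    # must stay inside the bounding set (allowlist form only, no '~').
    bounding = set(" ".join(service.get("CapabilityBoundingSet", [])).split())
    ambient = set(" ".join(service.get("AmbientCapabilities", [])).split())
    if user not in (None, "root") and "CAP_NET_BIND_SERVICE" not in ambient:
        findings.append("unprivileged User= without AmbientCapabilities=CAP_NET_BIND_SERVICE")
    if bounding and not any(c.startswith("~") for c in bounding) and not ambient <= bounding:
        findings.append("AmbientCapabilities= grants more than CapabilityBoundingSet= allows")
    return findings


# Constructed sample: a stock-looking unit with none of the hardening.
WEAK_UNIT = """\
[Unit]
Description=nginx (weak example)

[Service]
Type=forking
ExecStart=/usr/sbin/nginx
"""

# Constructed sample: the same service jailed as the list above describes.
HARDENED_UNIT = """\
[Unit]
Description=nginx (hardened example)

[Service]
Type=forking
ExecStart=/usr/sbin/nginx
User=www-data
Group=www-data
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/log/nginx
ReadWritePaths=/run/nginx
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
"""

if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, "->", audit(unit) or "all checks passed")
```

Run it against the real unit with `audit(open(path).read())`; a non-empty list is a regression in one of the redundant layers, which is exactly the kind of silent failure the redundancy is meant to survive.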
As far as this information is concerned: check it, analyze it, think about it. Trust nobody – not even me. Consider the information and data I’m providing critically.
If you download IP blacklists from this site, verify them in a non-destructive way by comparing them to your log data. Consider what happens if the data is incorrect and how to protect yourself in that scenario. Don't blindly use what I provide here.
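A non-destructive check of a downloaded blacklist means answering "what would this list have blocked?" from your own access logs before you load it into a firewall. The script below is an added example, not code from this site; it parses one IP or CIDR per line, matches the addresses in Nginx's default `combined` log format, and reports what a practitioner would want to know before trusting the data: how much of your traffic the list would block, which blocked clients were receiving successful responses (possible false positives), which entries are suspiciously wide ranges, and which lines were unparseable. The sample list and log lines are constructed, and the width thresholds are my assumption.

```python
# Added example (not from the page): a non-destructive dry run of a downloaded
# IP blacklist against web-server access logs. Assumes one IP or CIDR per line
# ('#' starts a comment) and Nginx's default "combined" log format; the sample
# list and log lines below are constructed.
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Enough of the combined format to pull out the client IP and status code.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<bytes>\S+)"
)


def parse_blacklist(text: str) -> Tuple[list, List[Tuple[int, str]]]:
    """Return (networks, rejected lines). Bad lines are reported, not ignored."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append((lineno, line))
    return nets, rejected


def matching_network(ip_str: str, nets) -> Optional[object]:
    """First listed network containing ip_str, or None (also for bad IPs)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in nets:
        if ip.version == net.version and ip in net:
            return net
    return None


@dataclass
class DryRun:
    total_requests: int = 0
    blocked_requests: int = 0
    unparsed_lines: int = 0
    hits_per_network: Counter = field(default_factory=Counter)
    blocked_ok_clients: Counter = field(default_factory=Counter)  # 2xx/3xx
    oversized: List[str] = field(default_factory=list)
    rejected: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def blocked_fraction(self) -> float:
        return self.blocked_requests / self.total_requests if self.total_requests else 0.0


def dry_run(blacklist_text: str, log_lines: Iterable[str],
            min_v4_prefix: int = 16, min_v6_prefix: int = 32) -> DryRun:
    """Simulate the blacklist against log lines without touching any firewall."""
    nets, rejected = parse_blacklist(blacklist_text)
    result = DryRun(rejected=rejected)
    # Assumption: anything wider than a /16 (v4) or /32 (v6) in a public
    # blacklist deserves a human look before it is enforced.
    result.oversized = [
        str(n) for n in nets
        if n.prefixlen < (min_v4_prefix if n.version == 4 else min_v6_prefix)
    ]
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if not m:
            result.unparsed_lines += 1
            continue
        result.total_requests += 1
        net = matching_network(m["ip"], nets)
        if net is None:
            continue
        result.blocked_requests += 1
        result.hits_per_network[str(net)] += 1
        if int(m["status"]) < 400:  # a would-be-blocked client that got served
            result.blocked_ok_clients[m["ip"]] += 1
    return result


# Constructed sample blacklist (documentation ranges only).
BLACKLIST = """\
# constructed sample list
203.0.113.0/24
198.51.100.7
10.0.0.0/8   # suspiciously wide for a public blacklist
not-an-ip
"""

# Constructed sample access log in combined format, plus one garbage line.
LOG_LINES = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.44 - - [01/Jan/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.1.2.3 - - [01/Jan/2025:10:00:04 +0000] "GET /admin HTTP/1.1" 200 80 "-" "Mozilla/5.0"
garbage line
"""

if __name__ == "__main__":
    r = dry_run(BLACKLIST, LOG_LINES.splitlines())
    print(f"would block {r.blocked_requests}/{r.total_requests} requests "
          f"({r.blocked_fraction:.0%}); unparsed lines: {r.unparsed_lines}")
    print("hits per entry:", dict(r.hits_per_network))
    print("blocked clients that were being served:", dict(r.blocked_ok_clients))
    print("oversized entries:", r.oversized, "| rejected lines:", r.rejected)
```

A high blocked fraction, an oversized entry, or a blocked client that was getting 200s are the signals to stop and investigate rather than load the list; with real data, feed `dry_run` the list file and your rotated logs and keep the firewall out of the loop until the numbers make sense.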
Copyright © 2025 me@oldhand.zapzarapp.com