This portfolio presents original security architecture research, enterprise-grade homelab implementation, and structured detection engineering work. The primary contribution is the Orthogonal Structure Invariant Model (OSIM) — a five-zone network segmentation framework with machine-verifiable security invariants, implemented and validated in a production-equivalent lab environment.
A multi-zone network segmentation framework engineered for blast radius containment, least-privilege network access, and machine-verifiable security properties.
OSIM addresses a structural failure mode common in flat and semi-segmented networks: implicit trust derived from network position. The model partitions all hosts into five discrete trust zones, enforces default-deny at every inter-zone boundary, and defines ten binary machine-verifiable invariants whose violation constitutes a critical governance event. The design objective is blast radius containment — ensuring that compromise of any single zone cannot produce lateral movement to higher-trust zones through network-layer paths alone.
| Zone | VLAN | Subnet | Trust Tier | Boundary Function |
|---|---|---|---|---|
| MGMT-A — Admin Workstations | 10 | 10.10.10.0/24 | Tier 0-User | Jump hosts and administrative endpoints. Initiates management sessions to MGMT-B on explicitly scoped ports only. |
| MGMT-B — Infrastructure | 11 | 10.10.11.0/24 | Tier 0-Infra | Proxmox hypervisor, OPNsense management IP, Proxmox Backup Server. No workstations. Isolated from MGMT-A by port-scoped rules. |
| LAB — Compromise Domain | 20 | 10.10.20.0/24 | Tier 2 | Active red/blue operations, attack simulation targets. Default-deny terminator L-99 prevents all lateral movement to higher-trust zones. |
| DMZ — Exposed Services | 30 | 10.10.30.0/24 | Tier 1-Ext | Internet-facing reverse proxy and application servers. Zero inward connectivity to any internal zone except Wazuh agent ports. |
| SECURITY — SIEM Plane | 40 | 10.10.40.0/24 | Tier 0-Det | Wazuh Manager, detection tooling. Accepts telemetry from all zones. Initiates no management sessions to any zone. |
Network position confers zero trust. Every inter-zone communication path requires an explicit, port-scoped allow rule with documented justification. No ANY-ANY rules exist on any interface.
Each VLAN interface terminates with an explicit logged block-all rule. The absence of a matching allow rule produces a deny-and-log event — not a silent pass. This eliminates over-permissive rules introduced through operational convenience.
MGMT-A (workstations) and MGMT-B (infrastructure) are separated into distinct VLANs. A compromised administrator workstation does not confer access to hypervisor management interfaces. Lateral movement requires a separately authenticated session, independently logged.
The SIEM plane (VLAN 40) initiates no management connections. Active response is agent-based only. No network path exists from any monitored zone to the Wazuh API — the detection plane cannot be silenced by compromise of a monitored zone.
The OPNsense running configuration is exported, SHA-256 hashed, and committed to version control after every change. Daily automated hash comparison detects unauthorized drift from the committed baseline.
Each invariant is binary — TRUE or VIOLATED. A violation constitutes a critical governance event requiring immediate investigation. Invariant verification is automated via a parser that reads the exported OPNsense configuration XML.
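As an added illustration of the automated check (example code, not the portfolio's own parser): two of the invariants stated above, no ANY-ANY pass rule and a logged block-all terminator on every VLAN interface, evaluated against a constructed config fragment. The XML layout is a simplified approximation of OPNsense's `<filter><rule>` elements and the interface names and rules are assumptions for the demo.

```python
"""Added example: verify two OSIM invariants against an OPNsense-style config.xml.
The element names (type, interface, source/destination, any, log, descr) approximate
OPNsense's filter rule layout; the rule set below is constructed for this demo."""
import xml.etree.ElementTree as ET

# Constructed sample config: vlan10 is correct, vlan20 violates both invariants.
SAMPLE_CONFIG = """<opnsense><filter>
  <rule><type>pass</type><interface>vlan10</interface><protocol>tcp</protocol>
    <source><address>10.10.10.0/24</address></source>
    <destination><address>10.10.11.0/24</address><port>8006</port></destination>
    <descr>MA-04 admin to Proxmox UI</descr></rule>
  <rule><type>block</type><interface>vlan10</interface><log/>
    <source><any/></source><destination><any/></destination>
    <descr>MA-99 terminator</descr></rule>
  <rule><type>pass</type><interface>vlan20</interface><protocol>tcp</protocol>
    <source><address>10.10.20.0/24</address></source>
    <destination><address>10.10.40.5</address><port>1514-1515</port></destination>
    <descr>L-01 Wazuh agent</descr></rule>
  <rule><type>pass</type><interface>vlan20</interface>
    <source><any/></source><destination><any/></destination>
    <descr>temporary convenience rule</descr></rule>
  <rule><type>block</type><interface>vlan20</interface>
    <source><any/></source><destination><any/></destination>
    <descr>L-99 terminator (log flag missing)</descr></rule>
</filter></opnsense>"""

def _is_any(endpoint):
    # <source><any/></source> or <destination><any/></destination>
    return endpoint is not None and endpoint.find("any") is not None

def check_invariants(xml_text, interfaces):
    """Return {invariant: [offenders]}; an empty list means the invariant is TRUE."""
    rules = ET.fromstring(xml_text).findall("./filter/rule")
    findings = {"no_any_any_pass": [], "logged_terminator": []}
    # Invariant 1: no pass rule may match any source to any destination.
    for r in rules:
        if r.findtext("type") == "pass" and _is_any(r.find("source")) \
                and _is_any(r.find("destination")):
            findings["no_any_any_pass"].append(r.findtext("descr"))
    # Invariant 2: the last rule on each VLAN interface is a logged block-all.
    for iface in interfaces:
        on_iface = [r for r in rules if r.findtext("interface") == iface]
        last = on_iface[-1] if on_iface else None
        ok = last is not None and last.findtext("type") == "block" \
            and _is_any(last.find("source")) and _is_any(last.find("destination")) \
            and last.find("log") is not None
        if not ok:
            findings["logged_terminator"].append(iface)
    return findings
```

Any non-empty list is the "VIOLATED" state; wiring the result into the daily hash-comparison job turns drift into an alert rather than a silent change.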
Original technical documentation produced to enterprise architecture standards, aligned to NIST SP 800-53, Zero Trust principles, and MITRE ATT&CK framework mappings.
Describes a multi-zone network segmentation architecture implemented on OPNsense 24.x (FreeBSD 14) with stateful packet filtering (pf) and inline Suricata IDS/IPS. Documents north–south traffic enforcement, east–west segmentation controls, Suricata IDS/IPS deployment with VLAN de-encapsulation verification, Wazuh SIEM integration, governance framework, and structured red team validation.
| Risk Scenario | Inherent | Controls Applied | Residual |
|---|---|---|---|
| Lab VM pivots to hypervisor (Proxmox/OPNsense) | HIGH | L-99 terminator; VLAN 11 isolation; intra-infra logging; Wazuh deny alerting | LOW |
| Compromised DMZ host pivots to internal zones | HIGH | D-99 terminator; no pass rules to any internal zone except Wazuh agent ports | LOW |
| Admin workstation compromise escalates to infrastructure | HIGH | MA-08 explicit block; port-scoped allow (8006/22/443 only); separate VLANs 10 and 11 | MED* |
| DNS tunneling / C2 via external resolver | MED | DNS-BLOCK floating rule; Suricata ET DNS signatures; Unbound as sole permitted resolver | LOW |
| HTTPS C2 egress from LAB or DMZ (port 443) | MED | Suricata JA3 fingerprint detection; ET MALWARE ruleset; TLS metadata inspection | MED* |
| SIEM disruption from compromise domain | HIGH | Ports 1514/1515 only; S-05 blocks all other inbound to Wazuh; L-99/D-99 terminators | LOW |
| Unauthorized internet access to management interfaces | HIGH | W-IN-02 WAN default-deny; no WAN pass rules to MGMT-A, MGMT-B, or SECURITY | LOW |
A production-equivalent security operations environment built on Proxmox VE with OPNsense firewall, five-zone VLAN segmentation, and full telemetry integration.
Suricata is deployed on the trunk interface (vtnet1), upstream of sub-interface VLAN processing. This positions Suricata to inspect all inter-zone traffic on a single capture point, regardless of source and destination VLAN. VLAN de-encapsulation is explicitly configured in suricata.yaml (`vlan: use-for-tracking: true`). Without this, Suricata attempts signature matching against raw 802.1Q-tagged frames, resulting in incorrect IP header offset calculations and silently absent content-based detection.
| Boundary | Permitted Traffic | Enforcement | ATT&CK Techniques Mitigated |
|---|---|---|---|
| MGMT-A → MGMT-B | TCP/8006, TCP/22, TCP/443 | Rules MA-04–MA-07; MA-08 blocks all other | T1611 Escape to Host, T1078 Valid Accounts, T1098 Account Manipulation |
| LAB → MGMT-A/B | None | Default-deny terminator L-99 | T1021.004 SSH, T1021.001 RDP, T1563 Session Hijacking, T1078 Valid Accounts |
| LAB → SECURITY | TCP/1514–1515 to HOST_WAZUH only | Wazuh agent permit L-01/L-02 ahead of L-99 | T1562.001 Disable Tools, T1070 Indicator Removal, T1499 DoS (SIEM) |
| DMZ → Internal (all) | TCP/1514–1515 to HOST_WAZUH only | Default-deny terminator D-99 | T1021 Remote Services, T1090.003 Multi-hop Proxy, T1190 Exploit Public App |
| SECURITY → MGMT-B | None | Explicit block rules S-08/S-09 | T1219 Remote Access Software (detection-plane pivot) |
| Intra-DMZ (lateral) | Proxy → App backend TCP/80, 443 only | Rule D-05 blocks all other intra-DMZ traffic | T1570 Lateral Tool Transfer |
Structured adversary simulation scenarios with Wazuh-verified detection evidence. Telemetry correlated across network deny events, IDS alerts, and host-based agent data.
Validates that a compromised LAB host cannot reach Proxmox management (TCP/8006) or OPNsense management interfaces through any available network path.
Validates DNS tunneling is blocked at the network layer for all internal zones and detected by Suricata ET DNS high-entropy subdomain signatures.
Validates outbound C2 channel detection via Suricata JA3 fingerprinting and Emerging Threats MALWARE ruleset, with correlated Wazuh host-agent telemetry.
Structured SOC alert triage, investigation workflow, and threat detection analysis performed using Wazuh SIEM and Suricata IDS telemetry from the homelab environment.
Alerts originate from Suricata IDS signatures, firewall deny events, and Wazuh host agents. Events are ingested into Wazuh Manager and correlated across network and host telemetry to determine severity and potential threat classification.
Each alert is evaluated against network zone context (OSIM trust tiers), known benign activity, and MITRE ATT&CK mappings. Alerts are categorized into False Positive, Suspicious Activity, or Confirmed Malicious Behavior.
Network telemetry (Suricata eve.json), firewall logs, and host agent events are correlated to determine attacker behavior, persistence attempts, or lateral movement indicators.
Confirmed malicious activity results in containment actions such as firewall rule updates, host isolation, or IDS rule promotion. All incidents are documented with timeline analysis and ATT&CK technique mapping.
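An added example of the zone-context step of this workflow (not the portfolio's own tooling): constructed OPNsense pf filterlog lines, in the CSV form that reaches Wazuh over syslog, are parsed, each endpoint is mapped to its OSIM zone and trust tier, and a deny event from a lower-trust zone into a Tier 0 zone is raised to critical. The filterlog field order is assumed from the IPv4 layout; rule numbers, interface names and hosts are made up.

```python
"""Added example: enrich pf filterlog deny events with OSIM zone / trust-tier
context. Field positions follow the filterlog IPv4 CSV layout as assumed here."""
import ipaddress

# OSIM zone table: subnets from the model, tier 0 = highest trust.
ZONES = {"10.10.10.0/24": ("MGMT-A", 0), "10.10.11.0/24": ("MGMT-B", 0),
         "10.10.20.0/24": ("LAB", 2), "10.10.30.0/24": ("DMZ", 1),
         "10.10.40.0/24": ("SECURITY", 0)}

# Constructed sample lines (rule ids, interfaces and addresses are made up).
SAMPLE_LOGS = [
    "99,,,12345,vlan20,match,block,in,4,0x0,,63,1234,0,DF,6,tcp,60,10.10.20.15,10.10.11.2,51022,22,0,S,1,,65535,,mss",
    "99,,,12345,vlan20,match,block,in,4,0x0,,63,1235,0,DF,6,tcp,60,10.10.20.15,10.10.11.2,51023,8006,0,S,1,,65535,,mss",
    "5,,,67890,vlan20,match,pass,in,4,0x0,,63,1236,0,DF,6,tcp,60,10.10.20.15,10.10.40.5,51024,1514,0,S,1,,65535,,mss",
    "99,,,11111,vlan30,match,block,in,4,0x0,,63,1237,0,DF,17,udp,78,10.10.30.7,8.8.8.8,40000,53,58",
]

def zone_of(ip):
    """Map an address to (zone name, trust tier); anything else is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for net, (name, tier) in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name, tier
    return "EXTERNAL", 3

def parse_filterlog(line):
    # Indices: 0 rule, 4 interface, 6 action, 16 protocol name, 18 src, 19 dst, 21 dst port
    f = line.split(",")
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "proto": f[16],
           "src": f[18], "dst": f[19]}
    rec["dport"] = int(f[21]) if len(f) > 21 and f[21] else None
    return rec

def triage(lines):
    """Label each event: critical if a lower-trust zone was denied into Tier 0."""
    out = []
    for line in lines:
        r = parse_filterlog(line)
        (src_zone, src_tier), (dst_zone, dst_tier) = zone_of(r["src"]), zone_of(r["dst"])
        r["path"] = f"{src_zone} -> {dst_zone}"
        if r["action"] == "block" and dst_tier == 0 and src_tier > dst_tier:
            r["severity"] = "critical"   # e.g. LAB host probing MGMT-B: L-99 deny
        elif r["action"] == "block":
            r["severity"] = "review"     # other deny, e.g. DMZ host to external DNS
        else:
            r["severity"] = "info"       # permitted flow such as Wazuh agent traffic
        out.append(r)
    return out
```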
| Alert Source | Detection | Zone | Analysis | Outcome |
|---|---|---|---|---|
| Suricata | ET DNS High Entropy Query | LAB | Potential DNS tunneling attempt detected. Query analyzed for entropy and repeated subdomain patterns. | Blocked + Logged |
| Firewall | L-99 Deny Event | LAB → MGMT-B | Attempted SSH connection from compromised lab host to infrastructure network. | Blocked by segmentation |
| Suricata | JA3 TLS Fingerprint Match | DMZ | TLS fingerprint matched known malware C2 signature. | Alert escalated |
Practical threat investigation exercises completed through the CyberDefenders DFIR training platform. Each lab simulates real-world SOC incident scenarios requiring log analysis, network forensics, and attacker behavior identification.
| Lab | Focus | Artifacts Analyzed | Key Finding | Techniques |
|---|---|---|---|---|
| DNS Exfiltration Investigation | Network Forensics | PCAP + DNS Logs | High-entropy DNS queries indicated potential data exfiltration. | MITRE ATT&CK T1048 |
Planned visual documentation to supplement framework and detection sections.
Network topology with all five VLANs, trust tier color-coding, inter-zone allow/deny paths, and Wazuh telemetry flows. Embed as interactive Mermaid on the OSIM page.
Trunk interface positioning, VLAN de-encapsulation flow, and eve.json → Wazuh pipeline. Illustrates single-capture-point coverage across all inter-zone traffic.
Export ATT&CK Navigator JSON showing techniques mitigated (network block) vs. detected (Suricata/Wazuh alert). Embed as screenshot with link to JSON source.
WAN → DMZ NAT path, per-zone egress NAT, DNS enforcement floating rule position. Include anti-spoofing rule (W-IN-01) and Pure NAT reflection annotation.
Data flow: OPNsense pf deny log → syslog UDP/514 → Wazuh Manager. Suricata eve.json → Wazuh agent on OPNsense host → Manager. Host agents all zones → correlated dashboard.
Available for SOC Analyst, Security Operations, Junior Security Engineer, and Cybersecurity Analyst roles.