← Back to Work

Multi-Layer Endpoint Security Architecture

Defense-in-Depth System Hardening for Business Workstations

November 2025 :: #endpoint-security #hardening #defense-in-depth #sandboxing

Overview

I hardened a Linux workstation using defense-in-depth, on the principle that a single compromised endpoint shouldn't hand an attacker everything. A typical single-profile machine has no internal boundaries — one bad browser session or stolen credential reaches every file and every account. I built several independent layers so that when one fails, the others are still standing.

The Layers

User compartmentalization

Separate profiles for separate contexts — Admin (the only profile with sudo), Work, Personal, and an Experimental profile for untrusted software — each with its own home directory, credentials, and browser sessions. A compromise in one doesn't cross into the others.

Application sandboxing (Firejail)

Browsers and other high-risk apps run with restricted filesystem access. If a browser is fully compromised, the malware is boxed into the sandbox — no reach into documents, other apps, or the rest of the system.

Browser hardening (arkenfox)

A hardened Firefox profile: WebRTC disabled to stop IP leaks, first-party isolation and fingerprinting resistance against cross-site tracking, DNS-over-HTTPS, HTTPS-only, telemetry off, and a deliberately minimal extension set (uBlock Origin plus container tabs).

Network & storage

ProtonVPN with a kill switch so a dropped tunnel doesn't leak traffic, a default-deny UFW firewall, and LUKS full-disk encryption with encrypted swap carried over from my OS migration work.

Stack

Platform

Arch Linux, hardened configuration

Firejail sandboxing with custom profiles

Firefox + arkenfox user.js

ProtonVPN (kill switch) · UFW · LUKS full-disk encryption

What I Took From It

The real lesson was about restraint. My first pass at arkenfox hardening was aggressive enough that it quietly broke everyday workflows — and security that gets in the way is security people turn off. I ended up writing custom overrides that kept the protection while letting the work happen, which is the actual job: making the secure path the usable one. These are software versions of mobile isolation concepts (Android's per-app sandboxes and profiles); a laptop can't match hardware-backed verified boot, but the compartmentalization gets you most of the way.

Evidence & availability

Built and run on my own hardware, so there's nothing client-confidential here — which means I can show the working parts. Configuration, scripts, and a full walkthrough are available on request.