Multi-Layer Endpoint Security Architecture

Defense-in-Depth System Hardening for Business Workstations

November 2025 :: #endpoint-security #hardening #defense-in-depth #sandboxing

Executive Summary

Problem: A single compromised endpoint can expose all sensitive data and enable network-wide attacks when the system lacks compartmentalization.

Solution: Multi-layer defense-in-depth architecture with user compartmentalization, application sandboxing, browser hardening, and network controls.

Impact: Significantly reduces the attack surface while keeping the system fully usable for daily operations, because each of the multiple security layers works independently of the others.

The Business Challenge

Organizations face threats from both external attackers and insider risks. A single compromised endpoint can expose sensitive data, provide network access, or enable lateral movement to other systems. Traditional single-user, single-profile systems lack compartmentalization, meaning one compromised application or credential grants access to everything.

Common Endpoint Vulnerabilities:

  • Browser-based attacks and drive-by downloads compromising user sessions
  • Credential theft from compromised applications exposing authentication tokens
  • Cross-site tracking and fingerprinting revealing user behavior and identity
  • Insider threats through unrestricted access to all system resources
  • Network-based attacks and traffic interception capturing sensitive communications
  • Physical device compromise through unencrypted storage

Core Principle: Multiple independent security layers - if one protection fails, others continue protecting the system

The Solution

Implemented comprehensive endpoint hardening using defense-in-depth principles: user profile compartmentalization, application sandboxing, browser hardening, and network security controls. This multi-layer architecture ensures that the compromise of any single component does not result in a total system breach.

Security Architecture

Layer 1: User Profile Compartmentalization

Created isolated user environments for different security contexts:

  • Admin Profile: System administration only (sudo access restricted to this profile)
  • Work Profile: Daily operations and business applications
  • Personal Profile: Isolated from work activities with separate browser profiles
  • Experimental Profile: Sandboxed environment for untrusted software testing

Isolation Benefits: Separate home directories, profile-specific credentials and browser sessions, file-permission boundaries that prevent cross-profile access, and a different security policy per profile
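An audit script for the boundaries this layer depends on, added here as an example rather than the project's own tooling. It assumes the four profile names above, that sudo is granted through the wheel group (as on Arch) and that only the admin profile is a member, and GNU stat; it takes the passwd file, group file and a root prefix as arguments so the same code runs against the live system (/etc/passwd /etc/group "") or a constructed fixture.

```shell
#!/bin/sh
# Added example, not the author's script: checks that every profile has its
# own account and home directory, that no two profiles share a home, that
# each home is mode 700 (no cross-profile reads), and that sudo (wheel group,
# an assumption) is limited to the admin profile.
ADMIN_USER=admin
PROFILES="admin work personal experimental"

# Print the home directory recorded in passwd for a user (empty if absent).
home_of() {  # $1 = passwd file, $2 = user name
  awk -F: -v u="$2" '$1 == u { print $6 }' "$1"
}

# Return 0 if the member list of the wheel group is exactly ADMIN_USER.
sudo_restricted() {  # $1 = group file
  members=$(awk -F: '$1 == "wheel" { print $4 }' "$1")
  [ "$members" = "$ADMIN_USER" ]
}

# Return 0 only if every profile passes every check; print each failure.
audit_profiles() {  # $1 = passwd file, $2 = group file, $3 = root prefix ("" for live)
  rc=0
  for p in $PROFILES; do
    h=$(home_of "$1" "$p")
    if [ -z "$h" ]; then echo "FAIL: no account for $p"; rc=1; continue; fi
    # two accounts pointing at one home directory defeats the compartment
    n=$(awk -F: -v d="$h" '$6 == d' "$1" | wc -l)
    [ "$n" -eq 1 ] || { echo "FAIL: $h is shared by $n accounts"; rc=1; }
    # GNU stat: octal permission bits of the home directory
    mode=$(stat -c %a "$3$h" 2>/dev/null || true)
    if [ "$mode" != 700 ]; then
      echo "FAIL: $3$h has mode ${mode:-missing}, want 700"; rc=1
    fi
  done
  sudo_restricted "$2" || { echo "FAIL: wheel group is not exactly $ADMIN_USER"; rc=1; }
  return $rc
}
```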

Layer 2: Application Sandboxing (Firejail)

Deployed application-level isolation:

  • Restricted filesystem access for browsers and high-risk applications
  • Isolated execution environment for untrusted software
  • Default security profiles for common applications
  • Experimental profile for safe testing of potentially unsafe software

Security Value: Application-level isolation prevents malware from reaching the filesystem or other applications even if the browser is fully compromised
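A persistent Firejail override for Firefox in the Work profile, added as an example and not one of the project's own custom profiles. Firejail's stock firefox.profile includes ~/.config/firejail/firefox.local, so the directives below tighten the sandbox without editing anything under /etc/firejail; the ${HOME}/Work/Downloads path is an assumption, and the function takes a directory argument so it can be exercised outside a real home.

```shell
#!/bin/sh
# Added example, not the author's configuration. Writes firefox.local with
# the restrictions that address the threats in the list above: a compromised
# browser sees one download folder instead of the whole home directory, and
# credential material is blacklisted explicitly.
write_firefox_local() {  # $1 = directory standing in for ~/.config/firejail
  mkdir -p "$1"
  cat > "$1/firefox.local" <<'EOF'
# Loaded by /etc/firejail/firefox.profile via "include firefox.local".
# Filesystem: create the folder if needed (whitelist silently skips a
# missing path), then expose only it from the home directory.
mkdir ${HOME}/Work/Downloads
whitelist ${HOME}/Work/Downloads
# Credential material stays invisible inside the sandbox even if a future
# package update loosens the stock blacklist.
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.password-store
# Device and kernel surface: minimal /dev, private /tmp, no USB security
# keys or cameras reachable from web content, no mounted media.
private-dev
private-tmp
nou2f
novideo
disable-mnt
# Privilege boundary: no setuid escalation, no root, no capabilities,
# syscall filter on.
nonewprivs
noroot
caps.drop all
seccomp
EOF
}

# Return 0 if the file carries every directive given on stdin (one per
# line, exact match); print the first missing one and return 1 otherwise.
# Run it after writing so a typo does not silently leave the sandbox open.
local_has_all() {  # $1 = path to firefox.local, directives on stdin
  while IFS= read -r want; do
    [ -n "$want" ] || continue
    grep -Fxq "$want" "$1" || { echo "missing directive: $want"; return 1; }
  done
  return 0
}
```

Launch Firefox from the Work profile with `firejail firefox` as usual; the .local file is picked up automatically.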

Layer 3: Browser Security Hardening (arkenfox)

Implemented Firefox hardening template:

  • Disabled WebRTC preventing IP address leakage
  • Enabled first-party isolation blocking cross-site tracking
  • Configured DNS-over-HTTPS (DoH) for encrypted DNS queries
  • Enabled resist fingerprinting features
  • Disabled all telemetry and data collection
  • HTTPS-only mode enforced across all connections
  • Minimal extension stack: uBlock Origin + Container tabs

Security Value: Browser hardening prevents tracking, fingerprinting, and common web-based attacks at the application layer
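The settings listed above expressed as arkenfox-style user-overrides.js prefs, with a checker that confirms the profile's user.js really ends up with them. This is an added example, not the project's override file; the pref names are Firefox's own (network.trr.mode 3 means DoH only), and the checker is meant to run against user.js after the arkenfox updater has appended the overrides.

```shell
#!/bin/sh
# Added example, not the author's overrides. One name=value per line; the
# values are the hardened settings the layer above describes.
HARDENING_PREFS='
media.peerconnection.enabled=false
privacy.firstparty.isolate=true
network.trr.mode=3
privacy.resistFingerprinting=true
toolkit.telemetry.enabled=false
datareporting.healthreport.uploadEnabled=false
dom.security.https_only_mode=true
'

# Emit the list as user_pref() lines; booleans and integers stay unquoted.
write_overrides() {  # $1 = path for user-overrides.js
  : > "$1"
  while IFS='=' read -r name value; do
    [ -n "$name" ] || continue
    case $value in
      true|false|[0-9]*) printf 'user_pref("%s", %s);\n' "$name" "$value" ;;
      *)                 printf 'user_pref("%s", "%s");\n' "$name" "$value" ;;
    esac >> "$1"
  done <<EOF
$HARDENING_PREFS
EOF
}

# Firefox applies user.js top to bottom, so the last user_pref() for a name
# wins: compare that last value with the expected one for every pref.
# Prints each mismatch; returns 0 only when all prefs are set as required.
check_prefs() {  # $1 = user.js path
  rc=0
  while IFS='=' read -r name value; do
    [ -n "$name" ] || continue
    actual=$(grep -E "^user_pref\(\"$name\"," "$1" | tail -n 1 |
      sed -E 's/^user_pref\("[^"]+", *"?([^")]*)"?\);.*/\1/')
    if [ "$actual" != "$value" ]; then
      printf 'WRONG %s: want %s, have %s\n' "$name" "$value" "${actual:-<unset>}"
      rc=1
    fi
  done <<EOF
$HARDENING_PREFS
EOF
  return $rc
}
```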

Layer 4: Network Security

Multiple network protection layers:

  • ProtonVPN with kill switch preventing traffic leaks if VPN disconnects
  • UFW firewall with default-deny policy
  • LUKS full-disk encryption (from OS migration project)
  • Encrypted swap preventing memory dump data exposure

Security Value: Network-level controls protect data in transit, and disk and swap encryption protect data at rest, so security is maintained even outside the corporate network
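Posture checks for the controls in this layer, added as an example rather than the project's verification scripts. Each check takes captured command output as text so it can be unit-tested offline, and run_live shows the real invocations on GNU/Linux (ufw, /proc/swaps, lsblk, iproute2); the VPN interface name proton0 is an assumption to adjust for your client.

```shell
#!/bin/sh
# Added example, not the author's tooling. Three checks: UFW defaults to
# deny for incoming traffic, every active swap sits on a dm-crypt device,
# and the default route leaves through the VPN interface.
VPN_IF=proton0   # assumption: the interface the VPN client creates

# 0 if "ufw status verbose" reports deny (or reject) as the incoming default.
ufw_default_deny() {  # $1 = ufw status verbose text
  printf '%s\n' "$1" | grep -Eq '^Default: (deny|reject) \(incoming\)'
}

# 0 if every entry in /proc/swaps is a device that "lsblk -rno KNAME,TYPE"
# lists with type crypt (kernel names such as dm-1, matching /dev/dm-1).
# File-backed swap cannot be judged from this data, so it fails closed.
swap_encrypted() {  # $1 = /proc/swaps text, $2 = lsblk -rno KNAME,TYPE text
  devs=$(printf '%s\n' "$1" | awk 'NR > 1 && NF { print $1 }')
  for d in $devs; do
    case $d in
      /dev/*) ;;
      *) echo "swap $d is file-backed: not verifiable here"; return 1 ;;
    esac
    k=${d##*/}
    printf '%s\n' "$2" | grep -Eq "^$k crypt$" || { echo "swap $d is not dm-crypt"; return 1; }
  done
  return 0   # no active swap also passes: nothing to spill to disk
}

# 0 if the default route uses VPN_IF. This is a routing check only; it does
# not prove the kill switch would block traffic once the tunnel drops.
default_via_vpn() {  # $1 = "ip route show default" text
  printf '%s\n' "$1" | grep -Eq "^default( .*)? dev $VPN_IF( |$)"
}

# Run all three against the live system and print one line per control.
run_live() {
  ufw_default_deny "$(ufw status verbose 2>/dev/null)" \
    && echo "ufw: default deny incoming" || echo "ufw: NOT default deny"
  swap_encrypted "$(cat /proc/swaps)" "$(lsblk -rno KNAME,TYPE)" \
    && echo "swap: on dm-crypt" || echo "swap: NOT on dm-crypt"
  default_via_vpn "$(ip route show default)" \
    && echo "route: via $VPN_IF" || echo "route: NOT via $VPN_IF"
}
```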

Business Impact

Protects Against

• Browser-based attacks

• Cross-site tracking

• Credential theft

• Insider threats

• Network attacks

• Physical compromise

Use Cases

• Executive endpoints

• Regulated industries

• Remote workers

• BYOD environments

• Development teams

Key Outcomes

• Reduced attack surface

• Fingerprinting resistance

• Zero cross-profile leakage

• Encrypted network traffic

• Isolated untrusted software

Real-World Application Scenarios

Scenario 1: Compromised Browser

An employee clicks a malicious link. The sandboxed browser prevents malware from reaching the filesystem or other applications. Even if the browser is fully compromised, the attack is contained to the sandboxed environment, with no access to credentials, documents, or network resources.

Scenario 2: Testing Untrusted Software

A developer needs to evaluate a third-party tool of unknown trustworthiness. The Experimental profile with Firejail isolation allows testing without risking the production work environment. Any malicious behavior is contained to the isolated profile, which has no access to work data.

Scenario 3: Work/Personal Separation

An employee uses the same device for work and personal activities. Profile compartmentalization ensures personal browsing habits cannot be correlated with the work identity. A compromise of a personal account does not expose work credentials or business data.

Technical Implementation

Platform Stack:

OS: Arch Linux (hardened configuration)

Sandboxing: Firejail with custom profiles

Browser: Firefox with arkenfox user.js hardening

VPN: ProtonVPN with kill switch

Encryption: LUKS full-disk encryption

Firewall: UFW (Uncomplicated Firewall)

Implementation Highlights

Profile Management

Configured efficient profile switching with profile-specific shortcuts, maintaining security compartmentalization while preserving productivity. Each profile has independent environment variables, SSH keys, and application configurations.

Ongoing Enhancements

• Per-profile SSH key isolation

• Custom Firejail profiles for application-specific restrictions

• LUKS key management with header backups and recovery keys

• Automated security verification scripts

Challenges Overcome

Challenge: Balancing privacy hardening with daily workflow usability

Solution: Created custom arkenfox overrides that allow the necessary functionality while maintaining the security posture. Learned that aggressive hardening without considering the use cases breaks workflows - security must enable work, not prevent it.

Challenge: Managing multiple user profiles efficiently across different contexts

Solution: Developed profile-specific configurations and shortcuts that enable quick context switching without weakening security. Automated profile selection based on task type.

Skills Demonstrated

Security Architecture

• Defense-in-depth design

• Threat modeling

• Risk assessment

System Administration

• Linux user management

• Access controls

• Firewall configuration

Application Security

• Browser hardening

• Sandboxing

• VPN configuration

Usability Balance

• Security vs. productivity

• Workflow optimization

• User experience

Mobile Security Principles Applied to Desktop

This implementation adapts mobile security concepts (Android's application sandboxes, user profiles) to desktop Linux environments. While hardware-backed security features (verified boot, hardware keystore) aren't fully replicable on standard laptops, the compartmentalization and sandboxing principles achieve similar isolation goals through software controls.

Outcome

Successfully created a hardened Linux laptop environment that provides strong security and privacy for daily use. The compartmentalized approach allows different security postures for different activities while maintaining usability for productive work.

This project demonstrates the ability to apply mobile security concepts to desktop environments, implement defense-in-depth strategies, and balance security requirements with practical usability - skills essential for IT security roles.