NETWORK ENGINEERING
Layer 2/3 design and operation: VLAN segmentation, trunking, firewall policy, routing, DHCP/DNS - built so the diagram and the config never drift apart.
/etc/motd - Skien Norway · UTC+1
network & systems administrator - security engineering
I design and run networks the way they should be run in production: segmented, certificate-based, and default-deny. If a packet can't prove who it is and why it's there, it doesn't move.
Formally trained network and systems administrator, based in Skien Norway, working at the intersection of infrastructure and security.
Instead of waiting for someone to hand me an enterprise network, I built one. My home lab is run to a standard many production environments don't reach: hardened Enterprise Linux hosts, a segmented firewall with an explicit rule for everything that moves, certificate-based Wi‑Fi with no shared secrets, and a private certificate authority whose root key lives in hardware not in a file.
The lab isn't a showcase. It's where I break things on purpose, read the packet captures, and rebuild them properly so the habits are already in place when the network matters to more people than me.
Layer 2/3 design and operation: VLAN segmentation, trunking, firewall policy, routing, DHCP/DNS - built so the diagram and the config never drift apart.
Enterprise Linux administration with security as the baseline, not a bolt-on: mandatory access control enforcing, minimal services, virtualization for clean isolation.
Certificate lifecycles end to end: hardware-backed CAs, issuance, revocation that actually gets checked, and RADIUS-driven network access control.
Scripting the boring parts so the careful parts get full attention - certificate tooling, config validation, and repeatable rebuilds.
The clearest way to describe the lab is the way it describes itself: as policy. Seven layers, evaluated top to bottom - the same order a packet experiences them.
Full EAP-TLS rollout: RADIUS with pinned TLS versions and ECDHE-only ciphers, per-device client certificates, and revocation checked on every authentication.
Root and intermediate keys generated and held on a hardware security key. Signing is a deliberate, physical act - the private key has never touched a disk.
An isolated research segment routes exclusively through an encrypted tunnel, with policy routing and DNS pinned in-tunnel. No tunnel, no traffic, no leaks.
default deny. Every allow is a decision - made once, on purpose, in writing.
identity over location. Certificates, not passwords. Subjects, not subnets.
fail closed. When the tunnel drops, the traffic drops with it.
least privilege, everywhere. Users, services, ports, and firmware alike.
verify, then trust then verify again. A control that isn't tested is a hope.
if it isn't logged, it didn't happen.
Looking for someone who treats your network like it's already under attack because statistically, it is? I'm open to roles and projects in network and systems administration and security engineering. Handshake below.