yaseen.no --:--:-- UTC

YASEEN

network & systems administrator - security engineering

I design and run networks the way they should be run in production: segmented, certificate-based, and default-deny. If a packet can't prove who it is and why it's there, it doesn't move.

tty1 - yaseen@edge

[identity] # who is on the other end

Formally trained network and systems administrator, based in Skien Norway, working at the intersection of infrastructure and security.

Instead of waiting for someone to hand me an enterprise network, I built one. My home lab is run to a standard many production environments don't reach: hardened Enterprise Linux hosts, a segmented firewall with an explicit rule for everything that moves, certificate-based Wi‑Fi with no shared secrets, and a private certificate authority whose root key lives in hardware not in a file.

The lab isn't a showcase. It's where I break things on purpose, read the packet captures, and rebuild them properly so the habits are already in place when the network matters to more people than me.

base
Skien Norway
focus
network security
platform
Enterprise Linux
edge
pfSense · default-deny
access
802.1X · EAP-TLS
trust
private PKI · hardware root
status
open to opportunities

[capabilities] # loaded modules

NETWORK ENGINEERING

Layer 2/3 design and operation: VLAN segmentation, trunking, firewall policy, routing, DHCP/DNS - built so the diagram and the config never drift apart.

VLANspfSenseUniFiWireGuardDNS/DHCPpacket analysis

SYSTEMS & HARDENING

Enterprise Linux administration with security as the baseline, not a bolt-on: mandatory access control enforcing, minimal services, virtualization for clean isolation.

RHELSELinuxfirewalldKVM/libvirtsystemdservice minimization

IDENTITY & PKI

Certificate lifecycles end to end: hardware-backed CAs, issuance, revocation that actually gets checked, and RADIUS-driven network access control.

X.509hardware security keysFreeRADIUSEAP-TLSCRLmutual TLS

AUTOMATION & TOOLING

Scripting the boring parts so the careful parts get full attention - certificate tooling, config validation, and repeatable rebuilds.

Pythoncryptography libBashOpenSSLnmcliGit

[lab] # defense in depth, written as rules

The clearest way to describe the lab is the way it describes itself: as policy. Seven layers, evaluated top to bottom - the same order a packet experiences them.

# ACTION LAYER CONTROL
001 BLOCK everything, first Default-deny at the edge. Every allow below is explicit, scoped, and logged.
002 PASS segmentation Isolated VLANs for management, services, and an air-gapped lab segment - blast radius by design.
003 PASS port access 802.1X with EAP-TLS: a certificate on every client. No pre-shared keys in the air, ever.
004 PASS identity Private PKI with a hardware-rooted CA. Revocation lists are published, distributed - and verified.
005 PASS transport Mutual TLS between internal services, modern ciphers only. Localhost is not a trust boundary.
006 PASS egress Lab traffic pinned to an encrypted tunnel with a fail-closed kill-switch. Tunnel down traffic down.
007 BLOCK everything else Services not required are disabled, masked, or never installed. Absence is the strongest hardening.
states: evaluated top-down · last match wins nothing - first match decides

CERTIFICATE-BASED WI-FI

Full EAP-TLS rollout: RADIUS with pinned TLS versions and ECDHE-only ciphers, per-device client certificates, and revocation checked on every authentication.

HARDWARE-ROOTED CA

Root and intermediate keys generated and held on a hardware security key. Signing is a deliberate, physical act - the private key has never touched a disk.

FAIL-CLOSED EGRESS

An isolated research segment routes exclusively through an encrypted tunnel, with policy routing and DNS pinned in-tunnel. No tunnel, no traffic, no leaks.

[doctrine] # comments that survived every rewrite

default deny. Every allow is a decision - made once, on purpose, in writing.

identity over location. Certificates, not passwords. Subjects, not subnets.

fail closed. When the tunnel drops, the traffic drops with it.

least privilege, everywhere. Users, services, ports, and firmware alike.

verify, then trust then verify again. A control that isn't tested is a hope.

if it isn't logged, it didn't happen.

[contact] # open a session

ESTABLISH CONNECTION

Looking for someone who treats your network like it's already under attack because statistically, it is? I'm open to roles and projects in network and systems administration and security engineering. Handshake below.

yaseen@yaseen.no # typical response time: 24h