Environment Notes
Design Intent
The Scheol Security Lab is intentionally designed as a hybrid security sandbox environment:
- Hell (On-Premise) → trusted core infrastructure and security backbone
- Heaven (VPS) → exposed services and external attack surface
Key Architectural Reality
1. Separation is logical, not absolute
While segmentation is implemented at network and service level, full isolation is not yet achieved due to:
- transitional hosting decisions (VPS-01 multi-role exposure)
- incomplete identity infrastructure
- partial logging centralization
2. Transitional exposure is accepted
Certain risks are knowingly accepted during the build phase:
- co-location of Gitea and public documentation
- ERP exposure on a single VPS (Dolibarr)
- incomplete SIEM integration
These are considered temporary risk exposures, not final design choices.
3. Security model evolution
The environment follows a progressive maturity model:
- Basic infrastructure isolation
- Service separation
- Centralized identity and logging
- Full monitoring and control enforcement
- Audit-ready maturity
4. Trust boundary philosophy
Trust boundaries are defined by:
- network segmentation (VLAN / firewall rules)
- administrative access paths (bastion concept)
- service exposure level (public vs internal)
- identity authority (future AD/LDAP)
Known Constraints
- VPS environments limit deep isolation control
- Identity system not yet fully centralized
- Logging architecture still partially local
- Backup strategy still transitional (snapshot-based)
Operational Reality Statement
This environment prioritizes:
- learning and architectural realism
- progressive hardening
- controlled exposure for experimentation
- over strict production-grade isolation.