HON 101 · Social Issue Project · Summer 2026

Enterprise security without the enterprise invoice.

This site is served by the infrastructure it documents — a security stack built entirely from free and open-source software. It exists to demonstrate one claim: the technology is not what keeps under-resourced organizations insecure. Cost, expertise, and policy are.

This page's TLS certificate
Let's Encrypt — free
Web server
nginx — free
Operating system
Debian 13 — free
Software cost, entire stack
$0.00

The claim

Capability was never the barrier.

Commercial security vendors sell a reasonable story: protecting a network requires a SIEM, an intrusion detection system, DNS filtering, secure remote access, virtualization, and encrypted transport — and each of those carries a license. For a school district, a nonprofit, or a rural clinic, the quotes stack into numbers that end the conversation before it starts.

This project tests the story's hidden assumption. Every one of those functions has a free and open-source implementation — in most cases the same engine the commercial products are built on. Over one summer, working evenings around a full-time lab job, I deployed the complete stack below on used hardware and a small datacenter VPS. Nothing on this page required a license, a sales call, or permission.

What it did require is the actual subject of this project: skills that are unevenly distributed, and one policy barrier nobody's marketing mentions.

The stack

Eight enterprise functions. One column of zeros.

FunctionDeployed in this buildCommercial counterpartHow the counterpart is pricedCost here
VirtualizationProxmox VEVMware vSpherePer-core annual subscription$0
Network security monitoringSecurity OnionCommercial NSM/SIEM suitesPer-sensor + ingest licensing$0
Intrusion detectionSuricataNext-gen IPS appliancesHardware + annual subscription$0
Log analytics / SIEMElastic (ELK) StackSplunk-class platformsPriced per GB ingested, per day$0
DNS filteringPi-holeDNS-layer security servicesPer-user, per-month$0
Remote access VPNWireGuardEnterprise VPN concentratorsAppliance + per-client licenses$0
Web serving / edgenginxCommercial ADCs & load balancersPer-instance subscription$0
TLS certificatesLet's EncryptPaid certificate authoritiesPer-certificate, per-year$0
Total software licensing, entire environment$0.00

Honesty note: free software is not a free build. This environment runs on one used server, a consumer gateway, and a low-cost datacenter VPS — a hardware footprint in the low hundreds of dollars, not the tens of thousands a licensed equivalent quotes before hardware.

Architecture

A home SOC with a datacenter front door.

The monitoring core lives on a Proxmox hypervisor at home, where it can watch real traffic. The public web tier lives on a small VPS, because — as the case study below documents — it wasn't allowed to live at home. The two halves connect over a WireGuard tunnel, which is exactly the edge-plus-core pattern commercial deployments use.

fig. 1topology · edge + monitored core
                        INTERNET
                            │
             ┌──────────────┴───────────────┐
             │                              │
   ┌─────────▼──────────┐        ┌──────────▼──────────┐
   │  DATACENTER VPS    │        │  RESIDENTIAL ISP    │
   │  Debian 13         │        │  inbound 80 ✗ blocked│
   │  nginx + TLS       │        └──────────┬──────────┘
   │  80/443 open ✓     │                   │
   │  honorswebsite.    │        ┌──────────▼──────────┐
   │  ddnsking.com      │        │  UniFi gateway      │
   └─────────┬──────────┘        └──────────┬──────────┘
             │                              │
             │       WireGuard tunnel       │
             └───────────────┬──────────────┘
                             │
                  ┌──────────▼───────────┐
                  │  PROXMOX VE (home)   │
                  │  ├─ Security Onion   │
                  │  │   └─ Suricata     │
                  │  ├─ Elastic / ELK    │
                  │  ├─ Pi-hole DNS      │
                  │  └─ web VM (origin)  │
                  └──────────────────────┘

Case study

The barrier nobody sells a product for.

The plan was maximum equity: self-host everything on residential internet, total infrastructure cost near zero. DNS resolved correctly. The firewall rules were verified. The software was flawless. And certificate issuance still failed — because the ISP's residential service blocks inbound port 80, the exact port free automated certificate validation depends on.

Below is the same command, run twice. Same software, same configuration, same operator. The only variable is the network policy it ran behind.

exhibit Aresidential ISP · fail
$ sudo certbot --nginx -d honorswebsite.ddnsking.com
Requesting a certificate...

Certbot failed to authenticate some domains.
The Certificate Authority reported these problems:

  Type:   connection
  Detail: Fetching http://…/.well-known/
          acme-challenge/H2kMu9K4dNm1w5oI…:
          Timeout during connect
          (likely firewall problem)

Cause: ISP policy — inbound port 80
blocked on residential service.
exhibit Bdatacenter VPS · pass
$ certbot --nginx -d honorswebsite.ddnsking.com
Requesting a certificate...

Successfully received certificate.
Certificate is saved at:
  /etc/letsencrypt/live/
  honorswebsite.ddnsking.com/fullchain.pem

Deploying certificate... done.
Congratulations! You have successfully
enabled HTTPS.

Same stack. Zero modifications.
First attempt.

The identical free stack that "failed" behind a residential connection succeeded, unmodified, the moment it ran somewhere policy allowed it to. The barrier was never technical.

This finding generalizes. Residential ISPs reserving inbound service ports for business-class subscriptions is an invisible tax on exactly the population this project is about: the person or small organization trying to do it themselves for free. Every workaround that exists — tunnel services, datacenter VPS hosting, relocated edges — works by moving the barrier somewhere cheaper to cross, not by eliminating it. Which is, ultimately, what every solution in the comparison table above does too.

The other cost

What "free" actually charges: expertise.

Nothing above installs itself. The honest version of this project's thesis is that FOSS converts a licensing cost into a knowledge cost — and unlike licenses, every skill this build required can be acquired for free or nearly free. Each competency below is annotated with where it actually came from.

Linux administration
community college coursework + official docs
Virtualization (Proxmox)
free documentation + trial and error
DNS & dynamic DNS
free-tier services + RFC reading
TLS / ACME certificates
Let's Encrypt & Certbot documentation
Firewalling & NAT
homelab practice + vendor docs
IDS tuning (Suricata)
Security Onion community resources
VPN architecture (WireGuard)
official docs + open community guides
Troubleshooting under deadline
volunteer shifts at a public cyber range

That last annotation is the equity argument in miniature: community colleges, public cyber ranges, and open documentation form a free curriculum for this entire stack. The knowledge barrier is real — but unlike the licensing barrier, it is one a motivated person can cross without anyone's permission.

Sources

Works consulted.