Prevent internal LAN intruders - Security



Thread: Prevent internal LAN intruders

  1. Prevent internal LAN intruders

    I have a moderate-size neighborhood LAN with one public IP address and
    a masqueraded private 10.x.x.x network with unmanaged switches (and
    maybe some wireless access in the future). There is a strong need to
    somehow secure internal access to the LAN to prevent: IP/MAC
    stealing, unauthorized internet access, and to minimize the risk of
    internal IP/MAC spoofing, sniffing & attacks, unauthorized computers
    connecting to the LAN, or users reaching the LAN from small NAT-ed
    networks behind connected computers. The gateway machine is a Debian
    3.1 box with kernel 2.4 or 2.6; the LAN workstations range from Win 98
    to XP and maybe some Linuxes.

    I did some research and I came up with these conclusions:
    - 802.1x not an option - requires expensive 802.1x capable switches
    - VLAN not an option - requires expensive VLAN capable switches
    - managed switches not an option - expensive
    - proxy server - poor solution
    - DHCP - poor solution
    - static ARP tables - would bring some protection, but MAC addresses
    still can be faked

    The minimum I need is to make sure that only authorized users can gain
    any access to the router and out to the internet. All my research led
    to one solution: IPSec, as it provides certificate-based authentication
    on the network, access control and data encryption too.
    My question would be: is IPSec the right solution to my issues and, if
    yes, how can I implement it? Of course any other solutions are very
    welcome.

    Regards,
    Szabi


  2. Re: Prevent internal LAN intruders

    There is a node registration process that is available to you as well.
    It is called NetReg.

    Essentially you can set up a computer as a registration server; the
    client communicates by default with this server. Upon successful
    registration, the client reboots with authorized status. If not
    registered, the client-side systems are completely unable to
    access external resources.

    There is a lot more to it, but you can do the research if you so desire.
    Thomas


  3. Re: Prevent internal LAN intruders

    Thanks for the idea Thomas, I'll dig around for it. Cheers!


  4. Re: Prevent internal LAN intruders

    Well, unfortunately this won't solve my problem... after all the
    digging I did it seems that all DHCP "solutions" can be worked around
    simply by manually setting the IP address. NetReg is not an exception
    either...
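The original post lists "static ARP tables" as the only switch-free option that brings some protection, and the follow-up above notes that every DHCP-based scheme (NetReg included) is bypassed by setting a static IP. The script below is an added example, not code from either poster: it shows what that minimum looks like on the Debian gateway when the allow-list is keyed on IP and MAC pairs rather than on DHCP leases, so a manually configured IP alone no longer gets a host through. It assumes the LAN is on eth1 and the internet on eth0 (both assumed; override with LAN_IF/WAN_IF), and the allow-list is a constructed sample. It uses only standard `iptables` (the `mac` and `state` match modules present on 2.4/2.6 kernels) and `arp` from net-tools.

```shell
#!/bin/sh
# Added example (not from the thread): IP/MAC allow-list on a Linux gateway.
# Assumptions: LAN on eth1, WAN on eth0 (override via environment),
# allow-list entries are "ip mac" pairs in lower-case hex.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}

# Constructed sample allow-list; in practice read it from a file such as /etc/lan-hosts.
ALLOW_LIST="10.0.0.10 00:11:22:33:44:55
10.0.0.11 00:11:22:33:44:66"

# Reject malformed entries before they turn into firewall rules.
valid_entry() {
  echo "$1" | grep -Eq '^10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' || return 1
  echo "$2" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
}

# Commands for one authorized host: pin the ARP entry on the gateway so a
# spoofed ARP reply cannot redirect that IP, then allow forwarding only when
# both the source IP and the source MAC match the registered pair.
rules_for_host() {
  host_ip=$1
  host_mac=$2
  printf 'arp -i %s -s %s %s\n' "$LAN_IF" "$host_ip" "$host_mac"
  printf 'iptables -A FORWARD -i %s -o %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
    "$LAN_IF" "$WAN_IF" "$host_ip" "$host_mac"
}

# Emit the full rule set. Default-deny FORWARD: unknown hosts, and known
# hosts presenting a different MAC, are logged and dropped.
generate_rules() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "$ALLOW_LIST" | while read -r host_ip host_mac; do
    [ -n "$host_ip" ] || continue
    if valid_entry "$host_ip" "$host_mac"; then
      rules_for_host "$host_ip" "$host_mac"
    else
      echo "# skipped malformed entry: $host_ip $host_mac" >&2
    fi
  done
  echo "iptables -A FORWARD -i $LAN_IF -j LOG --log-prefix 'LAN-UNAUTH: '"
  echo "iptables -A FORWARD -i $LAN_IF -j DROP"
}

# Actually apply the rules (requires root). Not run by default.
apply_rules() {
  generate_rules | while read -r cmd; do
    sh -c "$cmd"
  done
}

# Usage: ./lan-allow.sh show   (print the commands)
#        ./lan-allow.sh apply  (run them as root)
case "${1:-}" in
  show)  generate_rules ;;
  apply) apply_rules ;;
esac
```

Run it with `show` first and read the output before using `apply`. The caveat is the one the original post already states: a MAC address is trivially changed on every OS listed, so this keeps casual or accidental hosts off the internet and makes ARP poisoning of the gateway harder, but it does not authenticate anyone; that is the gap IPsec or a VPN closes.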


  5. Re: Prevent internal LAN intruders

    On Tue, 17 Jan 2006 14:54:37 -0800, bbszabi wrote:

    > Well, unfortunately this won't solve my problem... after all the
    > digging I did it seems that all DHCP "solutions" can be worked around
    > simply by manually setting the IP address. NetReg is not an exception
    > either...


    If it weren't for the MS-Windows 98 "workstations" you mentioned, someone
    would probably have posted about: http://openvpn.net/ or something...

    --
    -Menno.

