Prevent internal LAN intruders
- From: bbszabi@xxxxxxxxx
- Date: 16 Jan 2006 15:01:58 -0800
I have a moderate size neighborhood LAN with one public IP address and
a masqueraded private 10.x.x.x network with unmanaged switches (and
maybe some wireless access in the future). There is a strong need to
secure somehow the internal access to the LAN to prevent: IP/MAC
stealing, unauthorized internet access, minimize the risk of internal
IP/MAC spoofing, sniffing & attacks, unauthorized access of computers
to the LAN or users accessing the LAN from some small NAT-ed networks
through connected computers. The gateway machine is a Debian 3.1 box
with kernel 2.4 or 2.6, the LAN workstations range from Win 98 to XP
and maybe some Linuxes.
I did some research and I came up with these conclusions:
- 802.1x not an option - requires expensive 802.1x capable switches
- VLAN not an option - requires expensive VLAN capable switches
- managed switches not an option - expensive
- proxy server - poor solution
- DHCP - poor solution
- static ARP tables - would bring some protection, but MAC addresses
still can be faked
The minimum I need is to make sure that only authorized users can gain
any access to the router and out to the internet. All my research led
to one solution: IPSec, as it provides certificate-based authentication
on the network, access control and data encryption too.
My question would be: is IPSec the right solution to my issues and, if
yes, how can I implement it? Of course any other solutions are very
welcome.
Regards,
Szabi