Prevent internal LAN intruders
Posted on January 16, 2006, 11:01 pm
a masqueraded private 10.x.x.x network with unmanaged switches (and
maybe some wireless access in the future). There is a strong need to
secure somehow the internal access to the LAN to prevent: IP/MAC
stealing, unauthorized internet access, minimize the risk of internal
IP/MAC spoofing, sniffing & attacks, unauthorized access of computers
to the LAN or users accessing the LAN from some small NAT-ed networks
through connected computers. The gateway machine is a Debian 3.1 box
with kernel 2.4 or 2.6, the LAN workstations range from Win 98 to XP
and maybe some Linuxes.
I did some research and I came up with these conclusions:
- 802.1x not an option - requires expensive 802.1x capable switches
- VLAN not an option - requires expensive VLAN capable switches
- managed switches not an option - expensive
- proxy server - poor solution
- DHCP - poor solution
- static ARP tables - would bring some protection, but MAC addresses
still can be faked
The minimum I need is to make sure that only authorized users can gain
any access to the router and out to the internet. All my research led
to one solution: IPSec, as it provides certificate-based authentication
on the network, access control and data encryption too.
My question would be: is IPSec the right solution to my issues and, if
yes, how can I implement it? Of course any other solutions are very
Re: Prevent internal LAN intruders
It is called NetReg.
Essentially you can set up a computer as a registration server, the
client communicates by default with this server. Upon successful
registration, the client reboots with authorized status. If not
registered, then the client side systems are completely unable to
access external resources.
There is a lot more to it, but you can do the research if you so desire.
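
The registration idea above, sketched for the Debian gateway as an added example that is not part of the thread and is not NetReg's own code: a list of registered IP/MAC pairs is validated and turned into a default-drop FORWARD ruleset plus static ARP entries. The interface name `eth1`, the sample registrations and the function names are assumptions.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample registrations (IP, MAC); not taken from the thread.
REGISTERED = [
    ("10.0.0.11", "00:16:3E:00:00:0B"),
    ("10.0.0.12", "00:16:3e:00:00:0c"),
]


def validate(entries, lan="10.0.0.0/8"):
    """Normalise entries; reject bad values and any IP or MAC listed twice."""
    net = ipaddress.ip_network(lan)
    seen, clean = set(), []
    for ip, mac in entries:
        addr = ipaddress.ip_address(ip)  # raises ValueError if malformed
        mac = mac.lower().replace("-", ":")
        if addr not in net:
            raise ValueError(f"{ip} is outside {lan}")
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {mac}")
        if str(addr) in seen or mac in seen:
            raise ValueError(f"duplicate registration: {ip} / {mac}")
        seen.update((str(addr), mac))
        clean.append((str(addr), mac))
    return clean


def forward_rules(entries, lan_if="eth1"):
    """Return an iptables-restore filter table: FORWARD drops by default,
    and only registered IP+MAC pairs arriving on lan_if may go out."""
    lines = ["*filter", ":FORWARD DROP [0:0]",
             "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for ip, mac in validate(entries):
        lines.append(f"-A FORWARD -i {lan_if} -s {ip} "
                     f"-m mac --mac-source {mac} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def ethers_file(entries):
    """Static ARP entries in /etc/ethers format (MAC then IP), for `arp -f`."""
    return "".join(f"{mac} {ip}\n" for ip, mac in validate(entries))


if __name__ == "__main__":
    print(forward_rules(REGISTERED), end="")
```

The first output is meant for `iptables-restore` and the second for `arp -f`. As the question already notes, MAC addresses can still be faked, so this narrows who gets forwarded rather than authenticating them.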