Prevent internal LAN intruders

I have a moderate size neighborhood LAN with one public IP address and
a masqueraded private 10.x.x.x network with unmanaged switches (and
maybe some wireless access in the future). There is a strong need to
secure somehow the internal access to the LAN to prevent: IP/MAC
stealing, unauthorized internet access, minimize the risk of internal
IP/MAC spoofing, sniffing & attacks, unauthorized access of computers
to the LAN or users accessing the LAN from some small NAT-ed networks
through connected computers. The gateway machine is a Debian 3.1 box
with kernel 2.4 or 2.6, the LAN workstations range from Win 98 to XP
and maybe some Linuxes.

I did some research and I came up with these conclusions:
- 802.1x not an option - requires expensive 802.1x capable switches
- VLAN not an option - requires expensive VLAN capable switches
- managed switches not an option - expensive
- proxy server - poor solution
- DHCP - poor solution
- static ARP tables - would bring some protection, but MAC addresses
still can be faked

The minimum I need is to make sure that only authorized users can gain
any access to the router and out to the internet. All my research led
to one solution: IPSec, as it provides certificate-based authentication
on the network, access control and data encryption too.
My question would be: is IPSec the right solution to my issues and, if
yes, how can I implement it. Of course any other solutions are very

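Added example (not code from the thread or from any project it mentions): a small Python audit that applies the "static ARP tables" idea from the post above to constructed ARP observations, as an arpwatch-style monitor on the gateway might record them, and makes the stated limitation concrete, since an exact copy of an authorized IP/MAC pair passes the check. The allowlist, the observations and the function names are assumptions.

```python
"""Audit ARP observations against a static IP->MAC allowlist.

Added example, not code from the thread. It applies the poster's
"static ARP tables" idea to constructed data and makes the stated
limitation concrete: an exact copy of an authorized IP/MAC pair
cannot be told apart from the real host at this layer.
"""
from collections import defaultdict

# Constructed allowlist of authorized hosts on the private 10.x.x.x net.
AUTHORIZED = {
    "10.0.0.1": "00:11:22:33:44:01",   # gateway
    "10.0.0.10": "00:11:22:33:44:10",
    "10.0.0.11": "00:11:22:33:44:11",
}

# Constructed (sender_ip, sender_mac) pairs, as an arpwatch-style
# monitor on the gateway would record them.
OBSERVED = [
    ("10.0.0.10", "00:11:22:33:44:10"),  # legitimate
    ("10.0.0.11", "00:11:22:33:44:11"),  # legitimate
    ("10.0.0.11", "DE:AD:BE:EF:00:01"),  # known IP, wrong MAC
    ("10.0.0.50", "de:ad:be:ef:00:02"),  # unregistered host (manual static IP)
    ("10.0.0.1",  "de:ad:be:ef:00:02"),  # same MAC now claims the gateway IP
    ("10.0.0.10", "00:11:22:33:44:10"),  # legitimate
]

def audit_arp(observed, authorized):
    """Return (kind, ip, mac) findings: 'ip_spoof' for a known IP with
    the wrong MAC, 'unregistered' for an IP not in the allowlist, and
    'multi_ip' for one MAC seen claiming several IPs."""
    findings = []
    ips_per_mac = defaultdict(set)
    for ip, mac in observed:
        mac = mac.lower()               # MACs compare case-insensitively
        ips_per_mac[mac].add(ip)
        expected = authorized.get(ip)
        if expected is None:
            findings.append(("unregistered", ip, mac))
        elif expected.lower() != mac:
            findings.append(("ip_spoof", ip, mac))
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            findings.append(("multi_ip", ",".join(sorted(ips)), mac))
    return findings

def is_perfect_clone(ip, mac, authorized):
    """True when the pair matches the allowlist exactly: a forged MAC that
    copies an authorized host passes this check, hence the poster's caveat."""
    return authorized.get(ip, "").lower() == mac.lower()
```

On a real gateway the observations would come from the ARP cache or an arpwatch log rather than a constructed list, and a legitimate host with several IPs would need to be whitelisted for the 'multi_ip' rule.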

Re: Prevent internal LAN intruders

There is a node registration process that is available to you as well.
It is called NetReg.

Essentially you can set up a computer as a registration server, the
client communicates by default with this server. Upon successful
registration, the client reboots with authorized status. If not
registered, then the client side systems are completely unable to
access external resources.

There is a lot more to it, but you can do the research if you so desire.

Re: Prevent internal LAN intruders

Thanks for the idea Thomas, I'll dig around for it. Cheers!

Re: Prevent internal LAN intruders

Well, unfortunately this won't solve my problem... after all the
digging I did it seems that all DHCP "solutions" can be worked around
simply by manually setting the IP address. NetReg is not an exception

Re: Prevent internal LAN intruders

On Tue, 17 Jan 2006 14:54:37 -0800, bbszabi wrote:


If it wasn't for the MS-Windows 98 "workstations" you mentioned, probably,
someone had posted about: or something...

