Solved

LAN Security

Posted on 2008-10-16
Last Modified: 2013-12-04
If it were to be decided that we needed to improve our LAN security (currently we only use unmanaged switches), what would be the best way to do it?

I have read, briefly, of IPSEC/SSH/SSL and switches that are capable of doing the encrypting. Any links to guides will be greatly appreciated.

Basically I am interested in knowing what would be the "easiest" method, in terms of cost and disruption to the network.
0
Question by:girbot
7 Comments
 
LVL 3

Expert Comment

by:din101
ID: 22729063
Are you talking about wireless or wired connections? IPSEC/SSH/SSL is not necessary for internal wired networks, and it will just be a waste of bandwidth overhead to use it. What you can do is secure the applications, like, say, email, IM, etc.
0
 
LVL 11

Expert Comment

by:snoopfrogg
ID: 22731121
I'd approach this problem by performing a risk assessment. Like the previous poster says, encrypting all traffic is very expensive resource-wise. I would determine which forms of communication (email, IM, etc.) you want to secure and put in place an architecture that will secure those.
0
 

Author Comment

by:girbot
ID: 22735971
Basically it is a shared building, with a shared comms room. Web traffic is not a problem as these services have already been secured.

I am doing some preliminary work into improving the LAN security and just wondered what the pros/cons of it would be and the easiest methods.


0

 
LVL 11

Expert Comment

by:snoopfrogg
ID: 22740618
For encrypting email, I would look into a PGP-related system (GnuPG, PGP Universal Server) to sign and encrypt mail. We're using PGP Universal Server - fairly easy to implement.

For Windows workstation-to-server communication, you can implement IPSEC with the help of Group Policy and a Public Key Infrastructure.  This would greatly reduce the risk of anybody sniffing and using your organization's traffic on the shared network hardware.  
0
 
LVL 5

Accepted Solution

by:
rexxus earned 125 total points
ID: 22746902
As a first step I'd be looking at replacing the unmanaged devices with managed LAN switches so that you have the option of enabling port-level security with options such as:

- dot1x authentication
- unused switchports are left in a shutdown/disabled state
- single/multiple MAC addresses allowed to connect to the switch etc
- segregate devices into VLANs and have access control lists between segments

http://www.cisco.com/en/US/netsol/ns628/networking_solution_relevant_networking_solutions_listing_intro_sc.html 

0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 22758777
With shared comm rooms you need some physical security and/or to be able to manage the gear properly, as rexxus has pointed out. Traffic encryption is overkill for most places, even in shared space. "Easiest" would be to have your network gear in a locked cabinet of your own and have all circuits and/or LAN drops placed into conduit as much as possible. Best would be that, plus managed gear, either one big switch or several small switches. There are many hardware resellers out there that can sell you refurbished and/or new equipment for far below what they originally list for. 802.1x is excessive usually, but is very effective; keeping unused ports shutdown/disabled is always a best practice, as is segregating your LAN traffic using VLANs.
-rich
0
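The per-port measures listed in the accepted answer and repeated in the reply above can be checked mechanically once managed switches are in place. The following is an added example, not code from any poster: a Python audit over a constructed Cisco IOS-style configuration that flags active ports with no 802.1X port control (`authentication port-control auto` or the older `dot1x port-control auto`), no MAC limit, or no non-default VLAN. The interface names, VLAN numbers and function names are assumptions, and ACLs between VLANs are not checked.

```python
import re

# Constructed sample in Cisco IOS-style syntax; not taken from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 authentication port-control auto
!
interface GigabitEthernet0/2
 switchport access vlan 20
 switchport port-security
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 switchport mode access
"""

def parse_interfaces(config):  # -> {interface name: [sub-commands]}
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return ports

def audit(config):  # -> {interface: [findings]} for active ports
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue  # a disabled port is already in the recommended state
        findings = []
        if not any(c.endswith("port-control auto") for c in cmds):
            findings.append("no 802.1X port control")
        if "switchport port-security" not in cmds:
            findings.append("no MAC address limit (port-security)")
        if not any(re.fullmatch(r"switchport access vlan (?!1$)\d+", c) for c in cmds):
            findings.append("left in default VLAN 1")
        if findings:
            report[name] = findings
    return report

print(audit(SAMPLE_CONFIG))
```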
 

Author Comment

by:girbot
ID: 22839965
Sorry for the delay in closing the question, got dragged into other things...

Thanks for the suggestions, plenty for me to look into further.

Thanks all.
0


Question has a verified solution.
