• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 264

LAN Security

If it was to be decided that we needed to improve our LAN security (currently we only use unmanaged switches) what would the best way to do it?

I have read, briefly, of IPSEC/SSH/SSL and switches that are capable of doing the encrypting. Any links to guides will be greatly appreciated.

Basically I am interested in knowing what would be the "easiest" method, in terms of cost and disruption to the network.
Asked by: girbot

2 Solutions
 
din101Commented:
Are you talking about wireless or wired connections? IPSEC/SSH/SSL are not necessary for internal wired networks, and using them would just waste bandwidth on overheads. What you can do is secure the applications, like, say, email, IM, etc.
 
snoopfroggCommented:
I'd approach this problem by performing a risk assessment. Like the previous poster says, encrypting all traffic is very expensive resource-wise. I would determine which forms of communication (email, IM, etc.) you want to secure and put in place an architecture that will secure those.
 
girbotAuthor Commented:
Basically it is a shared building, with a shared comms room. Web traffic is not a problem as these services have already been secured.

I am doing some preliminary work into improving the LAN security and just wondered what the pros/cons of it would be and the easiest methods.

 
snoopfroggCommented:
For encrypting email, I would look into a PGP-related system (GnuPG, PGP Universal Server) to sign and encrypt mail. We're using PGP Universal Server - fairly easy to implement.

For Windows workstation-to-server communication, you can implement IPSEC with the help of Group Policy and a Public Key Infrastructure. This would greatly reduce the risk of anybody sniffing and using your organization's traffic on the shared network hardware.
 
rexxusCommented:
As a first step I'd be looking at replacing the unmanaged devices with managed LAN switches so that you have the option of enabling port level security with options such as:

- dot1x authentication
- unused switchports are left in a shutdown/disabled state
- single/multiple MAC addresses allowed to connect to the switch etc
- segregate devices into VLANs and have access control lists between segments

http://www.cisco.com/en/US/netsol/ns628/networking_solution_relevant_networking_solutions_listing_intro_sc.html 

 
Rich RumbleSecurity SamuraiCommented:
With shared comms rooms you need some physical security and/or being able to manage the gear properly, as rexxus has pointed out. Traffic encryption is overkill for most places, even in shared space. "Easiest" would be to have your network gear in a locked cabinet of your own and have all circuits and/or LAN drops placed into conduit as much as possible. Best would be that, plus managed gear, either one big switch or several small switches. There are many hardware resellers out there that can sell you refurbished and/or new equipment for far below what they originally list for. 802.1x is usually excessive, but is very effective; keeping unused ports shutdown/disabled is always a best practice, as is segregating your LAN traffic using VLANs.
-rich
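As an added illustration of the port-level controls rexxus lists and Rich Rumble endorses (dot1x, disabled unused ports, a MAC limit per port, VLAN segregation with an ACL between segments), here is a constructed Cisco IOS access-switch configuration. It is not from the thread, from Cisco's linked page, or from any poster; the interface numbers, VLAN IDs, addresses (RFC 5737 documentation ranges and private space), RADIUS server, and the shared-secret placeholder are all assumed for the example and would need to match the real site.

```cisco
! Constructed example: one access switch in a shared comms room.
! All names, VLAN IDs, ports and addresses are assumptions for illustration.

! --- 802.1x: the switch asks RADIUS before a port is allowed to pass traffic
aaa new-model
aaa authentication dot1x default group radius
radius server SITE-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
dot1x system-auth-control

! --- VLANs: staff and printers are kept apart; 999 is a parking VLAN
!     with no SVI, so a device on a forgotten port still reaches nothing
vlan 10
 name STAFF
vlan 20
 name PRINTERS
vlan 999
 name BLACKHOLE

! --- Staff drops: 802.1x required, one MAC address per port,
!     a second MAC (e.g. a hub plugged in under a desk) err-disables the port
interface range GigabitEthernet1/0/1 - 20
 description Staff desk drops
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 dot1x port-control auto
 spanning-tree portfast

! --- Printers: no 802.1x supplicant, so port-security alone, and the
!     learned MAC is pinned ("sticky") so a swapped device is noticed
interface range GigabitEthernet1/0/21 - 24
 description Printers
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

! --- Unused ports: administratively down AND parked in the black-hole VLAN,
!     so re-enabling one by mistake still leaves it isolated
interface range GigabitEthernet1/0/25 - 48
 description UNUSED - do not enable without change control
 switchport mode access
 switchport access vlan 999
 shutdown

! --- Inter-VLAN ACL (Layer 3 switch): printers may answer staff but may
!     not open connections into the staff segment
ip access-list extended PRINTERS-IN
 remark replies to staff-initiated TCP sessions only
 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 established
 remark DNS to the internal resolver (assumed address)
 permit udp 10.0.20.0 0.0.0.255 host 10.0.10.5 eq 53
 deny   ip  10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 permit ip  any any

interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group PRINTERS-IN in

! --- Log port-security and dot1x events somewhere off the switch so a
!     shut-down port is investigated rather than silently re-enabled
logging host 192.0.2.20
```

The `deny ... log` line is what turns the ACL into a detection point: a printer-VLAN host probing staff machines produces a syslog entry on the collector. Port-security violations likewise show up in `show port-security interface` and in syslog, which is the signal that something unexpected was plugged into the shared room.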
 
girbotAuthor Commented:
Sorry for the delay in closing the question, got dragged into other things...

Thanks for the suggestions, plenty for me to look into further.

Thanks all.