Solved

Encrypting LAN traffic

Posted on 2016-11-16
4
57 Views
Last Modified: 2016-11-18
Hey All,

My organization is interested in encrypting the network traffic on our LAN.  I'm looking for a little discussion about what, if anything, you all might be doing, why, and how.  Our goal in this part of the project is to prevent a hacker from (easily) getting anything useful, assuming that someone has hacked into our network and set up camp to lay low and sniff out our traffic for a while.  The goal is not perfection (is that even possible in security), but a layer of difficulty that could well be a deterrent.  So far we are configuring LDAPS where possible/needed, have set our internal web applications to use HTTPS, and are looking into encrypting any communication with our database servers (reporting, applications, and development).

Does anyone see anything that we are missing, may want to look into, or know of anything we should avoid doing?  Any and all insight is welcome and appreciated.
0
Comment
Question by:GileadIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 41890939
First: I have seen pentesters doing this. To receive traffic that is not for your IP, you'll have to spoof that IP. Doing that will result in extremely weird behavior on the end of the pc being spoofed. Extremely suspicious, so if anyone is using that PC, everything network related will be ultra slow. I mention this to make you aware that this sniffing is not easy, not the slightest bit.

Network traffic in windows networks can be encrypted in several ways. With servers of the generation 2012 or 2016 and clients win8.x or win10, the SMB file share traffic (SMB 3) is encrypted by default. If you run legacy systems (win7/Server 2008R2), you will need to setup ipsec to reach the same goal.
1
 
LVL 9

Expert Comment

by:Cheever000
ID: 41891983
I agree with the IPSEC comment above, you can build profiles to require traffic to be encrypted via IPSEC internally.  And to add if a hacker could gain access to the network equipment and set up a SPAN or Mirror port they would not need to spoof an IP address and can gain access to all traffic.
1
 
LVL 54

Expert Comment

by:McKnife
ID: 41892512
Sure, if there is a mirror port and the central switches are accessible physically - but who would allow that? :-)
1
 
LVL 1

Author Closing Comment

by:GileadIT
ID: 41892833
IPSec appears to be the best option for the solution.
0

Featured Post

Are You Ransomware's Next Victim?

Worried about ransomware attacks hitting your organization?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with WatchGuard Total Security!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question