[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 66
  • Last Modified:

Encrypting LAN traffic

Hey All,

My organization is interested in encrypting the network traffic on our LAN.  I'm looking for a little discussion about what, if anything, you all might be doing, why, and how.  Our goal in this part of the project is to prevent a hacker from (easily) getting anything useful, assuming that someone has hacked into our network and set up camp to lay low and sniff out our traffic for a while.  The goal is not perfection (is that even possible in security), but a layer of difficulty that could well be a deterrent.  So far we are configuring LDAPS where possible/needed, have set our internal web applications to use HTTPS, and are looking into encrypting any communication with our database servers (reporting, applications, and development).

Does anyone see anything that we are missing, may want to look into, or know of anything we should avoid doing?  Any and all insight is welcome and appreciated.
0
GileadIT
Asked:
GileadIT
  • 2
1 Solution
 
McKnifeCommented:
First: I have seen pentesters doing this. To receive traffic that is not for your IP, you'll have to spoof that IP. Doing that will result in extremely weird behavior on the end of the pc being spoofed. Extremely suspicious, so if anyone is using that PC, everything network related will be ultra slow. I mention this to make you aware that this sniffing is not easy, not the slightest bit.

Network traffic in windows networks can be encrypted in several ways. With servers of the generation 2012 or 2016 and clients win8.x or win10, the SMB file share traffic (SMB 3) is encrypted by default. If you run legacy systems (win7/Server 2008R2), you will need to setup ipsec to reach the same goal.
1
 
Cheever000Commented:
I agree with the IPSEC comment above, you can build profiles to require traffic to be encrypted via IPSEC internally.  And to add if a hacker could gain access to the network equipment and set up a SPAN or Mirror port they would not need to spoof an IP address and can gain access to all traffic.
1
 
McKnifeCommented:
Sure, if there is a mirror port and the central switches are accessible physically - but who would allow that? :-)
1
 
GileadITAuthor Commented:
IPSec appears to be the best option for the solution.
0

Featured Post

Exciting career futures for women in IT

Education has the power to transform lives and open the door to new career opportunities. By earning an IT degree from WGU, you can become a highly skilled IT professional. Get the credentials and certifications you need to become a leader in this rewarding field.  

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now