[NTLUG:Discuss] How do you secure a LAN?
Paul Ingendorf
pauldy at wantek.net
Tue Dec 31 10:40:07 CST 2002
The problem comes like this scenario: as wireless becomes cheaper, people will
bring it into their homes. They become comfortable with the ease of use and
setup. They get cheaper and user A decides he would benefit by using his
laptop while in the john. He takes the AP into work and opens up the network to
being attacked by anyone who drives by. This is a real world problem that many
IT groups are working on right now. We have Firewalls and IDS and we finally
got our e-mail filtered. Now what about the area that a large percentage of
the attacks come from to begin with, the internal network. You could use a
personal firewall on every system and risk the headaches of blocking legitimate
services or allowing the users control of in and outbound connections and risk
their own ignorance breaching what the security is in place for to begin with.
Or, as you suggest, simply stay on top of your network and use security scanning
tools regularly to keep your systems as low on the radar as possible.
Unfortunately until smart switches become cheaper and more flexible allowing
ports to be enabled and disabled based on certain traffic rules the mere mention
of this issue will give many sysadmins a burning sensation in their guts.
Quoting rob apodaca <rob.apodaca at attbi.com>:
>
> An interesting problem. You could definitely use DHCP and mac-addresses
> to control which PCs could obtain IP addresses automatically, but
> this doesn't prevent someone from using a static IP address and then
> accessing network resources. You may want to think about the network
> resources you are trying to protect. Internet access? Web Server? Telnet
> Server? MS Shares? FTP Server? NFS Shares? In my opinion, if you
> secure your resources, you should not have to worry about who plugs
> what box into where because the situation you are describing is
> exactly like the internet. It is an untrusted network; therefore, you
> need to lock down your resources (the stuff you do control) and don't
> worry about what you do not control.
>
> Perhaps you could isolate your segment of the lan (the part you do
> have complete control of) with a firewall? You could allow only the
> machines of your choosing access to your resources.
>
> Hope this has been useful.
> Cheers,
> -rob