Encryption/VPN on a LAN, yes a strange one....

coolamasta · 10 Feb 2015 at 15:01

Hi guys, bit of an interesting one this as I cant quite get my head around best way to do this so wanted to see what others thought...

OK so the scenario - we have Building A and Building B, in Building A there is a local LAN, and currently in Building B there is nothing.

Building B needs access to Building A's LAN but Building B wont have its own internet connection as its only 50 metres away from Building A.

Now there is a outdoor grade Cat-5E running between buildings which can be used but just plugging the Building A side into the LAN and whacking a switch Building B side is not secure enough because anyone could theoretically tap into the Cat-5 and get full access to LAN.

Soooo, we want to use encryption just like a VPN does between the 2 buildings but not sure on best way to do this, I have set many a VPN up over 2 internet connections but not a on a LAN...

What way would you guys go about setting this up??

Rob7865 · 10 Feb 2015 at 16:39

Can the Cat5 Cable going into build B not be terminated into a secure room / cabinet?
That way you'll stop anyone just pluggin onto the main lan.

Rob

Sin_Chase · 10 Feb 2015 at 16:54

Using a Site to Site VPN will not secure your network. People will just plug into Site B's endpoint and have full access over it anyway, should you not secure Site B properly.

You will need to secure the building B switch/router endpoint to prevent people being able to access LAN resources.

What equipment do you have and in which buildings?

You will need a router/firewall appliance on Site A or Site B (or both) which is featured enough to allow you credential, certificate or physical address based authentication/filtering.

Encryption is not the answer you are looking for really. There is more to securing the network than your client to site communication.

Something like this would work:

Site A
Port 0------Internet/WAN
Port 1------Site A LAN 192.168.0.0/24
Port 2------Site B Endpoint 192.168.1.0/24<-------------Ext. Cat5e------------->Site B Switch-------Site B LAN

Port 2 Firewall

If using VPN config
Incoming - Drop All
Incoming - Accept VPN connections
Outgoing - Accept All
This will block all traffic except those destined to a VPN server. This can then be secured on a Certificate and/or credential basis. You could also consider using a PPPoE with RADIUS Auth config.

If firewall supports physical address filtering
Incoming - Drop All
Incoming - Accept Source MAC XX:XX:XX:XX:XX:XX (repeat for each physical machine on Site B)
Outgoing - Accept All
This will block all traffic except that from permitted source MAC on Site B

Your other option is a Site A to Site B VPN connection with client filtering/authentication on Site B. Are you using a window domain that can offer you Active Directory/Certificate based authentication for example?

#Chri5# · 10 Feb 2015 at 16:57

OP - are you worried about somebody splicing into the CAT5 between the buildings?

Syngress · 10 Feb 2015 at 17:29

MACSEC 802.1AE - But a complete and utter nightmare to setup. It encrypts all layer2 traffic between switches, so as long as you have a switch in both buildings that supports it, it'll do as you want.

coolamasta · 10 Feb 2015 at 18:04

Thanks for the input guys, sorry if I wasn't very clear in the main post, im not concerned about the internal network security in either building just the link between them so for example if someone came along outside, cut it, shoved a plug on and then they would just get a DHCP address and have access to the whole network, I just want to encrypt the data between building A and B.

Each building is secure so not worried about unauthorized devices being plugged in etc

Cheers for the help so far

APM · 10 Feb 2015 at 18:10

is this any good?

https://www.softether.org/4-docs/1-...10.5_Build_a_LAN-to-LAN_VPN_(Using_L2_Bridge)

Sin_Chase · 10 Feb 2015 at 18:42

coolamasta said:
Thanks for the input guys, sorry if I wasn't very clear in the main post, im not concerned about the internal network security in either building just the link between them so for example if someone came along outside, cut it, shoved a plug on and then they would just get a DHCP address and have access to the whole network, I just want to encrypt the data between building A and B.

Each building is secure so not worried about unauthorized devices being plugged in etc

Cheers for the help so far

If that's the case then just secure each port on each endpoint. Allow access only to the opposing uplink port of each device and job done. Do not need encryption or otherwise.