Networks Encryption/VPN on a LAN, yes a strange one....

Discussion in 'Hardware' started by coolamasta, 10 Feb 2015.

  1. coolamasta

    coolamasta Folding@Home CC Captain 2010/11/12

    Joined:
    26 Apr 2009
    Posts:
    2,618
    Likes Received:
    110
    Hi guys, bit of an interesting one this as I can't quite get my head around the best way to do this, so wanted to see what others thought...

    OK so the scenario - we have Building A and Building B, in Building A there is a local LAN, and currently in Building B there is nothing.

    Building B needs access to Building A's LAN, but Building B won't have its own internet connection as it's only 50 metres away from Building A.

    Now there is an outdoor-grade Cat-5E running between buildings which can be used, but just plugging the Building A side into the LAN and whacking a switch on the Building B side is not secure enough, because anyone could theoretically tap into the Cat-5 and get full access to the LAN.

    Soooo, we want to use encryption just like a VPN does between the 2 buildings, but not sure on the best way to do this. I have set many a VPN up over 2 internet connections but not on a LAN...

    What way would you guys go about setting this up?? :)
     
  2. Votick

    Votick My CPU's hot but my core runs cold.

    Joined:
    21 May 2009
    Posts:
    2,321
    Likes Received:
    109
    Can't you just do a LAN to LAN IPSEC Tunnel?
    What routers are you using?
     
  3. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    I think no routers and that's the problem :p

    You wanna stick a router on each end and do what Votick says, will work great. But you will also need to stick some routing info in on Site B to be able to get them out to the internet on LAN A, and probably stick both sites on different subnets.

    Or be posh and get a wifi or laser link :D
     
  4. Votick

    Votick My CPU's hot but my core runs cold.

    Joined:
    21 May 2009
    Posts:
    2,321
    Likes Received:
    109
    +1

    Just a simple default rule to forward all traffic over the Tunnel.
     
  5. nimbu

    nimbu Multimodder

    Joined:
    28 Nov 2002
    Posts:
    2,596
    Likes Received:
    283
    Configure DHCP servers for MAC authentication?
     
  6. Votick

    Votick My CPU's hot but my core runs cold.

    Joined:
    21 May 2009
    Posts:
    2,321
    Likes Received:
    109
    A) That means all devices would need to be added - I gather this company has two buildings, so there are probably a fair few hundred MAC addresses to be added and maintained.

    B) MACs can be spoofed, so this is totally insecure.

    Good idea but not viable.
     
  7. saspro

    saspro IT monkey

    Joined:
    23 Apr 2009
    Posts:
    9,613
    Likes Received:
    404
    What kit do you have on each site already?
    Windows only?
     
  8. nimbu

    nimbu Multimodder

    Joined:
    28 Nov 2002
    Posts:
    2,596
    Likes Received:
    283
    From his OP, sounds like he has no additional kit.

    Even if you set up an IPSEC tunnel between the two offices, how would you ensure that an unauthorised machine is not hooking into the LAN?

    When we had sub-tenants at one place, we gave them their own pipe in and used our WatchGuard kit to create them their own network. We then set up a BO VPN with specific routes to allow them to print, but that was about it. However, with that setup I couldn't stop just anyone plugging into the port.

    Wracking my head trying to figure this one out myself.
     
  9. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    The LAN is inside the building at least - with a cable running between two buildings, I could go there and cut it at night, and plug myself right into the network, without being inside either building. Even with locked-down MAC addresses (which in a big environment really isn't that feasible) I can find the subnet and statically put myself on it.

    I think the issue is the cable going between the buildings isn't inside either of the buildings. At least with cables being inside you have a little sense of security that when you are not there and the building is locked up, no one is going to easily get on your network.

    With a tunnel between both, you could cut the cable and plug yourself in, and you would just get to a router that is wanting to talk to another router, and with any luck you wouldn't be able to get any traffic beyond that.
     
  10. Atomic

    Atomic Gerwaff

    Joined:
    6 May 2002
    Posts:
    9,646
    Likes Received:
    94
    Easy when using 802.1X with managed switches and a RADIUS server...

    I don't think the OP is concerned about securing internal network access but rather just encrypting the data passing over the cable between the buildings to stop someone sniffing data or performing a man-in-the-middle attack.
     
  11. coolamasta

    coolamasta Folding@Home CC Captain 2010/11/12

    Joined:
    26 Apr 2009
    Posts:
    2,618
    Likes Received:
    110
    Thanks for all the input so far guys, it is just basically that: the internal LAN in B-A has to have a secure connection to B-B, so if someone did cut the cable and plug in then they wouldn't have access to anything.

    B-B has no hardware at all, and B-A uses a Draytek Vigor 2955 Router/Firewall, although recently they have been using a pfSense firewall on a dedicated box with multiple NICs which seems to work nicely for their needs.

    It's not a big company thing, it's just a small business for a friend who has an extra building he wants network access to, no fancy Cisco switching or high-tech IT kit.

    I did have thoughts about using a DMZ connection from the router and having specific firewall rules for passing data through to fixed IPs, no DHCP etc, but still not as secure as encryption, as I'm sure packet sniffing tools etc would pick up on the subnet and dig deeper. I know the chances of this happening are silly low but would rather data is encrypted.

    I just can't get my head around how to do this over a LAN, sounds easy in principle but giving me a bit of a headache lol :waah:
     
  12. Votick

    Votick My CPU's hot but my core runs cold.

    Joined:
    21 May 2009
    Posts:
    2,321
    Likes Received:
    109
    If there is already a Draytek in A, just throw in a cheap one in B and you can get an IPSEC tunnel up in about 30 seconds.
     
  13. adam_bagpuss

    adam_bagpuss Have you tried turning it off/on ?

    Joined:
    24 Apr 2009
    Posts:
    4,282
    Likes Received:
    159
  14. law99

    law99 Custom User Title

    Joined:
    24 Sep 2009
    Posts:
    2,390
    Likes Received:
    63
    Pfsense... quagga OSPF, ipsec. Done. Then you'll have a proper firewall and IPS/IDS type system available in between. Throw extra curveball in there by tagging the traffic between two links also.

    TBH, it doesn't sound like you are worried about corporate espionage... use SNMP to monitor the links between the buildings, as in the physical status of the interfaces. If they go down, you know you need to check your cabling for some **** nut monkey ****'s device in the centre stealing your internets.
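    law99's SNMP idea, as an added example that is not part of the thread: a small Python checker that compares two polls of IF-MIB::ifOperStatus (in the text form net-snmp's snmpwalk prints) and flags the cable-facing port dropping from up to anything else. The interface names (igb0/igb1) and the poll output are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of net-snmp text output for IF-MIB::ifDescr and
# IF-MIB::ifOperStatus on the Building A gateway (interface names invented).
POLL_BEFORE = """\
IF-MIB::ifDescr.1 = STRING: lo0
IF-MIB::ifDescr.2 = STRING: igb0
IF-MIB::ifDescr.3 = STRING: igb1
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: up(1)
IF-MIB::ifOperStatus.3 = INTEGER: up(1)
"""
# The same poll a minute later: igb1 (the port facing Building B) is down.
POLL_AFTER = POLL_BEFORE.replace("ifOperStatus.3 = INTEGER: up(1)",
                                 "ifOperStatus.3 = INTEGER: down(2)")

LINE_RE = re.compile(r"^IF-MIB::(ifDescr|ifOperStatus)\.(\d+) = \w+: (.+)$")


def parse_ifmib(text: str) -> Dict[int, Dict[str, str]]:
    """Map ifIndex -> {'descr': name, 'status': 'up' | 'down' | ...}."""
    table: Dict[int, Dict[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        obj, idx, val = m.group(1), int(m.group(2)), m.group(3)
        entry = table.setdefault(idx, {})
        if obj == "ifDescr":
            entry["descr"] = val
        else:
            entry["status"] = val.split("(")[0]   # "down(2)" -> "down"
    return table


def link_down_alerts(previous: str, current: str, watched: List[str]) -> List[str]:
    """Report watched interfaces that were up last poll and are not up now."""
    before, after = parse_ifmib(previous), parse_ifmib(current)
    alerts: List[str] = []
    for idx, entry in sorted(after.items()):
        name = entry.get("descr", f"ifIndex {idx}")
        if name not in watched:
            continue
        was = before.get(idx, {}).get("status", "unknown")
        now = entry.get("status", "unknown")
        if was == "up" and now != "up":
            alerts.append(f"{name}: {was} -> {now}; check the inter-building cable")
    return alerts
```

    In practice you would feed it the output of two consecutive `snmpwalk -v2c -c <community> <gateway> IF-MIB::ifOperStatus` runs (plus ifDescr) from cron and page on any alert; a cut cable shows up as a down event a few seconds after it happens.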
     
  15. coolamasta

    coolamasta Folding@Home CC Captain 2010/11/12

    Joined:
    26 Apr 2009
    Posts:
    2,618
    Likes Received:
    110
    Cheers fellas, now if we went for the Draytek/pfSense IPSEC option how would one go about it? Didn't even think you could IPSEC over internal LAN ports, only on WAN?

    Or with pfSense in Building A do we add an extra NIC and set it to be a VPN server, and then that would mean in Building B there would need to be a pfSense box there too with a NIC assigned and configured to be a VPN client? So give them static IPs on a random subnet, then connect a VPN (OpenVPN I think pfSense uses) and job should be a good one?

    Never heard of Quagga OSPF, and to be honest I'm no expert with routing/networking, but I have had many a headache with Cisco kit and OSPF lol
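    To answer the "can you IPSEC over a LAN port" question from this post and law99's pfSense/IPsec suggestion above, here is an added example (not from the thread, and not a pfSense GUI export) of the Building A side of the tunnel in strongSwan's swanctl.conf, strongSwan being the IPsec daemon pfSense runs underneath its GUI. The addresses, identities and PSK are placeholders: the cable gets its own tiny point-to-point subnet (10.255.255.0/30) between the two routers, and IPsec does not care whether that interface is labelled LAN or WAN.

```conf
# Building A gateway, /etc/swanctl/swanctl.conf (placeholder values throughout).
connections {
    building-b {
        version      = 2
        # This router's port on the inter-building cable.
        local_addrs  = 10.255.255.1
        # The Building B router at the far end of the same cable.
        remote_addrs = 10.255.255.2
        proposals    = aes256-sha256-ecp256
        dpd_delay    = 30s
        local {
            auth = psk
            id   = gw-a
        }
        remote {
            auth = psk
            id   = gw-b
        }
        children {
            lan-a-to-lan-b {
                # Building A LAN <-> Building B LAN; only this traffic enters the tunnel.
                local_ts      = 192.168.1.0/24
                remote_ts     = 192.168.2.0/24
                esp_proposals = aes256gcm128-ecp256
                # Install a trap policy so the tunnel comes up on the first packet.
                start_action  = trap
                dpd_action    = restart
            }
        }
    }
}
secrets {
    ike-gw-b {
        id     = gw-b
        secret = "REPLACE_WITH_A_LONG_RANDOM_PSK"
    }
}
```

    The Building B router mirrors this with the addresses, ids and traffic selectors swapped; on both sides the firewall rule on the cable-facing interface should admit only IKE (UDP 500/4500) and ESP from the peer address, so that anyone splicing into the cable sees exactly what Margo Baggins describes: a router that will only talk IKE to another router.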
     
  16. Qazax

    Qazax Fap fap fap

    Joined:
    20 Aug 2012
    Posts:
    196
    Likes Received:
    7
    Just hide the CAT5 cable - security through obscurity :D Or fit some protective metal ducting around/over it?

    Other strange outside the box suggestion: get a power lead going between the buildings and use Powerline adapters - they have built in encryption and you can pick up a gigabit pair for not too much money. I would like to see someone work out that you are sending data over a power cable and hack that!
     
  17. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    I might be wrong, but I'm fairly certain you can't get gigabit speeds through any home plugs.
     
  18. Qazax

    Qazax Fap fap fap

    Joined:
    20 Aug 2012
    Posts:
    196
    Likes Received:
    7
    I own a gigabit power line kit, wasn't expensive but it does get quite toasty!
     
  19. Margo Baggins

    Margo Baggins I'm good at Soldering Super Moderator

    Joined:
    28 May 2010
    Posts:
    5,649
    Likes Received:
    268
    While you potentially own something that says gigabit power line kit on the box - I can't actually imagine it is A.) full duplex gigabit speeds or B.) actually reaching those speeds in the real world.

    Either way - sticking power line adaptors as the link between two buildings on even a small business network is mental talk.
     
  20. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,133
    Likes Received:
    6,728
    Wot 'e said. This PC Advisor review of a supposed gigabit (1200Mb/s, in fact) Devolo adapter found that they could get 357Mb/s when the adapters were in sockets next to each other, dropping to 126Mb/s when one was moved to a room two floors down. Importantly, that was considered good: "The 1200+ again romped home, scoring an average speed of 126Mbps," the review reads, noting that "our previous fastest in this set up had been 88Mbps." They describe the pair as the "fastest Powerline [they've ever] tested." At 126Mb/s real-world throughput.

    Powerline is convenient, that's true. What it is not is secure, and it certainly isn't fast - regardless of the numbers the manufacturer chooses to put on the box.
     