Has anybody tried that approach already? I'm really considering it: instead of relying on network-based IDS etc., every packet must use encryption which was initiated by a certificate issued by my own CA.
- Every client gets a unique client certificate
- Every server gets a unique server certificate
- Every service additionally requires a login.
Both SSL and SSH would be ok. Access to the internet would be done via an SSL tunnel to the gateway.
Is it feasible? Does it create practical problems? How could it be done and enforced? What do you think?
More details
My goal is to simplify the LAN's security concept - I'm not yet sure if that's a crazy idea! But I feel that securing an HTTPS or SSH server from internet threats (if using mutual authentication) is sometimes easier than monitoring everything that can happen in the wild world of a LAN.
On a non-encrypted LAN, I feel it's really hard to be a good step ahead of a potential attacker, because of threats like:
- Low level attacks like ARP spoofing, Port stealing, ...
- WLAN access (e.g. every developer will be allowed to access the SVN server from the (W)LAN - I don't think it will be through a VPN...)
=> For simplicity, isn't it easier to make the assumption that there is always an attacker in the LAN?
=> Could I end up simplifying a (small company's) LAN security concept by treating it like a WAN? Or would I rather complicate it?
IPSec and alternatives
IPSec sounds very promising, but I'd be interested in alternatives to IPSec, too - using SSL/SSH individually per service and creating a stunnel to the gateway? Using Kerberos maybe? ... What are the advantages of IPSec or the others?
If you can help me with getting a better grasp on IPSec, please see my follow-up question specifically on IPSec.
IPSec is the standard for this. It comes in different forms and there is a lot of vocabulary to it.
I recommend this guide to IPSec to get you started.
I use IPsec here for everything. The reasoning is that most attacks are made by insiders anyway - the bad side/good side thinking is flawed. (If anyone makes off with the servers they can have fun trying to break the full-disk encryption, so no problem there, either.)
It's also fun to use telnet, NIS, NFS and FTP without any worries - feels like the good old days! :-)
Do you have a threat model where unfettered access to your LAN infrastructure is expected? If so, yes, deploying IPSEC to all end-points is probably what you want.
However, in most threat models there's enough perimeter security that you can essentially ignore the LAN infrastructure as a cheap access method.
The picture changes if you have WiFi installed; you'd need something between the WiFi network(s) and the wired network(s) to ensure that you don't have any information leakage via that route.
On the Windows side what you are looking for is Domain and Server Isolation. You can play with it using this labcast.
My default Windows implementation plan for a new install has this included. In Windows it's not hard to set up and offers lots of extra security (and there's really no "extra" administration; you might need a few more security groups).
NAP doesn't require IPsec (or even the PKI - that's only if you want to run native mode). SCCM is an additional product; nothing extra is required for domain and server isolation. NAP is primarily designed to send "health" information about a client, and if that client doesn't pass your "health" check then it is deferred to only communicate with a remediation server(s). Health is defined as patch requirements, AV settings, security settings, etc. You certainly can use SCCM to set up IPSEC, but it's not a requirement.
With Domain and Server Isolation I don't have the ability to check that "health" - nor is it the point. When it's set up I am encrypting the traffic and additionally guaranteeing that the servers and clients are only allowed to communicate with the servers and clients required for that business function (e.g. HR workstations are the only workstations allowed to communicate with the HR server).
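As an added example, not code from the question or from any of the answers above: the question's scheme built with Go's standard library. A private CA issues one certificate per server and per client, the server completes the TLS handshake only for clients whose certificate chains to that CA (so a machine with no certificate, or one minted under an attacker's own CA, never reaches the service), and on top of that the server applies the per-service allow-list the Domain and Server Isolation comment describes, so only the HR workstation gets a "HELLO" from the HR server. The names, the loopback address, the "hr-server" server name, the one-line banner protocol and the 24-hour lifetimes are assumptions for this demo; revocation, persistent serial tracking and key storage are left out and are needed in a real deployment.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // the demo cannot continue without its certificates
	}
	return v
}

// Issue mints a P-256 key and certificate named cn: a self-signed CA when no issuer is given, else a leaf signed by issuer.
func Issue(cn string, issuer ...tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; a real CA records every serial it issues
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // the name a peer verifies against (assumed naming scheme)
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  len(issuer) == 0,
	}
	parent, signer := tmpl, any(key) // no issuer: self-signed, the private CA signs itself
	if len(issuer) > 0 {
		parent, signer = issuer[0].Leaf, issuer[0].PrivateKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// StartServer listens on loopback, finishes a handshake only with clients chained to ca, then allows or denies by client name.
func StartServer(server, ca tls.Certificate, allowed map[string]bool) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate, or one from another CA: no connection
		ClientCAs:    pool,
	}))
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c *tls.Conn) {
				defer c.Close()
				if c.Handshake() == nil { // the peer is authenticated by our CA; now authorise it for this service
					cn := c.ConnectionState().PeerCertificates[0].Subject.CommonName
					if allowed[cn] {
						fmt.Fprintf(c, "HELLO %s\n", cn)
					} else {
						fmt.Fprintf(c, "DENY %s\n", cn) // valid certificate, but not in this service's group
					}
				}
			}(conn.(*tls.Conn))
		}
	}()
	return ln.Addr().String()
}

// Connect dials addr trusting only ca for the server side and presenting certs (none models a machine without one).
func Connect(addr string, ca tls.Certificate, certs ...tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, Certificates: certs, ServerName: "hr-server"})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	line, err := bufio.NewReader(conn).ReadString('\n') // under TLS 1.3 a rejected client certificate surfaces here
	return strings.TrimSuffix(line, "\n"), err
}

func main() {
	ca := Issue("example-corp-ca")
	addr := StartServer(Issue("hr-server", ca), ca, map[string]bool{"hr-workstation-01": true})
	fmt.Println(Connect(addr, ca, Issue("hr-workstation-01", ca)))  // HELLO hr-workstation-01 <nil>
	fmt.Println(Connect(addr, ca, Issue("dev-workstation-07", ca))) // DENY dev-workstation-07 <nil>
	fmt.Println(Connect(addr, ca, Issue("hr-workstation-01", Issue("attacker-ca")))) // "" and a TLS error: foreign CA
	fmt.Println(Connect(addr, ca))                                                  // "" and a TLS error: no client certificate
}
```

Two things worth noticing when running it. First, the attacker's certificate carries exactly the same name as the real HR workstation and is still rejected, because the server trusts one root only; this is what makes "assume there is always an attacker in the LAN" workable, since ARP spoofing or a stolen port gets the attacker packets but no usable identity. Second, with TLS 1.3 the client's `Dial` may succeed and the rejection only appears on the first read, so a client must treat the whole exchange, not just the connect, as the point of failure.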
The security term is "protection of data in transit." Yes, there are groups that do this, and yes, in some ways it does simplify LAN security. IPSEC and IPv6 can be used to support this.
The complementary concept is "protection of data at rest," which means encrypting your disks.
Don't know what systems and infrastructure you're using but Microsoft's System Centre Config Manager (SCCM) has a Network Access Protection (NAP) component that does exactly what you're after.
It PKI-encrypts all client-server traffic and puts non-authenticated machines into what is effectively a DMZ where they're unable to talk to any server/machine/system that hasn't been specifically set up to sit in that DMZ also. It can also pre-check machines' patch level, anti-virus, security, etc. settings before allowing them onto the main LAN (obviously in this case you'd have an updates server or two sitting in the DMZ).
Step-by-step guides to setting this up for demo/testing are here.