Secure Intranet on a LAN

Daenerys

Hello

I'm practising building networks and looking for some advice about secure hardware/network setup - just doing this at home at the moment as a test - so a simple system will do.

I am setting up an intranet on a Linux box running Apache. The intranet pages will be served to PCs in a LAN. The PCs in the LAN are also connected to the Internet.

The Linux box itself will not be connected to the Internet, protecting it from external attacks; but how do I configure the network to protect this server from attacks from within the LAN? It's not the server software and web application configuration I'm after, rather the network and network hardware side of it.

I am envisaging putting the server on a separate subnet from the rest of the LAN, and putting a router between the two as a firewall. Will this work?

Cheers
 
Putting a router between the server and the LAN would help protect against finding the server via subnet scans. However, I suspect someone could find the server by analysing the traffic on the LAN. You should look to eliminate any unnecessary services running on network hardware, keep the firmware up to date, and use strong passwords on your equipment. Managed network devices, typically used in enterprises, should have controls for configuring the network ports. For instance, I remember studying Cisco and at that time they had a setting for disabling auto-connect for switch ports. This would prevent anyone from "plugging in" to the network without authorisation; an admin would have to "enable" the port.


http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf
 
I am envisaging putting the server on a separate subnet from the rest of the LAN, and putting a router between the two as a firewall. Will this work?

Cheers

It would work, provided that the router can be used to configure access lists. Throwing a Linksys in there isn't going to help much.

Typically, you would create VLANs for the different broadcast domains in your network and you would use a router to control communication between the different VLANs. The idea is to grant the absolute minimum level of access that's required for the different network segments rather than trying to protect specific resources from the rest of the intranet. This would be a bit much for a home network, but you could easily set up a virtual environment with a simulator program like Packet Tracer.
 
As the Linux box is intranet only, you can set up iptables to refuse all traffic that does not come from your internal network.

iptables would automatically drop the connection and there would be no fuss about it.
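As an added example (not posted by anyone in this thread), here is what that host-side iptables policy looks like when written out in iptables-restore format: the INPUT chain defaults to DROP, Apache is reachable only from the client LAN subnet, SSH only from a single admin PC, and everything else is logged and dropped. The subnet 192.168.10.0/24, the admin host 192.168.10.5 and the port numbers are assumptions chosen for illustration; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an iptables ruleset
# for an intranet-only Apache box so that only the internal LAN can reach it.
# LAN_NET, ADMIN_HOST and WEB_PORT are assumed values for illustration.
set -e

LAN_NET="${LAN_NET:-192.168.10.0/24}"     # assumed: subnet of the client PCs
ADMIN_HOST="${ADMIN_HOST:-192.168.10.5}"  # assumed: the one PC allowed to SSH in
WEB_PORT="${WEB_PORT:-80}"                # assumed: Apache listens on plain HTTP

# Emit the ruleset on stdout in iptables-restore(8) format.
# Args: <lan_cidr> <admin_host> <web_port>
lan_only_ruleset() {
    lan_net="$1"; admin_host="$2"; web_port="$3"
    cat <<EOF
*filter
# Default deny on INPUT: anything not matched below is dropped.
# FORWARD is dropped too because this box is a server, not a router.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus replies to connections the server itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Malformed/out-of-state packets never get as far as Apache.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Intranet web traffic: new connections only from the LAN subnet, with a
# SYN rate limit so one misbehaving PC cannot flood the service.
-A INPUT -p tcp -s ${lan_net} --dport ${web_port} --syn -m limit --limit 25/second --limit-burst 100 -j ACCEPT
# Management: SSH from the admin PC only, not from the whole LAN.
-A INPUT -p tcp -s ${admin_host} --dport 22 -j ACCEPT
# Allow pings from the LAN so basic troubleshooting still works.
-A INPUT -p icmp -s ${lan_net} --icmp-type echo-request -j ACCEPT
# Log (rate limited) and drop the rest, so scans from a compromised
# LAN host leave a trace in the kernel log.
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "intranet-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Number of INPUT rules in the generated set (handy for a sanity check).
input_rule_count() {
    lan_only_ruleset "$@" | grep -c '^-A INPUT'
}

# Apply the ruleset atomically. Run as root: ./intranet-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    lan_only_ruleset "$LAN_NET" "$ADMIN_HOST" "$WEB_PORT" | iptables-restore
elif [ "${1:-}" = "show" ]; then
    lan_only_ruleset "$LAN_NET" "$ADMIN_HOST" "$WEB_PORT"
fi
```

Before loading it for real, pipe the output through `iptables-restore --test` to catch syntax errors, then review the live chain with `iptables -S INPUT`. Note that the filter sits on the server itself, so it complements rather than replaces the router ACLs discussed above: a host on the LAN can still see the box if it is in the same broadcast domain, but it cannot open anything except the web port.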
 