Encrypted Networks

Beccara (n00b, joined Jun 1, 2004, 41 messages)
Good Morning All,

My office has recently had its inter-building link spliced into and an amount of data was stolen, and I have been asked to look into encrypting the traffic. We run a mix of Linux and MS Windows XP boxes and would like to know of any way to encrypt all traffic on the LAN. An increase in traffic isn't an issue, as all PCs are on a 100/1000 link and don't fully use the link yet.

Any ideas on any software to do this?
 
Depending on what type of inter-building equipment you have and how much performance matters, look into VPN or IPSEC (or a combination of the two) to encrypt end to end communications.
 
IPSEC is an option but it's difficult to make for 40-50 PCs. RSA is out of the question as we aren't big enough to pay to get people out to New Zealand to design an implementation.
 
Beccara said:
IPSEC is an option but it's difficult to make for 40-50 PCs. RSA is out of the question as we aren't big enough to pay to get people out to New Zealand to design an implementation.

Make the two buildings separate networks (subnets) and use a couple of Linux machines as VPN/IPSEC routers in each building to make the connection to each other.

The result will be that the traffic is encrypted over the wire, and since you're establishing a site-to-site VPN, the network will work just the same without the need for loading any additional software on each workstation or worrying about OS compatibility.
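A site-to-site tunnel of the kind described in this post, as an added example that is not from the thread: a modern strongSwan-style ipsec.conf for the Building A router, where every address, subnet, identity and certificate name is a constructed placeholder and the Building B router gets the mirror-image definition.

```conf
# /etc/ipsec.conf on the Building A router (constructed example, strongSwan syntax).
# Placeholders: 203.0.113.10 / 203.0.113.20 are the routers' link-facing addresses,
# 10.1.0.0/24 and 10.2.0.0/24 are the LAN subnets of Building A and Building B.
config setup
    uniqueids=yes

conn building-a-to-b
    keyexchange=ikev2
    authby=pubkey                      # certificate auth, not a shared secret
    ike=aes256-sha256-modp2048!        # '!' = accept only this IKE proposal
    esp=aes256-sha256!                 # '!' = accept only this ESP proposal
    left=203.0.113.10                  # this router, on the inter-building link
    leftsubnet=10.1.0.0/24             # Building A LAN behind it
    leftid=@router-a.example.internal
    leftcert=routerA.pem               # placed in /etc/ipsec.d/certs
    right=203.0.113.20                 # Building B router
    rightsubnet=10.2.0.0/24            # Building B LAN behind it
    rightid=@router-b.example.internal
    dpdaction=restart                  # re-establish if the peer stops answering
    auto=start                         # tunnel comes up at boot, not on first packet
```

To make the link fail closed rather than fall back to cleartext when the tunnel is down, add an iptables FORWARD rule that accepts traffic between the two subnets only when it matches `-m policy --dir out --pol ipsec` and drops it otherwise. Verifying on the link interface with `tcpdump -ni <link-if> not esp` should then show nothing but IKE on UDP 500/4500.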
 
If someone wants your data enough to cut the wire running between the buildings, I'd also be thinking that they might try to get into your building as well. Take a look at the physical security inside your buildings too. Do you have the removable ceiling tiles? If so, can one push those out of the way and get access to your cable runs?

I'm thinking you're looking for more of an end-to-end solution covering desktops and everything. Doing IPSec between the two buildings is definitely an option, and doing so would give you more time to research a total solution, if that's what you're looking for.
 
The cable is only buried 1ft down; the building is surrounded by barbed wire and 4' solid steel doors with reinforced concrete walls.
 
Beccara said:
The cable is only buried 1ft down; the building is surrounded by barbed wire and 4' solid steel doors with reinforced concrete walls.

Other options to consider:

1. Change the cable from Copper to fiber - highly difficult to "tap"
2. Encase cable in PVC or Steel and rebury deeper.
3. Use site to site laser bridges. - Near impossible to "tap"
4. Use wireless bridges/routers in a point to point VPN configuration to encrypt the traffic.
 
Beccara said:
The cable is only buried 1ft down; the building is surrounded by barbed wire and 4' solid steel doors with reinforced concrete walls.

Wow. May I ask what you're dealing with and where you're working?
 
The fiber option is something we have been looking into. The company I work for is a rather large multinational which houses nearly USD$15mill of server hardware and telco gear in 2 secure buildings in NZ. These boxes run 50-60% of core govt infrastructure and large NZ companies.
 
The fiber is a good option, but so is the point-to-point laser. If you go with the fiber, spend the extra bucks to get the kevlar-jacketed variety...or at least get some kind of very heavy-duty jacket on it.

Even if you did fiber, I'd still do IPSec across the link.
 
Yea, a pair of Linux routers running a VPN would be a fine and cheap option. Shoot, I think you could even get some of the Linux firewall distros to do that, like Clarkconnect and Smoothwall. You might want the paid versions, but not bad overall.
 
If you work for a company that large go for a Sonicwall to Sonicwall or Cisco PIX to Cisco PIX IPSEC/VPN. Throw in the kevlar jacketed fibre through PVC as well. That should be all the protection you'll ever need.

Forget Linux. I would never employ such a cheesy OS like that in an enterprise-government arena. If you ever thought of using something unix-like in this situation use a SECURE setup like OpenBSD/FreeBSD.
 
I don't think Clarkconnect and Smoothwall were designed for such an enterprise solution.

You guys that suggested to use Linux boxes are giving bad advice. For an enterprise solution, you only have a few options: Cisco PIX, Nokia, Sonicwall or Checkpoint.

You just can't compromise saving a few bucks with good network security.


EDIT: Shade91 - Nice to know someone else agrees with me
 
enforcer17 said:
You guys that suggested to use Linux boxes are giving bad advice. For an enterprise solution, you only have a few options: Cisco PIX, Nokia, Sonicwall or Checkpoint.

I agree at this point. In all fairness, if the poster had stated what type of business it was going into, I would have *not* suggested Linux; rather, I would have suggested a PIX or Checkpoint solution.
 
I have used one SnapGear 575 and a 550 to create an IPSEC VLAN; it worked like a charm. I then created an IPSEC connection between the two DCs for Exchange reasons. Works like a charm, plus getting past two IPSEC encryption tunnels is pretty well much impossible. Smoothwall, the full version, the one you pay for, is a really good option as well, but it's an expensive solution and I wouldn't recommend it for anything that has less than 200 clients.
 
My first major concern with this is someone was able to dig up a cable run on your property. I would start by trying to limit an attacker's ability to gain access to physical equipment. I also like the concrete-encased PVC run idea.

As for Linux solutions in the enterprise... I would say that they are a good solution but require someone with advanced experience and knowledge in that area. A security product is only as good as its configuration/implementation. You won't find me deploying Linux in the field because I lack the knowledge to support it well enough to replace a Cisco/Checkpoint.
 