What steps should I take to use filters to protect a LAN from unauthorized access?
The first, and easiest, way to protect a LAN is to put it in a separate subnet behind its own gateway router or firewall. This segregates the LAN from other networks and makes it easier to tune any gateways into it through hubs, switches or routers.
The next simplest step, at least for a Windows network, is to shut off port 139 on the gateway router. This prevents a malicious user from trying to map a drive to the LAN. Similarly, turn off NetBIOS over TCP/IP on the workstations within the LAN. This prevents some bad guy from trying to directly map a drive to the workstations inside the LAN by using the NetBIOS name of the computer over a TCP/IP connection from outside the LAN.
Each workstation can also be configured to only accept traffic from specific IP addresses. Every LAN has a range of internal IP addresses assigned by whoever set up the LAN. The IP filtering feature can be set to only accept traffic from those IP addresses. But might that block Internet access? Not necessarily. If the LAN accesses the Internet through the gateway, whose IP is in the network's range of accepted IP addresses, then the LAN will still be able to connect to the Internet. But it will do so securely since it's only accepting the traffic from the accepted gateway and not the Internet directly.
And, of course, tune your firewalls, both at the gateway and on the individual hosts, to accept only the TCP-based protocols that are needed. If FTP or Telnet isn't needed, filter it out.
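The layered filters described above can be modeled and checked before they are configured on real devices. The following Python sketch is an added example, not part of the original answer: it evaluates inbound connection attempts against a gateway rule (port 139 blocked) and a host rule (source inside the LAN range, needed ports only). The subnet, the gateway address 192.168.10.1, the allowed ports and the sample packets are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for illustration; substitute your own addressing plan.
LAN_NET = ipaddress.ip_network("192.168.10.0/24")  # internal range assigned to the LAN
GATEWAY_BLOCKED_PORTS = {139}                      # port shut off at the gateway
HOST_ALLOWED_TCP_PORTS = {80, 443}                 # assumed "needed" services; no FTP (21) or Telnet (23)

@dataclass(frozen=True)
class Packet:
    src: str            # source IP address as seen by the filter
    dst_port: int       # destination TCP port on the workstation
    from_outside: bool  # True if the packet has to cross the gateway

def gateway_filter(pkt):
    """Gateway rule: drop traffic aimed at blocked ports."""
    return pkt.dst_port not in GATEWAY_BLOCKED_PORTS

def host_filter(pkt):
    """Host rules: source must be in the LAN range and the port must be needed."""
    src_ok = ipaddress.ip_address(pkt.src) in LAN_NET
    return src_ok and pkt.dst_port in HOST_ALLOWED_TCP_PORTS

def verdict(pkt):
    """Return the layer that stops the packet, or 'accept'."""
    if pkt.from_outside and not gateway_filter(pkt):
        return "drop@gateway"
    if not host_filter(pkt):
        return "drop@host"
    return "accept"

# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SAMPLES = {
    "outside drive-mapping attempt": Packet("203.0.113.7", 139, True),
    "outside host that got past the gateway": Packet("203.0.113.7", 443, True),
    "LAN peer to needed service": Packet("192.168.10.25", 443, False),
    "LAN peer to Telnet": Packet("192.168.10.25", 23, False),
    "gateway itself to needed service": Packet("192.168.10.1", 443, False),
}

def audit():
    """Evaluate every sample and return {description: verdict}."""
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{result:13} {name}")
```
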