The first, and easiest, way to protect a LAN is to put it in a separate subnet behind its own gateway router or firewall. This segregates the LAN from other networks, and because every path into it then passes through that gateway, the hubs, switches and routers leading into the LAN are easier to tune and control.
The next simplest step, at least for a Windows network, is to shut off port 139 on the gateway router. This prevents a malicious user from trying to map a drive to the LAN. Similarly, turn off NetBIOS over TCP/IP on the workstations within the LAN. This prevents some bad guy outside the LAN from trying to map a drive directly to a workstation inside it by using the computer's NetBIOS name over a TCP/IP connection.
Each workstation can also be configured to accept traffic only from specific IP addresses. Every LAN has a range of internal IP addresses assigned by whoever set up the LAN, and the IP filtering feature can be set to accept traffic only from those addresses. But might that block Internet access? Not necessarily. If the LAN reaches the Internet through the gateway, and the gateway's IP is within the accepted range, the LAN will still be able to connect to the Internet. It does so more safely, because each workstation accepts traffic only from the approved gateway and never from Internet hosts directly.
And, of course, tune your firewalls, both at the gateway and on the individual hosts, to accept only the TCP ports and protocols that are actually needed. If FTP or Telnet isn't needed, filter them out.
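The workstation-side steps above (turn off NetBIOS over TCP/IP, accept SMB only from the LAN's own address range, filter out FTP and Telnet, and keep inbound traffic default-deny) as one PowerShell script. This is an added example, not code from the original article, and it uses the cmdlets of current Windows rather than the older TCP/IP filtering dialog the article refers to: that per-address filtering is expressed here as the RemoteAddress scope of a firewall rule. Two things it assumes or adds: the LAN range 192.168.10.0/24 is a placeholder to be replaced with your own, and alongside the article's TCP 139 the script also covers TCP 445, the port on which Windows has served SMB directly since Windows 2000. Run it without -Apply to audit the current state; add -Apply (from an elevated prompt) to make the changes.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article. Audits and optionally applies
# the article's workstation steps on current Windows (PowerShell 5.1+, the
# NetSecurity and CIM cmdlets). The LAN range below is a placeholder; the rule
# names are this script's own.
param(
    [string]$LanSubnet = '192.168.10.0/24',  # assumed LAN range (placeholder)
    [switch]$Apply                           # without -Apply, report only
)

function Ensure-Rule {
    # Create an inbound firewall rule once; just report it if it already exists.
    param([string]$Name, [hashtable]$Spec)
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "rule present : $Name"; return }
    if (-not $Apply) { Write-Host "rule missing : $Name (use -Apply to create)"; return }
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Enabled True @Spec | Out-Null
    Write-Host "rule created : $Name"
}

# 1. NetBIOS over TCP/IP on every IP-enabled adapter (the article: turn it off).
#    TcpipNetbiosOptions: 0 = follow the DHCP setting, 1 = enabled, 2 = disabled.
$nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $state = @{ 0 = 'default (DHCP)'; 1 = 'enabled'; 2 = 'disabled' }[[int]$nic.TcpipNetbiosOptions]
    Write-Host ("NetBIOS over TCP/IP on '{0}': {1}" -f $nic.Description, $state)
    if ($Apply -and $nic.TcpipNetbiosOptions -ne 2) {
        $r = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                 -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        Write-Host ("  SetTcpipNetbios returned {0} (0 = done, 1 = done but reboot needed)" -f $r.ReturnValue)
    }
}

# 2. Default-deny inbound on every profile, so only explicitly allowed traffic gets in.
foreach ($p in Get-NetFirewallProfile) {
    Write-Host ("profile {0}: enabled={1}, default inbound={2}" -f $p.Name, $p.Enabled, $p.DefaultInboundAction)
}
if ($Apply) {
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
}

# 3. SMB / NetBIOS session service (TCP 139, plus TCP 445 on modern Windows):
#    reachable only from the LAN range on Domain/Private networks, never on Public.
#    Windows evaluates Block rules before Allow rules, so the Public block always wins there.
Ensure-Rule 'LAN hardening: SMB from LAN only' @{
    Protocol = 'TCP'; LocalPort = @('139', '445'); RemoteAddress = $LanSubnet
    Profile = 'Domain,Private'; Action = 'Allow'
}
Ensure-Rule 'LAN hardening: no SMB on public networks' @{
    Protocol = 'TCP'; LocalPort = @('139', '445'); Profile = 'Public'; Action = 'Block'
}

# 4. Services the article singles out as usually unneeded: FTP (21) and Telnet (23).
Ensure-Rule 'LAN hardening: block FTP and Telnet' @{
    Protocol = 'TCP'; LocalPort = @('21', '23'); Action = 'Block'
}

# 5. Show what is still listening, so anything else unneeded can be filtered as well.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique |
    Format-Table -AutoSize
```

The allow rule in step 3 is deliberately scoped by RemoteAddress rather than by adding a block for "everything else": Windows Firewall gives Block rules precedence over Allow rules regardless of creation order, so a blanket SMB block would also defeat the LAN-only allow. With the profile default set to Block, any source outside the LAN range simply matches no allow rule and is dropped, which is the article's "accept only from the LAN's own addresses" behaviour. The listening-port table at the end is the host-side counterpart of the article's last paragraph: whatever shows up there and is not needed is the next candidate for a block rule.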
This was first published in November 2005