Security differences between a LAN and WAN
Generally, what kind of security needs to be considered in a network
management environment? What's the difference between security in a LAN and
The primary difference between a Local Area Network (LAN) and
a Wide Area Network (WAN), besides the technology used, is that generally
you have control of all the resources for a LAN, but not for a WAN.
For example, for a single company LAN (not connected to another LAN or
to the Internet), that company can provide physical security for the entire
LAN and all the connected computers. They can provide background checks for
all the people that have access to all of the equipment. They can establish
security policies and procedures that can be enforced on all the equipment.
All of the threats to the system come from within (assuming adequate
As soon as the LAN is connected to another LAN or the Internet and becomes
a WAN, all of that changes. The company does not know what physical
protections have been made to the rest of the WAN, only its small portion. In the case of an Internet connection, they have no idea who might try to access their LAN. The entire threat model changes. Not that any of the threats from the LAN-only environment have gone away, but many more have been added. One can think of the threat profile for a LAN as being a subset of the threat profile for a WAN.
This threat profile is what helps to decide what security measures are
appropriate. In terms of network management, within a self-contained LAN, there probably is no need to have network management protocols encrypted, or special
authentication done for those protocols (unless you are worried that insiders may attempt to "manage" your network for you). On the other hand, you probably do not want your network management protocols to traverse the
Internet without protection. Nor do you want your computers on a remote segment to respond to network management requests that are not authenticated.
So, as with any computer system or network, the first steps are to identify
what the threats to your system or network are and what needs to be protected. Then you can go about devising ways to provide the required protection.
This was first published in October 2001