What steps should I take to use filters to protect a LAN from unauthorized access?
The first, and easiest, way to protect a LAN is to put it in a separate subnet behind its own gateway router or firewall. This segregates the LAN from other networks and makes it easier to tune any gateways into it through hubs, switches or routers.
The next simplest step, at least for a Windows network, is to shut off port 139 on the gateway router. This prevents a malicious user from trying to map a drive to the LAN. Similarly, turn off NetBIOS over TCP/IP on the workstations within the LAN. This prevents some bad guy outside the LAN from trying to map a drive directly to a workstation inside it by using the computer's NetBIOS name over a TCP/IP connection.
Each workstation can also be configured to accept traffic only from specific IP addresses. Every LAN has a range of internal IP addresses assigned by whoever set up the LAN. The IP filtering feature can be set to accept traffic only from those IP addresses. But might that block Internet access? Not necessarily. If the LAN accesses the Internet through the gateway, whose IP is in the network's range of accepted IP addresses, then the LAN will still be able to connect to the Internet. But it will do so securely, since it's accepting traffic only from the accepted gateway and not from the Internet directly.
And, of course, tune your firewalls, both at the gateway and on the individual hosts, to only accept needed TCP protocols. If FTP or Telnet isn't needed, filter them out.
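The workstation-side steps above (NetBIOS over TCP/IP off, inbound traffic accepted only from the LAN's own address range, only needed TCP services open), written out for Windows Defender Firewall as an added example that is not part of the original answer. The LAN range 192.168.10.0/24 and the choice of RDP (TCP 3389) as the one needed service are constructed sample values.

```powershell
# Added example: host-side filtering for one Windows workstation.
# Run from an elevated PowerShell session.
# Assumptions (constructed, not from the original answer):
$LanRange  = '192.168.10.0/24'   # the LAN's internal address range
$NeededTcp = 3389                # the only inbound TCP service LAN peers need

# 1. Turn off NetBIOS over TCP/IP on every IP-enabled adapter.
#    SetTcpipNetbios values: 0 = follow DHCP, 1 = enable, 2 = disable.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                 -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        '{0}: SetTcpipNetbios returned {1}' -f $_.Description, $r.ReturnValue
    }

# 2. Drop any inbound connection that no rule explicitly allows.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 3. Accept the needed service, and only from addresses inside the LAN range.
New-NetFirewallRule -DisplayName 'LAN only: needed TCP service' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $NeededTcp -RemoteAddress $LanRange

# 4. Explicitly block TCP 139. A block rule takes precedence over allow
#    rules, so a leftover file-sharing allow rule cannot reopen the port.
New-NetFirewallRule -DisplayName 'Block NetBIOS session (TCP 139)' `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 139

# 5. Review: list enabled inbound allow rules that still accept any
#    remote address, since those bypass the LAN-range restriction.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile
```

Rules returned by step 5 are candidates for disabling or for rescoping to the LAN range; the port 139 block at the gateway router is configured separately on that device.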
Related Q&A from Joel Dubin