rated 0 times / answers: 1 / hits: 566 / asked Sat, January 29, 2022, 1:42:31

There are a lot of clients inside a LAN. The server is trusted, the clients are not.



It has to be ensured that other clients cannot spoof another client's or the server's LAN IP address.



I want to avoid bothering with something like OpenVPN or IPsec, because encryption is not required (LAN) and those solutions are overkill and complicated to learn.



Are there any simple alternatives?



 Answers
2

Due to the basic design of Ethernet you cannot protect clients in the same broadcast domain from spoofing each other. Even though the switch that they are connected to will learn MAC address to port mappings and try to only send traffic to the correct port, there are tricks that can be pulled to spoof another station's MAC address and get their traffic. Look up tools like Ettercap.



Therefore, you need to build your security model around segregating things that absolutely must not spoof each other into different VLANs. So for example you might put everything that only has admin access in one or more VLANs and put everything that has untrusted users into one or more other VLANs.



Inside each VLAN, traffic that absolutely must not be impersonated/sniffed by other stations in the same VLAN must use encryption at the transport layer.


[#37173] Sunday, January 30, 2022, 2 Years  [reply] [flag answer]
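The answer above explains why spoofing inside one broadcast domain cannot be prevented at the Ethernet layer, only contained (VLANs) or made harmless (transport-layer encryption). What a defender can still do within a VLAN is notice it: the block below is an added example, not code from the question or the answer, of a small arpwatch-style monitor. It keeps an IP-to-MAC table built from observed ARP replies, flags any reply that rebinds an IP to a different MAC, and pins the trusted server's IP to a known MAC so that any claim of that IP from another station is alerted on immediately. All addresses and the ARP records are constructed sample data, and the record shape (timestamp, sender IP, sender MAC) is an assumption; a real deployment would feed it from a packet capture.

```python
"""Added example (not from the original post): an arpwatch-style monitor
that flags IP-to-MAC rebinding and conflicts with pinned server entries.
Detection only: it does not stop the spoof, which is the point of the
answer above (segregate with VLANs, encrypt what must not be impersonated)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the trusted server is 10.0.0.10 with a pinned MAC.
# These addresses are hypothetical values chosen for the example.
PINNED = {"10.0.0.10": "aa:bb:cc:00:00:10"}

# Constructed ARP reply records: (timestamp, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    ("12:00:01", "10.0.0.10", "aa:bb:cc:00:00:10"),  # legitimate server reply
    ("12:00:02", "10.0.0.21", "aa:bb:cc:00:00:21"),  # client 21 announces itself
    ("12:00:03", "10.0.0.22", "aa:bb:cc:00:00:22"),  # client 22 announces itself
    ("12:00:09", "10.0.0.10", "aa:bb:cc:00:00:22"),  # client 22 claims the server IP
    ("12:00:10", "10.0.0.21", "aa:bb:cc:00:00:22"),  # client 22 claims client 21's IP
    ("12:00:11", "10.0.0.22", "aa:bb:cc:00:00:22"),  # unchanged binding, benign
]


@dataclass
class ArpMonitor:
    """Tracks observed IP-to-MAC bindings and records alerts on conflicts."""

    pinned: dict[str, str]                       # IPs whose MAC must never change
    seen: dict[str, str] = field(default_factory=dict)
    alerts: list[str] = field(default_factory=list)

    def observe(self, ts: str, ip: str, mac: str) -> bool:
        """Record one ARP reply. Returns True if it is consistent with
        what was seen before, False if an alert was raised."""
        mac = mac.lower()
        # A pinned IP (e.g. the trusted server) may only ever come from one MAC.
        if ip in self.pinned and mac != self.pinned[ip]:
            self.alerts.append(
                f"{ts} PINNED-CONFLICT {ip} expected {self.pinned[ip]} got {mac}"
            )
            return False
        prev = self.seen.get(ip)
        # Any other IP that suddenly answers from a new MAC is a "flip",
        # the classic arpwatch signal for ARP spoofing in the same VLAN.
        if prev is not None and prev != mac:
            self.alerts.append(f"{ts} FLIP {ip} {prev} -> {mac}")
            self.seen[ip] = mac  # follow the new claimant so repeated flips stay visible
            return False
        self.seen.setdefault(ip, mac)
        return True


def run_monitor(records, pinned: dict[str, str] = PINNED) -> list[str]:
    """Replay a sequence of ARP reply records and return the alerts raised."""
    monitor = ArpMonitor(dict(pinned))
    for ts, ip, mac in records:
        monitor.observe(ts, ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for line in run_monitor(SAMPLE_ARP_REPLIES):
        print(line)
```

On the constructed sample this raises two alerts: a pinned conflict when client 22 claims the server's IP, and a flip when it then claims client 21's IP. The pinned table is checked before the learned table so that the server's binding is never silently "learned" from a spoofed reply; everything else is learned on first sight, which is exactly the weakness the answer describes, and why the monitor is a complement to VLAN segregation and encryption rather than a substitute.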
piscen