Encrypting absolutely everything, even within the LAN

Has anybody tried that approach already? I'm really considering it: instead of relying on network-based IDS etc., every packet must use encryption which was initiated by a certificate issued by my own CA.

  • Every client gets a unique client certificate
  • Every server gets a unique server certificate
  • Every service additionally requires a login.

Both SSL and SSH would be ok. Access to the internet would be done via an SSL tunnel to the gateway.

Is it feasible? Does it create practical problems? How could it be done and enforced? What do you think?

More details

My goal is to simplify the LAN's security concept - I'm not yet sure if that's a crazy idea! But I feel that securing an HTTPS or SSH server from internet threats (if using mutual authentication) is sometimes easier than monitoring everything that can happen in the wild world of a LAN.

On a non-encrypted LAN, I feel it's really hard to be a good step ahead of a potential attacker, because of threats like:

  • Low level attacks like ARP spoofing, Port stealing, ...
  • WLAN access (e.g. every developer will be allowed to access the SVN server from the (W)LAN - I don't think it will be through a VPN...)

=> For simplicity, isn't it easier to make the assumption that there is always an attacker in the LAN?

=> Could I end up simplifying a (small company's) LAN security concept by treating it like a WAN? Or would I rather complicate it?

IPSec and alternatives

IPSec sounds very promising, but I'd be interested in alternatives to IPSec, too - Using SSL/SSH individually per service and creating an Stunnel to the Gateway? Using Kerberos maybe? ... What are the advantages of IPSec or the others?

If you can help me with getting a better grasp on IPSec, please see my follow-up question specifically on IPSec.
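The scheme the question sketches (one internal CA, a unique certificate per server and per client, and no service at all for a peer that cannot present a certificate chaining to that CA) in working form, as an added example; this is not code from the original post or from any project it mentions. It uses only the Go standard library: it mints the CA and the leaf certificates in memory, starts a mutually authenticated TLS server on the loopback interface and lets three clients try it. The names (lan-internal-ca, svn.lan.internal, alice-laptop, mallory, someone-elses-ca), the 24-hour validity and the use of ECDSA P-256 are assumptions made for the example. It also shows the two failure modes the scheme has to get right: a client with no certificate, and a client whose certificate looks valid but was issued by some other CA, are both refused before a single application byte flows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // the demo cannot continue on an unexpected error
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a key and a certificate for it signed by parent; with parent == nil
// the result is a self-signed root CA. tls.Certificate doubles as the identity type.
func newCert(name string, serial int64, usage x509.ExtKeyUsage, parent *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // the server below is dialled by IP
	}
	if parent == nil { // root CA: signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{PrivateKey: key, Leaf: tmpl}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serve greets each authenticated peer by the name in its certificate; Handshake() is where an unauthenticated one is dropped.
func serve(ln net.Listener) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		go func(tc *tls.Conn) {
			defer tc.Close()
			if tc.Handshake() == nil {
				peer := tc.ConnectionState().PeerCertificates[0]
				fmt.Fprintf(tc, "hello %s\n", peer.Subject.CommonName)
			}
		}(conn.(*tls.Conn))
	}
}

// connect dials addr presenting cred (nil = no certificate). Under TLS 1.3 the server's
// verdict on the client certificate arrives after Dial returns, so a rejection shows on the read.
func connect(addr net.Addr, roots *x509.CertPool, cred *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots}
	if cred != nil {
		cfg.Certificates = []tls.Certificate{*cred}
	}
	conn, err := tls.Dial("tcp", addr.String(), cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	msg, err := io.ReadAll(conn)
	return string(msg), err
}

// runDemo builds the CA and certificates, starts the server and tries three clients.
func runDemo() (greeting string, noCertErr, foreignCAErr error) {
	ca := newCert("lan-internal-ca", 1, x509.ExtKeyUsageAny, nil)
	server := newCert("svn.lan.internal", 2, x509.ExtKeyUsageServerAuth, ca)
	alice := newCert("alice-laptop", 3, x509.ExtKeyUsageClientAuth, ca) // authorised client
	mallory := newCert("mallory", 2, x509.ExtKeyUsageClientAuth, newCert("someone-elses-ca", 1, x509.ExtKeyUsageAny, nil)) // valid-looking cert, wrong CA
	pool := x509.NewCertPool() // the LAN's only trust anchor
	pool.AddCert(ca.Leaf)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{*server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid client certificate, no service
		ClientCAs:    pool,
	}))
	defer ln.Close()
	go serve(ln)
	greeting = must(connect(ln.Addr(), pool, alice))
	_, noCertErr = connect(ln.Addr(), pool, nil)
	_, foreignCAErr = connect(ln.Addr(), pool, mallory)
	return
}

func main() {
	fmt.Println(runDemo())
}
```

The two settings that carry the whole policy are ClientAuth: tls.RequireAndVerifyClientCert together with ClientCAs holding only the internal CA: a certificate from any other issuer, however well-formed, fails chain building on the server. What this example deliberately leaves out is the operational side of running a CA (distributing the root to every host, issuing and rotating per-host certificates, and revoking one when a laptop is lost), and the per-service login the question adds on top; mutual TLS establishes which machine is talking, not which person.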


Solution 1:

I use IPsec here for everything. The reasoning is that most attacks are made by insiders anyway - the bad side/good side thinking is flawed. (If anyone makes off with the servers they can have fun trying to break the full-disk encryption, so no problem there, either.)

It's also fun to use telnet, NIS, NFS and FTP without any worries - feels like the good old days! :-)

Solution 2:

IPSec is the standard for this. It comes in different forms and there is a lot of vocabulary to it.

I recommend this guide to IPSec to get you started.