
How to secure your LAN (Local Area Network)

Updated: Jul 11, 2024

How to Secure Your Local Area Network

In my last blog series we reviewed ways to protect the perimeter of your network, and then we took it one layer deeper and discussed securing the DMZ. Now I’d like to examine the ways you can secure the Local Area Network, aka LAN, also known as the soft underbelly of the beast. Okay, I made that last part up, but that’s what it should be called. The LAN has become the focus of attack over the past couple of years, due to companies tightening up their perimeter and DMZ. It’s very rare that you’ll see an attacker come right at you these days, when they can trick an unwitting user into clicking a weaponized link about “Cat Videos” (Seriously, who doesn’t like cat videos?!). With this being said, let’s talk about a few ways we can protect our soft underbelly and secure our network.


For the first part of this blog series, let’s examine how to secure the LAN at the network layer.


LAN and the Network Layer

At the network layer, there is always something that can be adjusted to tighten the posture of your LAN. The network is the highway the data travels on. We need protection on the interstate just as we need protection on our network. Protecting how users connect to the Internet and other systems is an important topic. We could create an entire series of blogs on just this topic, but let’s try to condense it a little here.


  • Verify that your network is segmented – it better be if you read my last article on the DMZ – but we also need to make sure nothing from the DMZ is relying on internal services. This is a rule. Take those dependencies out now and thank us later. If this is happening, you are just asking for some major compliance and security issues to crop up.

  • Continuing with segmentation, make sure there’s a guest network that vendors can attach to if needed. I hate when I go to a client/vendor’s site and they ask me to plug into their network. What if I was evil? What if I had malware on my laptop that’s now ripping throughout your network because I was dumb enough to click a link to a “Cat Video”? If people aren’t part of your company, they shouldn’t be connecting to your internal LAN, plain and simple.

  • Make sure you have egress filtering on your firewall so you aren’t giving users complete access to pillage the Internet from their corporate workstations. By default, users should only have access to ports 80/443; anything else should be an edge case (in most environments). If users need FTP access, there should be a rule that allows them outbound after authorization, but they shouldn’t be allowed to rush the Internet on every port. This stops malware, botnets, etc. that are communicating on random ports. It doesn’t protect everything, since you can tunnel anything out of these ports, but it’s a layer!

  • Set up some type of switch security that’s going to disable a port if there are different or multiple MAC addresses coming from a single port. This stops hubs from being installed in your network and people using multiple workstations. Also, attempt to set up NAC to get a much better understanding of what’s connecting to your network while giving you complete control of those ports and access to resources from the LAN.
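
The segmentation and egress rules from the list above, written as a check you could run over firewall or flow records. This is an added example, not code from the original post; the subnets, the FTP exception and the sample flows are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption: the post names the zones, not the subnets).
ZONES = {
    "lan": ipaddress.ip_network("10.10.0.0/16"),
    "guest": ipaddress.ip_network("10.20.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.50.0/24"),
}
DEFAULT_EGRESS_PORTS = {80, 443}          # default user egress per the post
EGRESS_EXCEPTIONS = {("10.10.4.23", 21)}  # authorized edge case (constructed): one host, FTP

def zone_of(addr):
    """Map an address to a zone name; anything unlisted is the Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def check_flow(src, dst, dport):
    """Return a finding name for a policy violation, or None if the flow is allowed."""
    s, d = zone_of(src), zone_of(dst)
    if s == "dmz" and d == "lan":
        return "dmz-depends-on-internal"   # DMZ must not rely on internal services
    if s == "guest" and d == "lan":
        return "guest-reaches-internal"    # visitors stay off the internal LAN
    if s == "lan" and d == "internet":
        allowed = dport in DEFAULT_EGRESS_PORTS or (src, dport) in EGRESS_EXCEPTIONS
        if not allowed:
            return "egress-port-not-allowed"
    return None

def audit(lines):
    """Parse 'src dst dport' records and collect every violation."""
    findings = []
    for line in lines:
        src, dst, dport = line.split()
        result = check_flow(src, dst, int(dport))
        if result:
            findings.append((result, src, dst, int(dport)))
    return findings

# Constructed flow records in "src dst dport" form.
SAMPLE_FLOWS = [
    "10.10.1.15 203.0.113.10 443",   # normal web traffic
    "10.10.1.15 198.51.100.7 6667",  # workstation talking on a random port
    "10.10.4.23 198.51.100.20 21",   # FTP from the authorized host
    "10.10.1.15 198.51.100.20 21",   # FTP from a host with no exception
    "192.168.50.5 10.10.0.53 53",    # DMZ host using an internal service
    "10.20.0.44 10.10.2.8 445",      # guest laptop reaching the LAN
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

As the egress bullet notes, a port check like this says nothing about what is tunneled inside 80/443, so treat a clean result as one layer, not proof of a clean network.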

In our next LAN security-focused blog, we’ll move from the network up the stack to the application layer.

1 comment


Damon Roy
May 20

Hey folks! I started hardening my LAN last month when my smart fridge started rivaling my phone in network chatter. First, I enabled VLAN segmentation to keep IoT devices on a separate network—felt a bit like giving each appliance its own stage instead of crowding them backstage. I also implemented ACL rules on my switches, which reminded me that humans blink around 15–20 times per minute; networks need guards too! For monitoring, I set up simple SNMP traps and got alerts before any weird spikes. Oh, and if you’re researching providers, check out https://breezeline.pissedconsumer.com/review.html for a detailed dive. Happy securing!
