Creating a secure LAN within an insecure LAN

I have multiple computers on an insecure network (with third party, untrusted computers). My computers and the third party computers are all behind the same firewall.

Currently my computers' software firewalls are configured to block all traffic from other computers on the network. Unfortunately this does not allow my computers to talk with each other. I would like to modify the setup in such a way that my computers can communicate securely, but no third party systems can impersonate one of my computers or eavesdrop on the communication between my computers.

The problem:

  1. I cannot modify the firewall that all of the computers are behind
  2. I cannot use static IPs

Can this be done using a VPN or maybe a second hardware firewall? If not, is there some other solution?

I have full administrator access to all of my computers and can add any needed hardware. All of my computers are currently using Windows 7.

HardwareWoahs

Posted 2011-06-19T03:39:50.330

Reputation: 33

Answers

3

VPN sounds like the right solution to your issue; make sure to select one that does not depend on static IPs (the technology should not depend on static IPs, but rather on installed certificates, but since static IPs are simpler to configure, it can't be assumed that a given VPN does not depend on them).

A second F/W or other routing based solutions would be a difficult proposition because of the static IP issue.

Ofir

Posted 2011-06-19T03:39:50.330

Reputation: 1 434

How would the firewalls be configured on the clients? Assuming I use OpenVPN and certificate-based authentication, would it be as simple as instructing the server's firewall to allow OpenVPN to accept connections or would there be more advanced configuration requirements? – HardwareWoahs – 2011-06-19T06:16:25.990

@HardwareWoahs: It would be enough. – user1686 – 2011-06-19T08:32:48.307

I will be accepting this solution and will use a third party service to coordinate the VPN server's internal IP address with the clients. Thanks! – HardwareWoahs – 2011-06-19T15:28:08.777
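As an added illustration of the certificate-based OpenVPN setup discussed in the comments (example configuration, not from any of the posters): the server authenticates clients by certificate, clients verify the server certificate, and the `tls-auth` HMAC key stops hosts without the key from even beginning a handshake. File names, the 10.8.0.0/24 tunnel subnet and the server hostname are assumed placeholders.

```conf
# --- server.conf (assumed name) on the machine that accepts connections ---
port 1194
proto udp
dev tun
ca ca.crt                 # CA that issued every trusted machine's certificate
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0         # shared HMAC key: unauthenticated packets are dropped early
crl-verify crl.pem        # lets you revoke a machine's certificate if it is lost
server 10.8.0.0 255.255.255.0   # assumed tunnel subnet for the trusted group
client-to-client          # trusted machines may reach each other through the tunnel
remote-cert-tls client    # only certificates issued for client use are accepted
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
verb 3

# --- client1.ovpn (assumed name) on each other trusted machine ---
client
dev tun
proto udp
remote vpn-server.example.internal 1194   # hostname updated by the coordination service, not a static IP
nobind
ca ca.crt
cert client1.crt          # one certificate per machine, issued by the same CA
key client1.key
tls-auth ta.key 1
remote-cert-tls server    # rejects a peer presenting a client certificate as the server
cipher AES-256-CBC
persist-key
persist-tun
verb 3

# --- Windows 7 firewall (run as administrator); keep the existing block-all posture ---
# Server only: accept OpenVPN handshakes on UDP 1194.
#   netsh advfirewall firewall add rule name="OpenVPN" dir=in action=allow protocol=UDP localport=1194
# Every trusted machine: allow inbound traffic only from the tunnel subnet.
#   netsh advfirewall firewall add rule name="VPN peers" dir=in action=allow remoteip=10.8.0.0/24
```

With this layout the LAN still sees every machine as closed; untrusted hosts can reach nothing but the HMAC-protected UDP port on the server.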

2

I am interpreting your question in my answer here (rather than editing its statements).
This way, if I am misinterpreting, you can help fix it with comments (and I'll update my answer).

  1. You have admin rights to a group of computers (refer to them as group 'X')
  2. These are behind an Internet-facing firewall
  3. However, there are other computers here that you refer to as 3rd party (call them group 'Y')
  4. You do not have useful access on group Y machines
  5. You want to secure group X machine communications

Your requirement looks like a typical service environment taking contract work from different sources, with the need to partition all activities across the sources. So, each contract-related set of machines would see all other machines as 3rd party. However, you have trouble doing this partition physically -- probably because of the dynamic nature of the contract work; it would imply frequent changes in the setup.

You might also be in a leased environment with other people sharing a common perimeter security.

Another analogy is a defence network.

You could look for MACsec-based solutions that will secure your network communications.
These will be deployed only on your (group X) machines -- the rest of your internal network will be transparent to this. However, you will need some way to communicate with devices outside your group X. This could be some gateway device or a way to communicate without MACsec from these machines.

nik

Posted 2011-06-19T03:39:50.330

Reputation: 50 788

You have interpreted the question correctly. I will likely explore the VPN solution because it seems as if it would involve less setup. MACsec seems like a good standardized solution if I had a larger or more dynamic trusted group. – HardwareWoahs – 2011-06-19T15:23:03.987

@HardwareWoahs, correct approach. – nik – 2011-06-20T04:27:42.260

0

One possible solution built into Windows is IPsec, which supports authentication with X.509 certificates, pre-shared keys, or Kerberos.

user1686

Posted 2011-06-19T03:39:50.330

Reputation: 283 655