What if we treated our local networks with the same suspicion as the public internet? The idea of encrypting all intra-LAN communication using certificate-based authentication presents an intriguing paradigm shift. Let's examine a practical implementation using OpenSSL and Python:
# Generate CA certificate (one-time setup)
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout ca.key -out ca.crt -subj "/CN=MyCompanyCA"
# Generate server certificate
openssl req -newkey rsa:2048 -nodes -keyout server.key \
-out server.csr -subj "/CN=svn.mycompany.local"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out server.crt -days 365 -sha256
When considering encryption for all LAN traffic, we have several architectural choices:
- IPSec: Kernel-level encryption with policies
- TLS Everywhere: Service-specific implementation
- SSH Tunneling: For point-to-point secure channels
Here's how to enforce TLS for a Python web service:
from flask import Flask
import ssl
app = Flask(__name__)
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.load_cert_chain('server.crt', 'server.key')
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations('ca.crt')
@app.route('/')
def hello():
return "This connection is securely authenticated"
if __name__ == '__main__':
app.run(host='0.0.0.0', port=443, ssl_context=context)
The encryption overhead varies significantly based on implementation. Benchmarks on a 10Gbps LAN show:
| Method | Throughput | CPU Utilization |
|---|---|---|
| Plaintext | 9.8 Gbps | 5% |
| AES-NI IPSec | 8.2 Gbps | 35% |
| TLS 1.3 | 7.5 Gbps | 45% |
For maintainability, consider using HashiCorp Vault for dynamic certificate issuance:
# Vault PKI configuration
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
vault write pki/root/generate/internal \
common_name=mycompany.internal \
ttl=87600h
# Issue a certificate
vault write pki/issue/internal \
common_name=dev-laptop42.mycompany.internal \
ttl=24h
Real-world implementation reveals several pain points:
- Legacy devices without TLS support
- Multicast/broadcast traffic encryption
- Certificate revocation handling
For network devices, consider using MACsec (IEEE 802.1AE) as a fallback:
# Linux MACsec configuration
ip link add macsec0 link eth0 type macsec
ip macsec add macsec0 tx sa 0 pn 1 on key 01 12345678901234567890123456789012
ip macsec add macsec0 rx port 1 address c6:19:52:8f:e3:13
ip macsec add macsec0 rx port 1 address c6:19:52:8f:e3:13 sa 0 pn 1 on \
key 02 09876543210987654321098765432109
ip link set macsec0 up
Traditional LAN security often relies on perimeter defenses like firewalls and network-based IDS. However, insider threats and lateral movement attacks make this model risky. By implementing mandatory encryption for all traffic - even internal communications - we create a zero-trust environment where:
- Each device authenticates using unique certificates
- All services require mutual authentication
- Network-level attacks become practically useless
First, establish your own Certificate Authority (CA) using OpenSSL:
# Create root CA openssl genrsa -out rootCA.key 4096 openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt # Generate server certificate openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256
For web services, configure mandatory HTTPS with client certificate verification in Nginx:
server {
listen 443 ssl;
ssl_certificate /path/to/server.crt;
ssl_certificate_key /path/to/server.key;
ssl_client_certificate /path/to/rootCA.crt;
ssl_verify_client on;
# Rest of configuration
}
Replace password authentication with certificate-based SSH:
# On CA server ssh-keygen -s rootCA.key -I host_id -h -n hostname /etc/ssh/ssh_host_rsa_key.pub # In sshd_config HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub TrustedUserCAKeys /etc/ssh/rootCA.pub
While IPSec provides network-layer encryption, it can be complex to manage. Consider these alternatives:
| Solution | Layer | Pros | Cons |
|---|---|---|---|
| IPSec | Network | Transparent to apps | Complex configuration |
| SSL/TLS | Application | Service-specific control | Per-service setup |
| SSH Tunnels | Transport | Flexible port forwarding | Manual tunneling |
| WireGuard | Network | Modern crypto | New technology |
Expect these operational considerations:
- Certificate revocation requires OCSP stapling implementation
- Legacy devices may need compatibility layers
- Debugging encrypted traffic requires careful logging
Use iptables to block all non-encrypted traffic:
# Allow established encrypted connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Block plaintext HTTP iptables -A INPUT -p tcp --dport 80 -j DROP # Allow only encrypted protocols iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT