Security – Encrypt LAN and wifi traffic on small private network

Tags: ipsec, local-area-network, networking, router, security

I need some advice about encrypting all traffic on a small private network running Wi-Fi and LAN traffic on the 192.168.0.x network. The network would comprise client laptops connecting to the Wi-Fi router (192.168.0.254) via an Ethernet connection or wirelessly. The main purpose of the server is for the client laptops to talk to two servers on different IPs (192.168.0.200 and 192.168.0.201) on ports 80 and 433.

My main concern is packet sniffers and whatnot getting access to the data.

The only ways I see at the moment are to have a VPN running on the network or to use IPsec policies to do this.

Any other ways guys?

Best Answer

"The only ways I see at the moment are to have a VPN running on the network or to use IPsec policies to do this."

IPsec is the network-layer encryption designed specifically to cover this case (among others).

If you do not want to mess with it because of the complexity and cannot use HTTPS throughout for some reason, you might consider relying on your network equipment's isolation features. WPA2-Enterprise encrypts client-to-AP traffic and, unlike WPA-PSK, is not susceptible to man-in-the-middle attacks based on a secret shared among all users. Managed switches allow either locking down the MAC forwarding database or using authenticated connections (802.1X) with a MAC address lockdown, so MAC spoofing attacks that would allow authenticated users to sniff other users' data are mitigated. This would not protect your users from a direct tap on layer 1, though (e.g. a hub or a wiretap device installed somewhere between the switch port and the user's laptop Ethernet jack).
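As an added illustration of the IPsec route the answer recommends (this is editor-supplied example configuration, not part of the question or answer), here is a strongSwan swanctl.conf connection for a client laptop that forces ESP in transport mode for TCP traffic to one of the two servers; the ports are taken as 80 and 443, reading the question's "433" as HTTPS. The host names, certificate file names and identities (laptop01.crt, laptop01.lan.example, web-a.lan.example) are assumptions; strongSwan, IKEv2 and a small private CA for the LAN are also assumed.

```conf
# Client laptop: /etc/swanctl/swanctl.conf (assumed: strongSwan, IKEv2).
# Transport mode keeps the 192.168.0.x addresses, so router and switches need
# no change; only the TCP payload to the server is wrapped in ESP.
# Certificate auth rather than a LAN-wide PSK: a compromised laptop cannot
# decrypt or impersonate the others (the same weakness the answer notes for
# WPA-PSK). Assumed files: laptop01.crt in x509/, its key in private/,
# the LAN CA certificate in x509ca/. Identities below are assumed names.
connections {
    web-a {
        version      = 2
        local_addrs  = %any
        remote_addrs = 192.168.0.200
        proposals    = aes256-sha256-x25519
        local {
            auth  = pubkey
            certs = laptop01.crt
            id    = laptop01.lan.example
        }
        remote {
            auth = pubkey
            id   = web-a.lan.example
        }
        children {
            web {
                mode          = transport
                local_ts      = dynamic[tcp]
                remote_ts     = dynamic[tcp/80], dynamic[tcp/443]
                esp_proposals = aes256gcm16-x25519
                # trap: the kernel policy is installed when the config loads,
                # IKE starts on the first matching packet, and packets to these
                # ports are dropped until the SA is up rather than sent in clear.
                start_action  = trap
                dpd_action    = restart
            }
        }
    }
    # web-b: identical block with remote_addrs = 192.168.0.201
    # and remote id = web-b.lan.example (assumed name).
}
```

Each server carries the mirror-image connection (remote_addrs = 192.168.0.0/24, local_ts = dynamic[tcp/80], dynamic[tcp/443], remote_ts = dynamic[tcp], also with start_action = trap) so that a server never answers on those ports outside an SA. After `swanctl --load-all`, `swanctl --list-sas` on a laptop shows an ESP SA per server once a browser has connected, and a capture on the wire shows only ESP (IP protocol 50) toward .200/.201, which is the check that the policy actually covers everything.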
