
This topic is 7725 days old. Please don't post here. Open a new topic instead.


Posted

Has anyone ever heard of or implemented a PGP key on FileMaker files from server to clients on large LANs?

Has anyone done SSL in that scenario? Please share the experience.

Thanks

Posted

Hi Anatoli,

You're probably using VPN on the WAN, correct?

I'm concerned with the LAN. I want to make sure that the data is secure as it travels on our local network, and someone sniffing the wire inside our organization cannot read it.

Posted

Sorry, my mistake, I've interpreted "large LANs" as WAN :(

My bad.

Just thinking -- if you encrypt the data on FM server and client will decipher it, maybe that is the way. In that case the client should have local database, not traveling across the network with keys to decipher the data.

The Server based FM file should be linked to local file via relationship, decipher and encrypt data with locally stored keys.

Just thinking.

Posted

Oh-oh, you lost me. Sorry, I need sleep right about now :)

So, I gather there's no tried-and-true best practice to do this on FileMaker Server? I wasn't sure, but you can't blame a guy for tryin'

Posted

BikeBoy said:

Oh-oh, you lost me. Sorry, I need sleep right about now :)

So, I gather there's no tried-and-true best practice to do this on FileMaker Server? I wasn't sure, but you can't blame a guy for tryin'

Not as far as I know.

Posted

If the server and clients are connected by switches only, rather than hubs, then it is not possible for an eavesdropper to intercept network traffic between the server and another user. Non-FileMaker users could still be on hubs though. So, you may be able to physically configure your network to keep unauthorized users away from server traffic. This isn't a complete fix but it may help a bit. A hacker could still directly connect to the FM server and hack into it.

Posted

BobWeaver said:

If the server and clients are connected by switches only, rather than hubs, then it is not possible for an eavesdropper to intercept network traffic between the server and another user. Non-FileMaker users could still be on hubs though. So, you may be able to physically configure your network to keep unauthorized users away from server traffic. This isn't a complete fix but it may help a bit. A hacker could still directly connect to the FM server and hack into it.

Hi Bob,

Why is it that the data can't be sniffed between switches?

Also, I guess there's always a hacker possibility, but I have a software firewall on the server. In addition, we're behind a corp firewall, which makes me feel safe ;)

Any additional suggestions to improve security?

Thanks

Posted

Suppose that you have 3 computers A, B and C on the network using a hub. When A sends data to B, it is sent through the hub which broadcasts the information to all ports so both B and C get the data. Normally, C will just ignore it, because when it looks at the message header it will see that it is intended for B. However, if C is running a packet sniffer, then it can display all data which is intended for others.

Now, when the same computers are on a switch, and A sends data to B, the switch is smart enough to know which port B is connected to, and sends the data out only on B's port. If C is running a sniffer program, it will not see the data sent from A to B. It will only see data that is intended for C (if any).

Even when you interconnect switches so that the data for several computers is channeled through an uplink port, the switch at the other end will again separate out the data and direct it only to the appropriate port.

The only exception to the above is when the destination address is unknown to the switch, such as when the switch or a new computer first comes online. When that occurs, the switch will broadcast the packet to all ports, and then see which port the response returns on. Then it will remember which port that computer is connected to for all future net traffic. Since this happens only with the first data that is sent (such as a TCP handshake), the chance of broadcasting sensitive data is very low.

Of course, this is secure only if the users cannot gain access to the switches or physically tap into someone else's network connection. So the physical layout is important.
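
The hub-versus-switch behaviour described in the post above, as an added simulation that is not part of the original thread; the hosts, port numbers and payloads are constructed. It models only normal forwarding starting from an empty address table, with no one having access to the switch itself, as the post assumes.

```python
# Added illustration: what a passive listener on C's port receives when
# A and B talk through a hub versus a learning switch.
# Hosts A, B, C, the port numbers and the payloads are constructed sample data.

class Hub:
    """Repeats every frame out of every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]


class LearningSwitch(Hub):
    """Learns source address -> port; floods only when the destination is unknown."""
    def __init__(self, ports):
        super().__init__(ports)
        self.table = {}  # address -> port it was last seen on

    def forward(self, in_port, src, dst):
        self.table[src] = in_port                  # learn where the sender lives
        if dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]
        return super().forward(in_port, src, dst)  # unknown destination: flood


def observed_by(device, frames, listener_port):
    """Return the payloads of all frames the device delivers to listener_port."""
    seen = []
    for in_port, src, dst, payload in frames:
        if listener_port in device.forward(in_port, src, dst):
            seen.append(payload)
    return seen


# Constructed traffic: A on port 1, B on port 2, C (the listener) on port 3.
FRAMES = [
    (1, "A", "B", "A->B SYN"),          # B not learned yet: the switch floods this one
    (2, "B", "A", "B->A SYN-ACK"),      # A is already in the table
    (1, "A", "B", "A->B record data"),
    (2, "B", "A", "B->A record data"),
]

def demo():
    hub_view = observed_by(Hub([1, 2, 3]), FRAMES, 3)
    switch_view = observed_by(LearningSwitch([1, 2, 3]), FRAMES, 3)
    return hub_view, switch_view
```

On the hub, the listener receives all four frames; on the switch it receives only the first, flooded frame, which matches the "first data that is sent" exception in the post.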
