It’s so amazing the things that you can do with access to the Internet, right? Even without actual Internet access, having the ability to share resources within your Local Area Network (LAN) is awesome! We can share files via storage sharing; we can have a voice server to make calls internally to each other; we can have a web server that gives us our own internally accessible web pages. To provide Internet access for all, we need these LANs built, even in remote areas. So how do we build out these LANs in a remote area? Without access to all the tools and applications that you may see in a typical LAN environment, how do we provide all the features that are desired while simultaneously providing security? I’ll go through some of the options for effectively establishing a LAN in a remote environment so that we can be one step closer to the Internet for all.
A LAN is a local network; it says so in the name. It’s the network that you own. It may consist of various network devices connected together providing local services, as well as user devices like computers and phones. It is what connects everything in your network together. Typically, at least in IPv4 addressing, a LAN uses private addressing schemes for its IP addresses. These are non-Internet-routable addresses that cannot face the Internet. Instead, they usually have some sort of Network Address Translation (NAT) system that allows your devices within the LAN to still communicate with the external resources. More about this later.
Every organization has its own set of requirements, which may vary based on the environment, the services provided, and the host location and country. These requirements are typically centered around security, availability, features, and ease of use. Thinking about it from those four categories, these are the factors that users will want in their IT adventures, even in a remote environment.
Now, let’s talk about security for a moment. Securing our networks is a must. Thousands of attacks occur every single day; some successful, most not. The fact of the matter is, without a sincere focus on security in a network, the attacks will be successful. Security as a requirement could include different aspects such as physical security (protecting your assets from theft, protecting service providing equipment from access), logical access control, as well as other security measures such as antivirus software, firewalls, etc. Logical access control is one of the big ones here, as most attacks occur in a logical manner. Within this category, we will want to keep the intruders out, only give access to what the users need, and ensure that we have some sort of mitigation system in place to help remediate threats.
Have you ever had your Internet connection go out? Super frustrating, right? Having the Internet available is something that is a very high priority for many people these days. We are powered by our connectivity so much that sometimes, without it, we feel lost. In a remote area, it isn’t very different. The users that we are providing services to don’t know what being so connected feels like; they need to see a little bit of the connected life. This isn’t just for the Internet either. Any network services, such as the storage and file sharing provided, would be included in this. Having a highly available network, even in remote areas with a lack of resources, is a must. This can be done by having multiple uplink types, as discussed in my previous guide Understanding WAN Network Types in Remote Areas. Also, multiple links or ways of accessing local resources like a call manager or file storage would be great. Many of these resources can have redundancy built in.
Who here buys the newest gear, just because it has some cool feature that you’ve always wanted? When establishing a new LAN somewhere, the features are what you need to think about. Not only do the features that you provide impact the structure and configuration of the network, but there are security implications that need to be considered as well. Are you providing voice services? File sharing? Media streaming? Or is it just access to the Internet? Will it be wired or wireless? I’d suggest, at a minimum depending on your resources, some sort of small sized call manager, an authentication resource for user management, as well as wireless access for mobility. Who doesn’t like to be mobile? Of course, a lot of this depends on your needs. If Internet access is all you need, then that’s what should be provided. But if other services are needed, or desired, then the list can get fairly long for features in your LAN.
Ease of use is something that may be a requirement in a network. This is because a typical user in an environment most likely is not an IT professional and may not know how to troubleshoot the many different things that could go wrong. Most users like the ability to “plug and play” when getting their tech on. Having an easy to use system in place helps this and allows you to create a friendly environment for the users to come into. In a remote area, it would be expected that the users wouldn’t typically have much experience with the Internet and technology (this is why we want to bring it to them!). So, making it as easy and headache-free as possible is a necessity. One suggestion would be to automate the onboarding process for new devices. Have a standard image for a workstation, make the user accounts standardized, and make the process of connecting to the network more streamlined. Balancing security and ease of use is a tough act. Another suggestion for ease of use is to give user training. Give (or record) a short class on basic connectivity, user accounts, and the basic “how to” for the environment with whatever devices the users will be connecting with.
Talking about those requirements that were mentioned above, they are really easy to implement in a normal environment. There are applications, appliances, and tools that we can use or purchase to help us with this. But in an environment where resources and capabilities are limited, we need to figure out alternatives. We can’t set up an entire security suite with separate firewalls, border routers, behavior analytics, and antivirus suites. It’s just not feasible. We may not be able to have a redundant WAN link or backup phones for calling. We may need to improvise on the file sharing and media streaming, such as using a cloud provider if the resources are not onsite. The restrictions brought upon us when trying to set up a feature-rich network in a remote area might be difficult to overcome.
Knowledge is one of these restrictions as well. Troubleshooting and evolving the network as needed would be difficult without trained personnel. There are plenty of resources out there on the Internet for free education in the IT realm. Pluralsight is also a great resource for this, especially if you’re in charge of administering the network. Power is a restriction, as mentioned in my WAN guide. Be sure to invest resources into a redundant power supply, or at least condition the power to be steady. Cost is a restriction as well. Are we going with a home router plugged into the WAN, or are we trying to have a ruggedized business router? Can we afford to separate the layer 2 and layer 3 devices, or do we need to have it all in one? There are several options for these devices, and many can do multiple things that we need. Choose one that balances the cost with the needed features. What are the capabilities of the devices we choose? Will they allow us to set up some of the features, or do we need additional products to be able to provide additional services (like a call manager)?
There are many, many ways to accomplish this particular task. Setting up a LAN varies greatly depending on the equipment that you have. Let’s assume though, that you are using a device that has both layer 2 and layer 3 functionality, and that any services that you provide can be hooked up to that. Remember, layer 2 in the OSI model is all about switching. It’s the data link layer. MAC addresses are on layer 2. Layer 3 is the “routing” or network layer. It’s the IP addresses and the way the packets get routed to their destination. A device that does both layer 2 and layer 3 functions is typically called a multilayer switch. The first thing to discuss is address space.
In a LAN environment, private addresses are the standard. The address block you pick determines how big a network you can have. In a remote environment, you typically will go with a smaller set of addresses. Using CIDR notation, let’s go with a /24 subnet. This is typical in many home networks by default. This allows you to have 254 usable IP addresses. How are you going to issue these IP addresses to the users? DHCP or statically? The easiest and most common way to issue IP addresses is via DHCP. Most layer 3 devices have the ability to act as a DHCP server, so doing so isn’t too difficult.
To figure out your range, let’s use a very common set of addresses: 192.168.0.0/24. If you’re providing voice over IP (VoIP) services, you’ll want to either add another subnet or split this one in half. For this example, though, everything will be used for data services. Let’s reserve a few addresses as well for use in specific ways. We will keep 192.168.0.1 for the router’s IP address, 192.168.0.2 for our printer (every network needs a printer, right?), and then 0.3-0.5 for future reservations such as the file share server. Everything else is usable (with the exception of 0.0 and 0.255, which are the network and broadcast IP addresses for this subnet). Configuring the DHCP server is different on every device that you could have. Most home and small business routers have a nice graphical user interface (GUI) that helps you through the process.
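Here is an added example (not part of the original guide) that turns the plan above into a DHCP scope: it takes the 192.168.0.0/24 subnet and the reserved addresses from the text, carves them out of the lease pool, and renders the reservations as Cisco IOS ip dhcp excluded-address lines. The reservation table is constructed from the text, and the IOS syntax is an assumption about the platform; other vendors express exclusions differently.

```python
"""Plan a DHCP scope around reserved addresses (added example, not from the guide)."""
import ipaddress

# Constructed from the reservations the text names: router, printer, and the
# .3-.5 block held back for future servers such as the file share.
RESERVED = {
    "192.168.0.1": "router / default gateway",
    "192.168.0.2": "network printer",
    "192.168.0.3": "file share (planned)",
    "192.168.0.4": "future reservation",
    "192.168.0.5": "future reservation",
}


def dhcp_pool(network: str, reserved: dict) -> list[tuple[str, str]]:
    """Return the contiguous ranges of host addresses the DHCP server may lease.

    The network and broadcast addresses are never leased; every reserved
    address is carved out, splitting the pool into several ranges if needed.
    """
    net = ipaddress.ip_network(network, strict=True)
    blocked = {ipaddress.ip_address(a) for a in reserved}
    for addr in blocked:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
    ranges, start, prev = [], None, None
    for host in net.hosts():          # hosts() already skips network/broadcast
        if host in blocked:
            if start is not None:
                ranges.append((str(start), str(prev)))
                start = None
            continue
        if start is None:
            start = host
        prev = host
    if start is not None:
        ranges.append((str(start), str(prev)))
    return ranges


def excluded_address_lines(network: str, reserved: dict) -> list[str]:
    """Render reservations as 'ip dhcp excluded-address low [high]' lines (assumed IOS syntax).

    Adjacent reservations are coalesced into one low/high pair.
    """
    net = ipaddress.ip_network(network, strict=True)
    addrs = sorted(a for a in map(ipaddress.ip_address, reserved) if a in net)
    lines, i = [], 0
    while i < len(addrs):
        j = i
        while j + 1 < len(addrs) and addrs[j + 1] == addrs[j] + 1:
            j += 1
        low, high = addrs[i], addrs[j]
        lines.append(f"ip dhcp excluded-address {low}" + (f" {high}" if high != low else ""))
        i = j + 1
    return lines


def pool_size(network: str, reserved: dict) -> int:
    """Number of addresses the server can actually lease after exclusions."""
    return sum(int(ipaddress.ip_address(hi)) - int(ipaddress.ip_address(lo)) + 1
               for lo, hi in dhcp_pool(network, reserved))


if __name__ == "__main__":
    for lo, hi in dhcp_pool("192.168.0.0/24", RESERVED):
        print(f"pool: {lo} - {hi}")
    print("\n".join(excluded_address_lines("192.168.0.0/24", RESERVED)))
    print("usable leases:", pool_size("192.168.0.0/24", RESERVED))
```

For the text's plan this yields a single pool of 192.168.0.6 through 192.168.0.254 (249 leases) and one exclusion line covering .1 to .5; reserving an address in the middle of the block would split the pool into two ranges, which the function handles the same way.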
Since the voice services that are provided are going to run on the computers and data devices that we connect, we don’t have to worry about special addressing for this. After all, we want our configuration and setup in a remote environment to be as easy as possible. Some good options for these services include applications like Skype, Google Voice, etc. You can also download “soft” phones, which act as a regular phone on your computer but are software-based.
File sharing is a must in today’s network. This can be as easy as plugging a USB hard drive into the router and clicking a share button, or as involved as building out a separate server with specific user permissions. Most routers have the capability to share files to users; protocols such as FTP, SFTP, and SMB are used within networks to do so as well. Some routers that have “easy share” type capabilities make setting this up easy, but severely limit the control and granularity you have over access to the drive. Let’s give our file share its own IP address, assuming that we take a chunk of a server and share it out: 192.168.0.3. Windows Server makes sharing a partition of a drive relatively easy. You can typically right-click the folder and click on the sharing button to look at the options and share it out. What’s nice about this is that you can specify the permission level for each user within each directory that you share. They can search the network (depending on the discoverability) or navigate directly to the share in Windows Explorer.
You can set up a Linux system as a file share, as well. The Samba application for Linux is a very common one that is used. So, with the drive size that you want on the Linux system, install Samba, create your users and passwords, identify the directory in which to share out, be sure to edit the smb.conf file to include all the necessary parameters, then restart the application. Your users should then be able to get to the file share from their machines! There are several other applications and methods used to create a file share. Just be sure to remember that permissions are huge when it comes to this. The principle of least privilege should be followed here.
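The Samba steps above end with "edit smb.conf to include all the necessary parameters" and a reminder about least privilege, so here is an added example (my own, not from the guide or the Samba project) that audits share definitions in an smb.conf for the settings that break that principle: guest access, writable shares, and shares with no valid users, read list or write list. The sample configuration, share names and user names are constructed; Python's configparser is used because smb.conf is INI-shaped.

```python
"""Audit smb.conf share definitions for least-privilege problems (added example)."""
import configparser

# Constructed sample config: one properly restricted share, one wide-open share.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = REMOTE
   server role = standalone server
   map to guest = Bad User

[projects]
   path = /srv/share/projects
   valid users = alice, bob
   read list = bob
   write list = alice
   guest ok = no

[dropbox]
   path = /srv/share/dropbox
   writable = yes
   guest ok = yes
"""

TRUE_WORDS = {"yes", "true", "1", "on"}


def _flag(section, *names, default=False):
    """Samba accepts synonyms (writable / writeable / write ok); the first one present wins."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in TRUE_WORDS
    return default


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    # smb.conf indents its keys; strip that so configparser does not treat them as continuations
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def audit_smb_conf(text: str) -> list[tuple[str, str, str]]:
    """Return (share, severity, finding) tuples; an empty list means nothing was flagged."""
    cp = parse_smb_conf(text)
    findings = []
    if cp.has_section("global"):
        mtg = cp["global"].get("map to guest", "Never").strip().lower()
        if mtg != "never":
            findings.append(("global", "medium",
                             f"map to guest = {mtg}: failed logins fall through to the guest account"))
    for share in cp.sections():
        if share in ("global", "homes", "printers"):
            continue
        s = cp[share]
        anonymous = _flag(s, "guest ok", "public")
        # 'read only = yes' is Samba's default; any write synonym, or 'read only = no', flips it
        writable = _flag(s, "writable", "writeable", "write ok") or not _flag(s, "read only", default=True)
        restricted = any(k in s for k in ("valid users", "read list", "write list"))
        if anonymous:
            findings.append((share, "high" if writable else "medium",
                             "guest access enabled" + (" on a writable share" if writable else "")))
        if not restricted:
            findings.append((share, "high" if writable else "low",
                             "no valid users / read list / write list: every account can "
                             + ("write" if writable else "read")))
    return findings


if __name__ == "__main__":
    for share, sev, msg in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{sev:6}] {share}: {msg}")
```

Run against the sample, the [projects] share passes (named users, bob read-only, alice read-write) while [dropbox] is flagged twice and the global map to guest setting once. Running this after each edit to smb.conf, and before restarting the service, catches the common mistake of a share that works for everyone because it was never restricted to anyone.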
Printer sharing is also somewhat of a necessity in today’s network. It will require its own IP address as well, so we’ll give that reserved address, 192.168.0.2. This is a fairly simple task to do with most modern printers and multi-function devices. Once your printer has an IP address, you can search for and install it in most computers very easily. Both Mac and Windows operating systems typically identify your first printer installed as the default, so having users be able to print shouldn’t take long at all.
As I mentioned before, securing our networks is a must! The printer ports that are open on the network are vulnerable. The file-sharing services and the ports they use are vulnerable. If we use one of the voice applications, those reach out to the web; they are vulnerable too! Access control lists (ACLs) are one of the best capabilities we have, especially when resources are limited, to logically control access to certain devices, ports, and protocols. Within these, you define the IP addresses that are allowed to access certain resources within your LAN. For example, if you limit access to the file-sharing device to a specific set of computers so you can better monitor the activity, you would define a rule in the router permitting those devices to reach the server’s IP. Preferably, also defining the port or protocol used would secure it further. At the end of every access list, be sure to have the explicit deny, deny ip any any (unless your platform already applies one implicitly). What this “deny ip any any” at the end of your access list does is block every IP address that the earlier lines did not permit. The “any any” part matches all source and destination addresses, so once the ACL is applied, only the traffic listed before that statement gets through. ACLs are evaluated from the top down, and the first match wins. So, let’s say that you have your printer hanging off of a network device. You want to allow only your 192.168.0.10 address to reach it. This is what your ACL would look like for that, applied to the port the printer is connected to:
ip access-list extended PRINTER_ACCESS
 ! "host" means one exact address; without it, IOS expects a wildcard mask after each address
 permit ip host 192.168.0.10 host 192.168.0.2
 ! explicit catch-all deny: anything the line above did not permit is dropped
 deny ip any any
!
interface g1/0/1
 ! "out" filters traffic leaving the switch toward the printer; "in" on this port would filter the printer's own replies instead
 ! (if your switch supports only inbound port ACLs, apply the list inbound on the user-facing ports)
 ip access-group PRINTER_ACCESS out
This ACL restricts only the traffic going to the printer because it is applied to the port that only the printer hangs off of. You can restrict these resources based on the IP address, the MAC address, the port, or the traffic type with an ACL. So, these can be applied all over the place in your LAN environment. You can get as generalized or as granular as you’d like with them, giving you much more control over your environment than without.
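To make the "top down, first match wins, then implicit deny" rule concrete, here is an added example (mine, not from the guide) that parses Cisco-style access-list entries and evaluates sample packets against them. It starts from the PRINTER_ACCESS list above, written with the host keyword, and the test packets are constructed. The parser is my own and understands only permit/deny lines for ip, tcp and udp with host, any or address-plus-wildcard endpoints and an optional eq port on the destination; real IOS ACLs accept much more than that.

```python
"""Simulate ACL evaluation: top down, first match wins, implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The guide's printer list, in standard 'host' syntax.
PRINTER_ACCESS = """
permit ip host 192.168.0.10 host 192.168.0.2
deny ip any any
"""


@dataclass
class Entry:
    action: str                    # permit | deny
    proto: str                     # ip | tcp | udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # from 'eq <port>' after the destination, if present


def _parse_addr(tokens, i):
    """Consume one endpoint spec starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # 'address wildcard': a wildcard mask is an inverted subnet mask (contiguous masks only here)
    mask = int(ipaddress.ip_address(tokens[i + 1])) ^ 0xFFFFFFFF
    net = ipaddress.ip_network((tokens[i], str(ipaddress.ip_address(mask))), strict=False)
    return net, i + 2


def parse_acl(text: str) -> list:
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):     # skip blank lines and IOS comments
            continue
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(acl: list, src: str, dst: str, proto: str = "ip", dport: Optional[int] = None):
    """Return (decision, index of the matching entry); index None means the implicit deny fired."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:   # 'ip' entries match every protocol
            continue
        if s in e.src and d in e.dst and (e.dport is None or e.dport == dport):
            return e.action, idx                   # first match wins; later lines are never consulted
    return "deny", None                            # nothing matched: implicit deny


if __name__ == "__main__":
    acl = parse_acl(PRINTER_ACCESS)
    for pkt in [("192.168.0.10", "192.168.0.2"), ("192.168.0.50", "192.168.0.2")]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Two things the simulation makes visible that are easy to get wrong on a real device: a permit ip any any placed above a specific deny shadows it completely (the deny can never be reached), and a list with only permit lines still blocks everything else because the implicit deny fires when no entry matches, which is why the text recommends writing the deny out explicitly.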
Besides ACLs, we can control access to our network resources in other ways too. Assuming that you don’t have an identity management server, we can use MAC address whitelisting to only allow certain MAC addresses on the network. We can also use something called sticky MAC if we are using an enterprise switch, to ensure that each port only allows a certain number of MAC addresses. Of course, this is access control for the users. For administering the devices, you would want to harden access to any management feature that you have. Strong passwords are a must for these, and ACLs on the management access help as well. We don’t want users to be able to access these management functions.
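The two port-level controls just described, a static MAC whitelist and sticky MAC learning with a per-port limit, behave differently when an unexpected address shows up, so here is an added example (my own simulation, not vendor code or code from the guide) that models both and records every violation. The frame sequence, port names and MAC addresses are constructed; the two violation modes, "shutdown" (port goes err-disabled) and "restrict" (only the offending frames are dropped), follow the common switch behaviour but are an assumption about whatever platform you actually have.

```python
"""Model switch-port MAC whitelisting and sticky-MAC limits (added example)."""


class PortSecurity:
    def __init__(self, max_macs=1, static=None, mode="shutdown"):
        self.max_macs, self.mode = max_macs, mode
        # static whitelist: port -> set of allowed MACs; learning is off on those ports
        self.static = {p: {m.lower() for m in macs} for p, macs in (static or {}).items()}
        self.sticky = {}          # port -> MACs learned in order of first sight (kept "sticky")
        self.violations = []      # (port, mac) for every frame that broke the policy
        self.err_disabled = set() # ports shut down after a violation in "shutdown" mode

    def ingress(self, port, src_mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        mac = src_mac.lower()
        if port in self.err_disabled:
            return False                            # nothing passes until the port is re-enabled
        allowed = self.static.get(port)
        if allowed is not None:                     # whitelisted port: only listed MACs pass
            return True if mac in allowed else self._violation(port, mac)
        learned = self.sticky.setdefault(port, [])
        if mac in learned:
            return True
        if len(learned) < self.max_macs:
            learned.append(mac)                     # learn it and bind it to this port
            return True
        return self._violation(port, mac)           # over the limit: a new device on the port

    def _violation(self, port, mac):
        self.violations.append((port, mac))         # the signal an operator should be alerted on
        if self.mode == "shutdown":
            self.err_disabled.add(port)
        return False


def replay(frames, ps):
    """Feed (port, source MAC) frames through the policy and return the forward/drop decisions."""
    return [ps.ingress(port, mac) for port, mac in frames]


# Constructed frame sequence: a user port with max 1 sticky MAC, and a printer
# port pinned to a single whitelisted address.
FRAMES = [
    ("g1/0/1", "00:11:22:33:44:01"),  # first device on the user port: learned
    ("g1/0/1", "00:11:22:33:44:01"),  # same device again: forwarded
    ("g1/0/1", "00:11:22:33:44:02"),  # a second MAC appears: violation, port shut down
    ("g1/0/1", "00:11:22:33:44:01"),  # the original device is now blocked too
    ("g1/0/2", "00:11:22:33:44:10"),  # the whitelisted printer: forwarded
    ("g1/0/2", "00:11:22:33:44:99"),  # something else on the printer port: violation
]

if __name__ == "__main__":
    ps = PortSecurity(max_macs=1, static={"g1/0/2": {"00:11:22:33:44:10"}})
    for (port, mac), ok in zip(FRAMES, replay(FRAMES, ps)):
        print(f"{port} {mac} -> {'forward' if ok else 'DROP'}")
    print("violations:", ps.violations)
    print("err-disabled:", sorted(ps.err_disabled))
```

The violations list is the part worth wiring into whatever logging you have: a second MAC on a single-device port is the simplest indicator that someone plugged a hub or a different machine into a jack. Keep in mind that a MAC address is just a frame header field, so this is a tripwire and a tidiness control rather than authentication; the identity management server the text mentions is what actually proves who a device is.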
Let’s talk about VLANs quickly too. At a minimum, you should segment your traffic using a few different VLANs. Never use VLAN 1 as the default. Define a VLAN for management access and management devices such as Active Directory servers, if this is something you have in the environment. Also, have separate data, voice, and printer VLANs, each with its own level of access on the network. Segmenting the network like this gives you greater control over who can do what on it.
One last topic on the security of the LAN: device protection and user training. These go hand in hand. The antivirus, anti-spam, anti-everything software that you install is great. It helps out a lot, and it’s definitely a necessity in any network. But user training is essential. Promoting a security-centric culture is necessary to protect the environment. Teach the users about security. Train them on how to identify attacks and look for suspicious emails and popups. Driving this culture is key. In remote areas, this LAN is their only access. If an attack is successful, their access could be down for a while.
As I mentioned in the WAN guide, Internet access for remote areas is coming. It will be an essential step in our evolution. Setting up the LAN is just as important as, if not more important than, establishing the WAN link. Consider all of the requirements when designing and implementing the LAN in an area with limited resources. Research the options available and the features that you want. Ensure that you have the knowledge, capability, and support to implement it the way it should be implemented. Do it right the first time, so you don’t have to do it a second time.