A local area network, or LAN, is a network designed to connect members of an organization -- from a couple of employees in a small business to hundreds of workers in a large corporation -- within a limited area such as an office, building or campus. A wide area network, or WAN, interconnects LANs over a wider geographic area, such as offices of the same company in different cities or countries.
LANs and WANs differ not only in data transfer rates and the technologies they use, but also in the threats they face and in how they are secured. Here's how.
A LAN serves a single organization, company or department within a company and is normally not connected directly to other LANs. Because a LAN is local and its resources can be managed in-house, it is easier to secure than a WAN, but that does not make it inherently secure. Insiders can exfiltrate sensitive data or introduce malware, intentionally or accidentally -- for example, by falling victim to a phishing scheme or by connecting a compromised device to the LAN.
Organizations can physically secure the entire LAN and the systems connected to it by enforcing security policies and procedures for anyone with physical access to the equipment. They should pair this with identity and access management policies so that users on the network have only the access to data and systems that their roles require.
LANs typically connect to the internet through a single router or firewall, and that device has security considerations of its own on top of the general risks of an internet connection. Enterprises must know which ports the router exposes to the internet, because an exposed Windows Server Message Block (SMB, TCP 445) or Remote Desktop Protocol (RDP, TCP 3389) service is a common entry point; replace default router admin credentials with strong, unique ones and rotate them; restrict the router's management interface to the LAN side; and keep firmware patched and track vendor advisories for the router model in use, since backdoors and hardcoded credentials have been found in specific router hardware.
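The port check described above can be scripted. The following is an added example, not code from the original article: it attempts a TCP connection to the SMB and RDP ports of a target address and reports which ones complete a handshake, which is what an attacker on the internet would see. Run it from a host outside the LAN against the router's public address. The `RISKY_TCP_PORTS` table and the `start_listener` helper used for offline self-testing are this example's own assumptions.

```python
import socket
import sys
from typing import Iterable, List, Optional, Tuple

# Services that should never answer on the internet side of a LAN router.
# Assumption for this example: the list is illustrative; extend it for your environment.
RISKY_TCP_PORTS = {
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "Server Message Block (SMB)",
    3389: "Remote Desktop Protocol (RDP)",
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake with host:port completes.

    A completed handshake means a listener is reachable through the router
    (directly, via port forwarding or via UPnP), whether or not the service
    later rejects us. A refused or timed-out connection counts as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def exposed_services(host: str, ports: Optional[Iterable[int]] = None,
                     timeout: float = 2.0) -> List[int]:
    """Return the subset of `ports` (default: RISKY_TCP_PORTS) reachable on `host`."""
    candidates = list(RISKY_TCP_PORTS) if ports is None else list(ports)
    return [p for p in candidates if tcp_port_open(host, p, timeout)]


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Open a TCP listener on an ephemeral loopback port so the checker can be exercised offline.

    Stands in for an exposed service in this example only; a real audit targets the
    router's public address instead of a local listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = exposed_services(target)
    if not found:
        print(f"{target}: none of TCP {sorted(RISKY_TCP_PORTS)} reachable from here")
    for port in found:
        print(f"{target}: TCP {port} ({RISKY_TCP_PORTS[port]}) reachable from here")
    sys.exit(1 if found else 0)
```

A non-zero exit status when anything is reachable makes the script usable as a scheduled check; a port that was closed last week and answers today usually means a new port-forward or UPnP mapping that nobody reviewed.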
Today, many organizations run a wireless LAN, or WLAN, connecting devices over Wi-Fi rather than cables. This is not without risk, either. In a WLAN, malicious actors can launch evil twin attacks, in which a rogue access point broadcasts the same SSID as a legitimate LAN access point, often with a stronger signal, to trick users into connecting so that their traffic passes through the attacker. Strong encryption (WPA2-Enterprise with clients that validate the authentication server's certificate, or WPA3) and a VPN help mitigate the risk: a client that does not trust the rogue access point's credentials will not complete the connection, and traffic that is already encrypted end to end is of little use to the attacker who captures it.
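Evil twins are also detectable from the LAN side. The following is an added example, not code from the original article: it runs a simple detection rule over beacon observations of the kind a monitor-mode capture tool reports, flagging any access point that advertises one of the organization's SSIDs from a BSSID not in the managed inventory. The `MANAGED_APS` inventory and the `SAMPLE_BEACONS` capture are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Beacon:
    """One 802.11 beacon observation, as a monitor-mode capture tool would report it."""
    ssid: str
    bssid: str     # MAC address of the access point radio
    channel: int
    rssi: int      # signal strength in dBm at the sensor
    akm: str       # authentication advertised in the RSN element, e.g. "WPA2-EAP", "WPA3-SAE", "OPEN"


# Inventory of the access points the organization actually operates, keyed by SSID.
# Assumption for this example: a real deployment pulls this from the wireless controller.
MANAGED_APS: Dict[str, Set[str]] = {
    "corp-wifi": {"f4:2e:7f:00:00:01", "f4:2e:7f:00:00:02"},
}


def locally_administered(mac: str) -> bool:
    """True if the U/L bit of the first octet is set: typical of software APs and spoofed MACs."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def find_evil_twins(beacons: List[Beacon],
                    managed: Dict[str, Set[str]] = MANAGED_APS) -> List[Tuple[str, str]]:
    """Return (bssid, reason) for every AP advertising a managed SSID from an unknown BSSID.

    Each rogue BSSID is reported once, however many beacons it sent.
    """
    alerts: List[Tuple[str, str]] = []
    seen: Set[str] = set()
    for b in beacons:
        bssid = b.bssid.lower()
        if b.ssid not in managed or bssid in managed[b.ssid] or bssid in seen:
            continue
        seen.add(bssid)
        reasons = [f"SSID '{b.ssid}' advertised by unmanaged BSSID on channel {b.channel} at {b.rssi} dBm"]
        if b.akm == "OPEN":
            reasons.append("open network (no authentication), so any client can be lured to associate")
        if locally_administered(bssid):
            reasons.append("locally administered MAC, typical of a software access point")
        alerts.append((bssid, "; ".join(reasons)))
    return alerts


# Constructed sample capture: two managed APs, a neighbour's network and one evil twin.
SAMPLE_BEACONS = [
    Beacon("corp-wifi", "f4:2e:7f:00:00:01", 36, -52, "WPA2-EAP"),
    Beacon("corp-wifi", "f4:2e:7f:00:00:02", 44, -61, "WPA2-EAP"),
    Beacon("cafe-guest", "3c:84:6a:11:22:33", 6, -70, "OPEN"),
    Beacon("corp-wifi", "02:00:00:aa:bb:cc", 1, -38, "OPEN"),   # the evil twin: strong signal, no auth
    Beacon("corp-wifi", "02:00:00:aa:bb:cc", 1, -39, "OPEN"),   # same rogue, second beacon
]

if __name__ == "__main__":
    for bssid, reason in find_evil_twins(SAMPLE_BEACONS):
        print(f"ALERT {bssid}: {reason}")
```

The neighbouring cafe network is ignored because its SSID is not one the organization claims; only impersonation of a managed SSID is flagged. The open-authentication and locally-administered-MAC checks are supporting evidence, not requirements, since a careful attacker can clone a real BSSID and advertise the same security settings.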
Another option organizations may consider is a virtual LAN (VLAN), which groups physically dispersed users or systems into one broadcast domain or further isolates certain data or systems from the wider LAN. VLANs are not without risk: if switches are not configured properly, they are susceptible to VLAN hopping attacks, in which an attacker on one VLAN gets traffic into another -- for example, by negotiating a trunk over DTP on a port left in dynamic mode, or by double-tagging frames so that the outer tag matches the trunk's native VLAN. Putting unused ports into access mode with DTP disabled and assigning trunks an otherwise unused native VLAN closes both paths.
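To make the double-tagging variant concrete, the following added example (not code from the original article) builds an Ethernet frame carrying two 802.1Q tags, parses the tag stack back out, and models what a trunk does with it depending on its native VLAN. The `hop_target` function is a deliberately simplified model of switch behaviour, an assumption of this example; real switches also vary with port mode and with whether the native VLAN is tagged.

```python
import struct

ETH_P_8021Q = 0x8100    # customer 802.1Q tag
ETH_P_8021AD = 0x88A8   # service-provider (QinQ) outer tag
TAG_ETHERTYPES = {ETH_P_8021Q, ETH_P_8021AD}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, vids, ethertype: int = 0x0800,
                payload: bytes = b"", pcp: int = 0) -> bytes:
    """Build an Ethernet frame with one 802.1Q tag per VID, outermost first.

    An attacker's double-tagged frame is build_frame(..., vids=[native_vlan, victim_vlan]).
    """
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        if not 0 <= vid <= 0xFFF:
            raise ValueError(f"VID {vid} out of range")
        tci = (pcp << 13) | vid            # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
        frame += struct.pack("!HH", ETH_P_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame: bytes):
    """Walk the tag stack that follows the two MAC addresses.

    Returns (vids outermost-first, inner ethertype, offset of the payload).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    off, vids = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated tag stack")
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in TAG_ETHERTYPES:
            return vids, etype, off
        if off + 2 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vids.append(tci & 0x0FFF)


def hop_target(frame: bytes, native_vlan: int):
    """Model of the double-tagging hop across a trunk whose native VLAN is sent untagged.

    If the outer tag equals the trunk's native VLAN, the first switch strips it before
    forwarding, so the next switch sees only the inner tag and delivers the frame into
    that VLAN. Returns the VLAN the frame would land in, or None when no hop happens.
    Simplified model (assumption of this example), not a full switch forwarding engine.
    """
    vids, _, _ = parse_vlan_tags(frame)
    if len(vids) >= 2 and vids[0] == native_vlan:
        return vids[1]
    return None


if __name__ == "__main__":
    attack = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", vids=[1, 20])
    print("tags on the wire:", parse_vlan_tags(attack)[0])
    print("trunk native VLAN 1   -> frame lands in VLAN", hop_target(attack, native_vlan=1))
    print("trunk native VLAN 999 -> frame lands in VLAN", hop_target(attack, native_vlan=999))
```

With the trunk's native VLAN left at the default of 1, the frame from an attacker on VLAN 1 lands in VLAN 20; with the native VLAN moved to an unused ID such as 999, the outer tag no longer matches, the frame stays tagged with VLAN 1 and the hop fails. The attack is also one-way: the victim's replies are not double-tagged, so it suits injection rather than interactive access.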
Because a WAN connects LANs in different locations, it depends on links the company does not own: either the public internet or a dedicated circuit leased from a third-party telecom. As a result, a company cannot verify what physical protections, if any, the third party applies to its portion of the WAN, and it should plan as though there were none.
A connection through the internet changes the entire threat model, adding new threats on top of those of the LAN-only environment. Because WAN traffic either crosses or is exposed to the public internet, enterprises must encrypt data in transit -- for example, with IPsec or TLS -- and correctly configure the routers and firewalls at every site, since a misconfiguration at one branch exposes the others.
VPNs are a popular option for creating secure site-to-site connections on a WAN and for remote users connecting into it. A VPN encrypts data in transit and authenticates the endpoints, but it should not be considered an enterprise's only line of defense: a compromised device at the far end of the tunnel has the same reach as a device on the LAN.
A software-defined WAN (SD-WAN) centralizes network control and enables agile, real-time application traffic management without overhauling an existing WAN. SD-WANs also enable access to cloud applications without causing the data bottlenecks a traditional WAN would.
However, because an SD-WAN sends branch traffic directly to the internet and to cloud applications instead of backhauling it through a central firewall, security enforcement moves from that central point to the edge locations. This can require changes to the SD-WAN provisioning process, or even a move to a software-defined perimeter or zero-trust model, in which each site, device and user is authenticated and authorized rather than trusted by where it sits on the network.
When considering LAN vs. WAN security -- as with any computer system or network -- the first steps are to identify the threats to the specific system or network and prioritize what needs to be protected. Then devise the controls that provide the required protection.