Abstract

Despite many research and development efforts in the area of data communications security, the importance of internal local area network (LAN) security is still underestimated. This paper discusses why many traditional approaches to network security (e.g. firewalls, the modern IPSec, or various application-level protocols) are not so effective in local networks, and proposes a prospective solution for building secure encrypted Ethernet LANs. The architecture presented allows the existing office network infrastructure to be used, does not require changes to workstations' software, and provides a high level of protection. The core idea is to apply security measures in the network interface devices that connect individual computers to the network, i.e. the network interface cards (NICs). This eliminates the physical possibility of sending unprotected information through the network. Implementation details are given for data and key exchange, network management, and interoperability issues. An in-depth security analysis of the proposed architecture is presented and some conclusions are drawn.