Insulating part of a network from internet

Greg

I currently have a small business network installed with cable modem internet access. I am running Windows 2000 Server on the computer that shares the internet connection. I want to network all of the computers to the server, but I don't want to risk the other computers to internet viruses, etc. What is the best way to accomplish this? Should I set up another server and domain for those machines? These other computers only need access to the internet gateway server for some infrequent file sharing.

Thanks,
Greg
 
Steven L Umbach

You should consider abandoning using Internet Sharing, unless your server is a proxy firewall such as ISA, and use a router/firewall instead. You can get a true SPI firewall for as little as $80 from Netgear, or a more configurable one with higher throughput for the $400 and up range from Netscreen, SonicWall, etc. Keep in mind that a firewall alone will not protect from viruses/trojans. Most get in the network through email attachments or another infected computer, such as a laptop someone had at home and got infected. Blaster and Sobig just made that painfully obvious. So in addition to a firewall, up-to-date virus protection that also scans ALL emails, prompt patch management, and a strong password policy, particularly for any administrator accounts, is needed. --- Steve

http://www.netgear.com/products/prod_details.asp?prodID=129&view=sb
http://www.microsoft.com/security/
 
Greg

Thanks for the information Steve. Actually, on the advice of a friend, I am looking at purchasing a Cisco PIX 506e firewall. I'm hoping he'll help me with the configuration <grin>.

I have an average understanding of how viruses propagate, but I guess my real question is: is there a way to segment a network so that the segment that has no internet access is invisible to the internet, they cannot communicate in either direction, and the computers that DO have internet access are not mapped to these computers? The only way these computers share info would be through a password protected share. Would having multiple domains make this more secure, or is that overkill? I just want to access files on the server occasionally...and if I have to use a password protected UNC, that's fine...I just want to know what the best way is, without spending a fortune on firewalls, routers, extra servers, etc.

Thanks,
Greg
 
Steven L Umbach

How many computers are you talking about total, how many on the internet, how many not, and how many are domain controllers? --- Steve
 
Steven L Umbach

Also, if the computers are all W2K/XP you could use IPsec. The non-internet computers could be put in their own Organizational Unit and assigned a "require" policy. Then the domain controllers and resource server could either have a rule created to exempt them from the IPsec policy by IP address, or they could be configured with a client/respond IPsec policy. It probably would be best to exempt the domain controllers at least. Then when any other computer attempts to communicate with those IPsec-enabled computers in the OU, the communications would fail [with very few exceptions that should not be an issue]. --- Steve
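The "require" policy with a domain-controller exemption that Steve describes, written out as an added example (not from the thread) using the `netsh ipsec static` context of XP SP2 / Server 2003; Windows 2000 itself lacks this netsh context and uses ipsecpol.exe instead. The policy and filter names and the domain controller address 192.168.1.10 are assumed.

```batch
@echo off
rem Added example: isolate the non-internet OU computers with an IPsec "require" policy.
rem Run on a member of that OU, or recreate the same rules in the IP Security Policy
rem snap-in of a GPO linked to the OU. Assumed: DC at 192.168.1.10, names below.

rem 1. An unassigned policy to hold the rules.
netsh ipsec static add policy name="Isolated-Require" description="Require IPsec for all traffic" assign=no

rem 2. Filter list matching all traffic to and from this host (mirrored = both directions).
netsh ipsec static add filterlist name="All-Traffic"
netsh ipsec static add filter filterlist="All-Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes

rem 3. Filter list for the domain controller, exempted by IP address as Steve suggests.
netsh ipsec static add filterlist name="DC-Exempt"
netsh ipsec static add filter filterlist="DC-Exempt" srcaddr=me dstaddr=192.168.1.10 protocol=any mirrored=yes

rem 4. Filter actions. soft=no is what makes this "require" rather than "request":
rem    a peer with no IPsec policy never gets a fall-back to clear text, so the
rem    internet-connected machines cannot reach these hosts.
netsh ipsec static add filteraction name="Require-IPsec" action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name="Permit-Clear" action=permit

rem 5. Rules. Kerberos (domain) authentication for the negotiated rule; the DC rule is a
rem    plain permit. The more specific DC filter wins over the all-traffic filter.
netsh ipsec static add rule name="Require-All" policy="Isolated-Require" filterlist="All-Traffic" filteraction="Require-IPsec" kerberos=yes
netsh ipsec static add rule name="Allow-DC" policy="Isolated-Require" filterlist="DC-Exempt" filteraction="Permit-Clear"

rem 6. Assign the policy. IKE (UDP 500) stays exempt by default; on W2K and pre-SP2 XP,
rem    Kerberos, RSVP, broadcast and multicast are also exempt, which is where the
rem    "very few exceptions" come from.
netsh ipsec static set policy name="Isolated-Require" assign=yes

rem Check the result: the assigned policy with its rules, filter lists and actions.
netsh ipsec static show policy name="Isolated-Require" level=verbose
```

Test from an internet-connected machine that has no IPsec policy: a share on an isolated host should be unreachable, while the isolated host still logs on to the exempted DC in the clear.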
 
