Is my network setup safe?

[tuuf]

I have a LAN running win2k server and 6 workstations running win2k & winxp.
This LAN has no access to the internet yet I have 2 of the workstations with
internet access via a 2nd NIC. connected to a router and DSL connection. On
these 2 workstations I run antivirus software. Am I kidding myself into
thinking this is safer than just allowing the server to access the internet?
The server and 4 workstations have no protection.

 

[Malke]

I have a LAN running win2k server and 6 workstations running win2k &
winxp. This LAN has no access to the internet yet I have 2 of the
workstations with internet access via a 2nd NIC. connected to a router and
DSL connection. On
these 2 workstations I run antivirus software. Am I kidding myself into
thinking this is safer than just allowing the server to access the
internet? The server and 4 workstations have no protection.

It's marginally safer but if one of those Internet-enabled workstations gets
infected with a network-aware worm, your entire network will be infected.

Malke

 

[Jack [MVP-Networking]]

Hi
If the infection is the type that needs a connection (like Trojans) there
would be some minor additional safety in dividing the Network into two
independent sections.
However most infections infect the Hard Drive in general. Since the HD is
used for both Networks it probably would spread the same way as if it was on
one Network.
Jack (MS, MVP-Networking).

 

[tuuf]

Thanks for the reply.
I also was wondering if I have the workstations (with internet access) to
log into themselves (rather than the domain) --- would this provide any more
security if I would get a worm?

 

[Malke]

Thanks for the reply.
I also was wondering if I have the workstations (with internet access) to
log into themselves (rather than the domain) --- would this provide any
more security if I would get a worm?

Here's how we handle this for one of our clients. They only want one
computer to have Internet access. We have one workstation set aside for
anyone to use and it is running Ubuntu Linux and doesn't share files with any
other machine. Problem solved.

Malke

 

[Anteaus]

A complex question with no single answer.

I'm glad to see you're using a router and not a USB modem, which is probably
the first and foremost security step.

I hope the Internet stations, if W2k, aren't using IE, as the versions
available for W2k (5/6) are very insecure. Firefox, Seamonkey or Opera are
W2k-compatible.

W2k doesn't have a firewall. This one works quite well,although it's a
little complex to set up:
http://www.oldversion.com/Tiny-Personal-Firewall.html
This does not work too well on XP, but then not needed there
Tip: to make it behave more like the XP firewall, create a rule allowing all
outbound traffic. This should stop most of the questions.)

As to whether it is OK to run desktops without AV software, that depends
very much on the kind of users they have and how security-conscious they are.
Bear in mind that viruses long predate the general use of the Internet, and
can be transmitted via floppies, USB memory, CDRs etc. I would certainly
inhibit autorun for all media types to prevent accidents of this kind.

If you don't need on-access scanning, ClamWin AV will provide you with
on-demand checks at no cost. http://www.clamwin.com/

As to whether the server can access the Internet, this should be largely
immaterial since only responsible persons should be able to use its console.
In general it makes things so much easier for the admin to download patches,
drivers, etc. that I always make it so. Definitely use a secure browser,
though, and don't install stuff like Java or Flash on a server, just the
basic browser.