I'd recommend the use of opendns.com as a dns forwarder instead of your ISP's forwarders here. In my office I then customize it to block web sites like doubleclick.net Then ask yourself - is it necessary that your users go to facebook or another sites that bring in risk? XP is not the way to go here. Take a look at SBS Essentials (which hooks into hosted email) and then stick a true hardware firewall in front, or check out something line untangle which is a 'nix based firewall.

XP is not the way to go here. Take a look at SBS Essentials (which hooks into hosted email) and then stick a true hardware firewall in front, or check out something line untangle which is a 'nix based firewall. First of all, Susan, THANKS for getting at this :D !! As for the other suggestions, given it's a SoHo kind of setup I can agree and, sincerely I do believe that setting up an AD infrastucture using an SBS box may greatly help improving the "grip" on the network As for the firewall... well, probably a hardware box (whatever brand, as long as it's a decent one) may fit the bill; if, on the other hand one wants to go for a "built box", while untangle is a good pick, my choice goes to PFsense; the critter is built over the "m0n0wall" foundation and runs on the same h/w but offers much more :D or, if one wants to go down and lock traffic at low level, there's ZeroShell, the critter allows you to perform Layer-7 filtering (and this isn't so common :D) so allowing you to cut off (or control) P2P, IM, VoIP and a whole bunch of other stuff ... although it's more complex, so probably Untangle or PFsense may better fit the bill here. In either case, I do really think that running an SBS server box (and NOT an XP "simulating" a server) may be the key here

Due to increased unknown mal-ware getting onto computers at a small business I am managing tech for, I want to add a computer as a hardware firewall, incorporating a file server for backing up. My question regards the best way to go about this. I will have a computer running a simple OS, most likely XP pro. 2 new RAID 5 1TB HDD's for file serving 2 10/100 NIC's, Broadband and LAN down the road possible Hmail server and apache what is the best way to go about implementing a firewall between the 2 NIC's?mountain climber

Due to increased unknown mal-ware getting onto computers at a small business I am managing tech for, I want to add a computer as a hardware firewall, incorporating a file server for backing up. My question regards the best way to go about this. I will have a computer running a simple OS, most likely XP pro. 2 new RAID 5 1TB HDD's for file serving 2 10/100 NIC's, Broadband and LAN down the road possible Hmail server and apache what is the best way to go about implementing a firewall between the 2 NIC's? First of all, this forum is dedicated to windows server platforms and, sincerely, I don't think that Windows XP professional may be considered a server platform That said, using the same box as a firewall and a file server isn't a good idea from the security standpoint and, sincerely, using XP as a "file server" sounds quite crazy to me, again, XP isn't a server and has sharing limitation which will seriously impact your setup Then, if you still want to use XP as a "firewall only" you may do so by using the XP "Internet Connection Sharing" functionality, but be warned that such a feature is designed for very small home networks and, on a regular AD network with its own DNS and DC it may have negative impacts or even break your network connectivity As a last note; given that you're talking about a small business, my hearthly suggestion is to have a look at the Microsoft Small Business Server edition which may possibly fit your needs

Also, and since we're at it; it may be a good idea considering to acquire a real hardware firewall (given you wrote about a small business, you may look at Zyxel, LinkSys or Draytek products) which you'll then place between your network and the internet and then to setup a Small Business server which will allow you to setup an ActiveDirectory infrastucture and have better control on your network and which you may also use as a fileserver

thanks Obiwan, I'm looking at a Firebox SOHO 6 firewall, which has stateful packet filtering. I realise this device is quite old, and I'm hoping it still has the required filtering as far as a hardware firewall. As far as setting up an Active directory, I have done this once before basically as a test. I've never really had that much experience with domains, which would allow laptops to work on the LAN aswell as working with home internet connections. I'm not sure if an active directory would provide better protection than simply a good antivirus (Webroot anti-spyware and anti-virus) on all LAN computers combined with a hardware firewall and openDNS?? mountain climber

Thanks for that, I'd never heard of openDNS before, so that may explain why all the computers on the LAN were experiencing problems with page requests!mountain climber

thanks Obiwan, Well... I'd thank Susan too :) ! I'm looking at a Firebox SOHO 6 firewall, which has stateful packet filtering. I realise this device is quite old, and I'm hoping it still has the required filtering as far as a hardware firewall. Whatever "edge" firewall will be better than no firewall at all; the choice is mainly a matter of budget and features; the untangle which Susan suggested isn't a bad pick; another good pick may be one of the NetAsq SoHo products which implement a quite good UTM solution for small businesses As far as setting up an Active directory, I have done this once before basically as a test. I've never really had that much experience with domains, which would allow laptops to work on the LAN as well as working with home internet connections. I'm not sure if an active directory would provide better protection than simply a good antivirus (Webroot anti-spyware and anti-virus) on all LAN computers combined with a hardware firewall and openDNS?? Implementing an AD environment will allow you to centrally manage your infrastucture by using grpup policies (GPO), handling users and groups and, in general, setting up some common infrastucture policy and monitoring which won't just help you achieving better security, but will ease the task of monitoring and administering the various systems so allowing you to react more quickly to threats and, in any case, to detect them faster As for the antivirus, keep in mind that a regular desktop AV solution won't be a good pick; you'll need a centralized AV solution which will allow you to ensure that all clients are up-to-date, to configure AV settings for all the clients from a common management console and to receive alerts in case of threats of issues on whatever client; you wrote you're using "webroot", well, set aside any opinion on the product, I just hope you picked the "business" version of the product and not the "home" one; an alternative to your current solution may be this one, notice that it's just an example and that there are a number of similar products around, just... avoid the "home" ones since they won't fit in your case