How secure is this?

Goosemaster

Lifer
Apr 10, 2001
Router1----Pc1
|
|
Router2
|
|
Pc2






ROUTER1:Linksys wrt54g WAN: DHCP / INTERNAL IP: 172.16.64.130

IP scheme:
-network 172.16.64.128
-subnet mask 255.255.255.128

Wired:
-NAT
-DHCP disabled; Only static addresses

Wireless:
-WPA-PSK TKIP or AES (AES is slow as hell though so I stuck with TKIP) resets @ 3600ms
-802.11g only


ROUTER 2:Webramp modified with Sonicwall firmware INTERNAL IP: 172.16.64.194

IP scheme:
-network 172.16.64.192
-subnet mask 255.255.255.192

Wired:
-NAT
NAT One to one
External IP: 172.16.64.133
Mask: 255.255.255.128
Internal IP: 172.16.64.196
Mask: 255.255.255.192

-DHCP disabled; Only static addresses
-Gateway set to 172.16.64.130

Hardware Firewall:
-Every port blocked but 80, netbios and smtp
-Stealth
-Netbios out WAN

PC1 is a multimedia PC that gets a lot of spyware, adware, and viruses due to inexperienced users.
PC2 is a business computer that must remain isolated from the entire network except via netbios.



Is this setup secure? (besides the fact that I am spilling the beans)
What can be done to increase security?

P.S. I am remembering this from memory so if something doesn't make sense, please bring it up. The network was up and running, so it was set up correctly.....my memory however, isn't as slick
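An added check of the addressing plan exactly as posted above (example code, not part of the original post): it verifies that each stated address sits inside its stated segment and reports whether the two LAN ranges overlap. The segment names and host labels are made up for the example, and placing the one-to-one NAT external IP and the gateway on Router 1's LAN is an assumption based on their addresses and the 255.255.255.128 mask.

```python
import ipaddress

# Addressing plan transcribed from the post (values as posted; names are assumptions).
PLAN = {
    "router1_lan": ("172.16.64.128", "255.255.255.128"),
    "router2_lan": ("172.16.64.192", "255.255.255.192"),
}
# (label, address, segment the address is expected to belong to)
HOSTS = [
    ("router1 internal IP", "172.16.64.130", "router1_lan"),
    ("router2 internal IP", "172.16.64.194", "router2_lan"),
    ("one-to-one NAT external IP", "172.16.64.133", "router1_lan"),
    ("one-to-one NAT internal IP", "172.16.64.196", "router2_lan"),
    ("router2 gateway", "172.16.64.130", "router1_lan"),
]

def networks(plan):
    """Build network objects; strict=True rejects a network address with host bits set."""
    return {name: ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            for name, (addr, mask) in plan.items()}

def misplaced_hosts(plan, hosts):
    """Labels of hosts whose address is outside the segment they are assigned to."""
    nets = networks(plan)
    return [label for label, addr, seg in hosts
            if ipaddress.ip_address(addr) not in nets[seg]]

def overlapping_segments(plan):
    """Pairs of segments whose address ranges intersect."""
    nets = networks(plan)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def ambiguous_hosts(plan, hosts):
    """Labels of hosts whose address falls inside more than one declared segment."""
    nets = networks(plan)
    result = []
    for label, addr, _seg in hosts:
        ip = ipaddress.ip_address(addr)
        if sum(ip in net for net in nets.values()) > 1 and label not in result:
            result.append(label)
    return result

if __name__ == "__main__":
    print("misplaced:", misplaced_hosts(PLAN, HOSTS))
    print("overlapping segments:", overlapping_segments(PLAN))
    print("in more than one segment:", ambiguous_hosts(PLAN, HOSTS))
```

With the posted values, 172.16.64.192/26 lies entirely inside 172.16.64.128/25, so the two LANs are not disjoint address ranges and the addressing is worth re-checking against the real devices.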
 

Goosemaster

Lifer
Apr 10, 2001
Originally posted by: BML
What are you securing against? attackers? spyware? virus?

Anything shy of the devil himself. It is the company's accounting repository. They said they wanted to network both PCs but wanted high security.
 

VirtualLarry

No Lifer
Aug 25, 2001
I kind of glossed over the tech details like IPs and stuff, but ... let me get this straight, you want to network two PCs, one insecure, but one that should be secure, but you want to expose the secure PC's netbios ports to the insecure one? IMHO, "you're crazy".

You should either set up an additional PC for insecure internet access, and set up a separate secure LAN, with both the client and server business PC, or leave the secure accounting PC standalone, and set up an additional insecure PC for someone else to use to access the internet.

It's not so much of a technical issue, but a site security-policy one. Exposing a PC that is supposed to be kept secure, over a network, to a PC that is knowingly going to be running unknown, untrusted, insecure code (trojans/spyware/viruses/etc), is a foolish security policy decision. Best to have three PCs in this situation, and totally segregate secure and insecure machines onto separate LANs. Remember, security is only as good as the weakest link in the chain, and allowing an insecure machine to communicate directly with a "secure" machine, is cutting a big hole right through your perimeter security defenses.

Edit: Err, first paragraph said for effect, didn't actually mean that personally, of course. Please don't take it that way. It's hard to connotate inflection on these boards.
 

MtnMan

Diamond Member
Jul 27, 2004
Lot of detail about what you want to stop, but what are you trying to share between PC1 and PC2?

What shares and services do you have set up?
 