#1 |
|
Banned
Join Date: Jan 2001
Location: Toronto
Posts: 298
|
Network architecture and viruses
hi ho,
On occasion I fix people's machines and have found that some of these machines have infected other machines on my network. Is there any way to keep my machines on my network with internet access but physically segregate new machines in case they have a network aware virus? I was thinking cable modem to switch then set up each machine with its own router? Don't think dual or triple homed machines with dmz would help because the threat is internal...
#2 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
Before connecting the customer's machine to your router, bring it up standalone, disable NetBIOS over TCP/IP, disable Client for MS Networks, disable all protocols except TCP/IP, and disable filesharing. This will still allow you to get the machine on the Internet.
#3 |
|
Banned
Join Date: Jan 2001
Location: Toronto
Posts: 298
|
K
K...if I do these 4 things there is no way I can get a network virus from an infected machine?
#4 |
|
I am, in reality, a moose
Staff
Premium Member
Join Date: Aug 1999
Location: RTP, NC
Posts: 2,441
|
Depending upon your size and budget, there are some powerful applications to do exactly this, but they ain't cheap:
http://www.cisco.com/en/US/products/ps6128/index.html
#5 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
Forgot 1 thing - make sure the customer's machine is not using the same workgroup name as yours. Make sure all your machines are using active virus protection; software firewalls would be another layer of protection. I would not say "never" but all this sure sounds pretty safe to me.
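Added example, not part of any post in this thread: a read-only PowerShell audit of the checklist from posts #2 and #5, to run on the customer's machine while it is still standalone. It assumes Windows 8 or later (for `Get-NetAdapterBinding`), and `SHOPNET` is a placeholder for your own workgroup name.

```powershell
# Added example: audit only, changes nothing on the machine.
# Assumption: SHOPNET is a placeholder; substitute your own workgroup name.
$ShopWorkgroup = 'SHOPNET'

# Component IDs that count as "TCP/IP" (IPv4 and IPv6).
$tcpipOnly = 'ms_tcpip', 'ms_tcpip6'

$findings = @(
    # NetBIOS over TCP/IP, per IP-enabled adapter.
    # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        ForEach-Object { "NetBIOS over TCP/IP not disabled: $($_.Description)" }

    # Anything still bound besides TCP/IP. This catches Client for Microsoft
    # Networks (ms_msclient), File and Printer Sharing (ms_server) and any
    # other protocol or service left enabled on an adapter.
    Get-NetAdapterBinding |
        Where-Object { $_.Enabled -and $_.ComponentID -notin $tcpipOnly } |
        ForEach-Object { "Still bound on $($_.Name): $($_.DisplayName) [$($_.ComponentID)]" }

    # Workgroup name must differ from the shop's (string -eq is case-insensitive).
    $cs = Get-CimInstance Win32_ComputerSystem
    if (-not $cs.PartOfDomain -and $cs.Workgroup -eq $ShopWorkgroup) {
        "Workgroup matches the shop workgroup: $($cs.Workgroup)"
    }
)

if ($findings.Count -eq 0) {
    'All checklist items pass: only TCP/IP is bound and the workgroup differs.'
} else {
    $findings
}
```

An empty findings list only confirms the listed settings; it says nothing about whether the machine is infected.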
#6 |
|
Banned
Join Date: Jan 2001
Location: Toronto
Posts: 298
|
ok
Ok thanks you 2 for the info. Was it you GLC that owns your own shop, or was it HAL2000 maybe? If it was you, is this the procedure that you use in the shop?
#7 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
I don't go to that extreme for a few reasons. My network has NetBIOS over TCP/IP disabled anyway, I fileshare with NetBEUI, and my workgroup name is quite unique. All my machines have Zone Alarm and AVG. Most of my work is done onsite, but when I do bring a machine in, I look it over standalone before plugging in the network cable; if it's got critters, I clean them up with command line McAfee, which I keep updated on my USB key.