a2jfreak
20 Jul 2003, 06:33am
I need to set up a system that is completely isolated from the rest of the network, but it still needs to have internet access. This machine needs to have ports open to the rest of the Internet for web, email and DNS. Since it will have ports open and the rest of the computers on the network should be protected from incoming connections, I believe this computer should be behind a router that forwards only the ports for HTTP (80), email (25, I believe) and DNS (51 I believe). I will have to double check the ports, but that's a bit irrelevant right now.
To keep the rest of the network isolated so that this machine (if compromised) cannot access the rest of the network, I believe I would need a second router to block all incoming connections. The second router's gateway would be the first router's IP.
Here's a diagram to better explain what I tried to put into words.
My question: Is this the best way to go about keeping computer 1 completely isolated from the rest of the computers on the network, while still allowing them to all share the same connection? This is not a high-budget job, obviously, so these routers are not going to be Cisco or anything exotic.
// Edit: Forgot. I also think I could put computer 1 on its own subnet, 10.x.x.x and the rest of the network on 192.x.x.x just to help keep things as best isolated as possible. Would this matter?