I appreciate your suggestion. Your dual box, KVM solution is one that I've considered in the past from a security aspect, rather than platform stability. The problem I see is that, unless you want to pin a "kick me" sign on the Linux box, you also need anti-virus and firewall software. Not only does this requirement relate to Linux platform stability, but when you consider the files that you would be transferring from the Linux box to the Windows box, it raises questions of cross-platform infections. While I know there are AV and firewall solutions available for Linux, I remain unconvinced of their current compatibility, effectiveness and support.
How do you handle those problems?
--Boot Hill
Well i am unconvinced of the Security tools on the Windows side which is where 95% of the attacks are directed.
See this :
PestPatrol Shares Spyware Lessons ( Company will offer database of known... free.)
The magnitude of the problem is growing rapidly, well beyond just viruses, new exposures with internet Explorer being discovered everyday.
From Pest patrols entry:
Analyses from 4,140,000 pest reports submitted by PestPatrol users in the past 4 weeks, information on 124,146 pest objects (registry entries, directories, files), descriptions of 20,844 pests, and more.
I prefer a hardware firewall at the periphery of the network for several reasons. I've seen AV and firewall threads hang and stop working on desktop and server platforms, leaving you wide open without alerting you to the fact that the processes were no longer working. If you do depend on a software firewall, make sure the underlying OS is patched to date at all times.
Once behind a hardware firewall, you could allow Windows ICS to serve access to the net, with an additional software firewall such as Norton, Kerio or Zone Alarm, you could run Squid, Snort and Samba on the Linux box and let it be the gateway, or you could just patch all the computers into the firewall's switch ports and run with the single firewall. Note that the first two solutions, to be effective for more than just themselves, would require two NICs, one to the firewall, and the other to your switch or hub for the other machines to access.
Another option would be to run one box or the other connected to the net, and not proxy serve at all, using a seperate network for secure file and print sharing.
Frankly, a Windows box behind a hardware firewall, properly configured and patched to date and with current AV protection will defeat 99.9% of the automated vulnerability scans you will find on the net, as will a similarly set up Linux box. That leaves the dedicated cracker, who will find a way in eventually, no matter what you do. Fortunately, very few people ever attract the attention of such a person.
A good website for a wide variety of security software and ...network analyzers...is:
www.insecure.org