LAN Security Question- Switches, Routers, & Modems (oh my)

Is there any practical security difference for computers A between these set ups?

First Set Up
modem -> router 0 -> router 1 -> comps A
         router 0 -> comps B
The modem connects to router 0. Router 0 connects to comps B and router 1. Router 1 connects to comps A

Second Set Up
modem -> switch -> router 0 -> comps B
         switch -> router 1 -> comps A
The modem connects to the switch. The switch connects to router 0 and router 1. Router 0 connects to comps B. Router 1 connects to comps A.
In case it makes a difference:

switch:
NetGear FS105
router 0:
Linksys WRT54G
router 1:
Linksys BEFSR41

I should’ve said:

For comps A from troubles (infections etc) in comps B.

If comps B get something nasty like a trojan, virus or other which set up (if either) is more secure for comps A?

Cascading the routers like that is likely to lead to more trouble than it’s worth. It’s better to run ZoneAlarm on each machine if you’re worried that one machine may attack the other. That said, Setup 2 is likely to piss off your ISP and generally won’t work, as you’ll be attempting to request 2 IP addresses from your ISP. Also, in configuration 1 computer A will still be able to attack computer B.

Quantity of comps -7- means that something has to be done.

What if the switch were replaced by a router? That would eliminate the dual IP requests?

That’s what I’m afraid of. I don’t think that the comps B are well secured, and I’m trying to decide if it’s worth my trouble to monkey with them and maintain this security. As difficult as it’ll be (for interpersonal, human reasons), if it’s the best way to reduce my machines’ exposure, then that’s what I’ll do.

As in
modem -> router 0 -> routers 1&2

Are you saying you don’t have enough switch ports for all the computers? You can just add another switch or hub to the existing switch.

What environment will these computers be used in? Why do you feel software firewalls on each machine are insufficient? ZoneAlarm is free and quite effective at intercepting both incoming and outgoing malicious traffic. Plus, focusing entirely on one aspect of your network’s security will leave you vulnerable. A combination of effective anti-virus software, keeping up with the latest security updates, and avoidance of insecure software and unsafe downloads will do far more for your network’s overall security than firewalling all of the computers from each other.

I’m responsible for only three of the machines. I keep up with the Windows updates and patches. I run ZoneAlarm and Sygate firewalls. I use NAV & AVG. I have a battery of anti-spyware programs.

HOWEVER, the other computers are not under my care.

They have not had up to date virus definitions for more than a year.
They have no firewalls (except one has XP’s built-in firewall).
They have no anti-spyware programs whatsoever.
Their OSes have not been updated and patched for some indefinite amount of time.
An eleven year old surfs unsupervised on one of them.
Because of the aforementioned factors, I suspect that these machines may be rife with malware of numerous sorts.

These conditions are not under my control.

I’m mostly worried about someone using a trojan from one of those machines gaining access to my machines.
I don’t want to shut down the useful connectivity among my systems.

Since you have firewall software and up-to-date software, you should be protected. However, if you really want hardware protection I’d recommend a true firewall device like this Netgear model. It has a router, but firewall-only devices tend to be high-end enterprise hardware. Basic NAT devices usually aren’t true firewalls, as they don’t analyze traffic. Though, since you’ll still be running a NAT behind a NAT you may run into initial connectivity issues, like DNS server access (Try manually specifying the DNS servers to be the ones given by your ISP). And, if you do anything that requires inbound connections, like online gaming, you’ll have to make sure both routers are configured correctly. Finally, whatever you end up doing, make sure that wireless router is properly secured with 128-bit WEP and a non-dictionary password, and if you do use cascaded NAT, that it’s the upstream router.

Oh, and if you cascade the routers you need to make sure one router uses a 192.168.1.x internal address and the other a 192.168.0.x internal address. If the first three quads of the IP address are the same the routers will become confused and won’t route traffic properly.
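As an added illustration (not from any poster in this thread), here is a small Python model of the stateful-NAT behaviour behind the earlier replies: it works out, for the three layouts discussed (cascaded, side-by-side behind a switch, and router 0 feeding routers 1 and 2), which direction comps A and comps B can open connections to each other, and flags the overlapping-subnet mistake from the paragraph above. The node names, subnets and the "isp" root are assumptions for the model.

```python
from ipaddress import ip_network

# Hypothetical model (added here, not from the thread). A NAT router is a node
# with a LAN subnet; hosts and downstream routers hang off a parent, and the
# root "isp" stands for the modem or unmanaged switch. Assumed rule: a host may
# initiate to its own LAN and anything upstream; a stateful NAT drops
# unsolicited inbound to its LAN (port-forwards are deliberately not modelled).

class Node:
    def __init__(self, name, parent=None, lan=None):
        self.name, self.parent = name, parent
        self.lan = ip_network(lan) if lan else None   # None for plain hosts

def nats_enclosing(node):
    """Names of the NAT routers that sit between node and the ISP."""
    out, cur = set(), node.parent
    while cur is not None:
        if cur.lan is not None:
            out.add(cur.name)
        cur = cur.parent
    return out

def can_initiate(src, dst):
    """src can open a connection to dst only if every NAT in front of dst
    also encloses src, i.e. dst is on src's LAN or somewhere upstream."""
    return nats_enclosing(dst) <= nats_enclosing(src)

def subnet_conflicts(routers):
    """A cascaded router whose LAN overlaps its upstream LAN cannot route."""
    return [r.name for r in routers if r.parent is not None
            and r.parent.lan is not None and r.lan.overlaps(r.parent.lan)]

def build(setup, r1_lan="192.168.1.0/24"):
    """The three topologies discussed; r1_lan lets you reproduce the overlap."""
    isp = Node("isp")
    r0 = Node("router0", isp, "192.168.0.0/24")
    if setup == 1:    # modem -> router0 -> {comps B, router1 -> comps A}
        r1 = Node("router1", r0, r1_lan)
        a, b, routers = Node("compA", r1), Node("compB", r0), [r0, r1]
    elif setup == 2:  # modem -> switch -> {router0 -> comps B, router1 -> comps A}
        r1 = Node("router1", isp, r1_lan)
        a, b, routers = Node("compA", r1), Node("compB", r0), [r0, r1]
    else:             # modem -> router0 -> {router1 -> comps A, router2 -> comps B}
        r1 = Node("router1", r0, r1_lan)
        r2 = Node("router2", r0, "192.168.2.0/24")
        a, b, routers = Node("compA", r1), Node("compB", r2), [r0, r1, r2]
    return a, b, routers

def isolation(setup):
    """Which way unsolicited connections can be opened between comps A and B."""
    a, b, _ = build(setup)
    return {"B_to_A": can_initiate(b, a), "A_to_B": can_initiate(a, b)}
```

isolation(1) reports that A can reach B but B cannot reach A, which is the one-way isolation an earlier reply pointed out; setups 2 and 3 isolate both ways, though setup 2 still needs two addresses from the ISP as noted above.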

Thanks for the advice.