In my office, although we have a firewall, intrusion prevention, gateway anti-virus and corporate anti-virus in addition to strict network policies, viruses still find their way to our LAN, especially through email. In order to improve security and well-shield the company's resources, I was told to fragment our network in order to separate the accounting server and workstations from the other servers and stations that do have access to the internet. The problem is, I'm not sure how to implement it exactly, especially since some of the computers in the accounting domain need to access the internet as well. I read some articles about network segmentation online, and some of them suggest using dual-NIC interfaces on those computers that need to access two network segments. But wouldn't that defeat the point of isolating the accounting network from the internet?
Does anyone have any suggestion?
Thank you in advance.