said by jeisenberg:
. . . Silly me. When I purchased my most recent hardware router, I sold my old one. What I have done is taken the "vulnerable" PC and s/w firewalled it so that it doesn't have direct access to the remainder of the network. And I keep a library of daily backups of all machines, just in case.
When (and if) I do this, there's definitely going to be a second router/firewall inline.
As for using the software firewall (which I presume you're really using primarily for its logging function), I would point out that PhatBot, in particular, has a very extensive list of AV/AT/PSF applications that it will attempt to nullify -- and Witty, of these suckers, is the only one I've seen to date that tries to work by exploiting a vulnerability in a particular PSF; the others rely on social engineering to get 'on the box'.
In other words, I would always consider the box in the DMZ 'at risk' (regardless of what security applications are installed on it), and I certainly would not depend on software applications (residing on that box) to isolate it from the rest of my machines. (And it's gonna get worse out there, RSN.)
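As an added illustration of the "second router/firewall inline" approach the post argues for (this is example configuration written for this page, not anything the poster or the thread supplied), here is an nftables ruleset for a small Linux box sitting between the DMZ host, the LAN and the Internet. The interface names, the LAN subnet and the log prefix are assumptions; the point is that the isolation policy lives on a device the at-risk host cannot tamper with, so it holds even if every security application on that host has been nullified.

```nftables
#!/usr/sbin/nft -f
# Example inline-firewall policy (assumed interface names and addresses):
#   eth0 = WAN/upstream router, eth1 = DMZ host, eth2 = trusted LAN
flush ruleset

define wan_if  = "eth0"
define dmz_if  = "eth1"
define lan_if  = "eth2"
define lan_net = 192.168.1.0/24   # assumed LAN subnet

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed below may flow back
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the DMZ host (admin, pulling backups)
        # and the Internet
        iifname $lan_if oifname { $dmz_if, $wan_if } accept

        # DMZ host may initiate connections only toward the Internet,
        # and never to a LAN address, whatever it tries
        iifname $dmz_if oifname $wan_if ip daddr != $lan_net accept

        # Anything the DMZ host initiates toward the LAN is logged and
        # dropped: this is the isolation the host itself cannot undo
        iifname $dmz_if oifname $lan_if log prefix "dmz-to-lan: " counter drop
    }
}
```

Because the default policy is `drop`, an infected DMZ host that disables its own personal firewall, or that tries to scan the LAN, still only gets as far as this chain allows; the `log` and `counter` on the final rule give the inline box the logging role the post suspects the software firewall was really serving, without depending on anything installed on the compromised machine.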