security advice needed please

I suspect I'm out of luck, but anyway....

Present system is a small LAN: two windows boxes (one 98se, one xp)
plus a freebsd box on an ethernet switch. The fbsd box connects to a
cable modem. The xp box has the printer connected, the fbsd box runs
samba and hosts the file system where our mail resides. There is file
and printer sharing between boxes, restricted in various ways. The
fbsd box provides firewalling, and all email access is via sendmail on
the fbsd box which does virus checking. I feel the system is
reasonably secure as it stands.

The problem is that senior son is about to obtain his own machine
(XP), and the pessimist in me suggests he'll, sooner or later, get it
infected with something I'd rather not have spread round the other
machines. I'm already planning on putting a third ethernet card into
the fbsd box, so he can sit on his own subnet and can be firewalled
off if necessary. I don't think there's an issue with him accessing
the samba server for mail, as any executables there are protected; but
he will need to access the printer on the xp box. I'm not well up on
windows networking, so a question is whether I can allow printer
access while preventing his machine from infecting others on the LAN.
Moving the printer to the samba server isn't really an option I'd
like.

Any other security issues that come to mind?

TIA.

--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
regards. Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)


Mike Scott

In article <(E-Mail Removed)>, "Mike Scott"
(E-Mail Removed) says...
> I suspect I'm out of luck, but anyway....
>
> Present system is a small LAN: two windows boxes (one 98se, one xp)
> plus a freebsd box on an ethernet switch. The fbsd box connects to a
> cable modem. The xp box has the printer connected, the fbsd box runs
> samba and hosts the file system where our mail resides. There is file
> and printer sharing between boxes, restricted in various ways. The
> fbsd box provides firewalling, and all email access is via sendmail on
> the fbsd box which does virus checking. I feel the system is
> reasonably secure as it stands.
>
> The problem is that senior son is about to obtain his own machine
> (XP), and the pessimist in me suggests he'll, sooner or later, get it
> infected with something I'd rather not have spread round the other
> machines. I'm already planning on putting a third ethernet card into
> the fbsd box, so he can sit on his own subnet and can be firewalled
> off if necessary. I don't think there's an issue with him accessing
> the samba server for mail, as any executables there are protected; but
> he will need to access the printer on the xp box. I'm not well up on
> windows networking, so a question is whether I can allow printer
> access while preventing his machine from infecting others on the LAN.
> Moving the printer to the samba server isn't really an option I'd
> like.
>
I'd guess that the best way to do this would be to set up the Internet
Printing Service to run on a non-standard port on the XP machine, then
set up the routing and firewalling on the fbsd box to allow access only
to the required ports and only from your son's network, and disable any
bits of IIS that aren't being used. The advantage of doing it this way
is that you don't need to worry about NetBIOS traffic between the two
networks. The disadvantage is that you have to run IIS, but the
firewall should be able to take care of any security issues that may
raise. I'd have a play with it myself but I can't find my XP
installation CD, so I could be talking bollocks.