4. Setting up personal firewalls


For a bit more than 2 years now, a new kind of software has made its appearance in the computer security market: personal firewalls. These are numerous and vary in their functioning from one product to the other. For this reason, I recommend that you research thoroughly which products are available and evaluate how they work, in order to find the one that best suits the needs of your company. There are some links in Appendix A pointing to pages listing several personal firewalls that you can download, along with evaluations from previous users.

So, as I was saying, personal firewalls don't all behave the same, and it is on this point that I'd like to expand a bit. Let's take for granted that there is a firewall protecting the internal network from the Internet. What would then be the advantage of installing a personal firewall on a PC that works on the same principles as the main firewall, that is, a firewall that filters incoming and outgoing traffic based on rules defined on certain characteristics of the IP packets concerned? A packet sent by a malicious person that manages to bypass the main firewall because it conforms to the rules put in place has every chance of doing the same when it reaches the personal firewall, since the packet will most likely also conform to the rules of the personal firewall, unless the rules of the two firewalls are substantially different.

Another strategy, which I find particularly interesting, is a personal firewall that manages incoming and outgoing traffic based on the permissions set for the application requesting the connection, as opposed to the source and destination IP addresses and ports. This type of firewall also distinguishes between the internal and external network, which makes it possible to obtain good granularity on the type of traffic accepted or refused. On top of that, this type of firewall is designed to stop, right at the PC, any connection attempt made by Trojan horses, denial-of-service agents and some spyware. It is possible, for each application on the PC, to authorize, to refuse or to ask for permission for each connection, either on the internal or the external network. It is also possible to determine which applications have permission to act as servers, meaning that they can accept connections from other machines on a specific port. Applications not defined in the permission list will always ask for permission by default.

This way, if a Trojan horse gets onto the PC via an e-mail attachment, it will never be able to receive the connection requests sent by the malicious hacker, even if the attacker is located on the internal network. The danger with this strategy is being too permissive with your applications. For example, if we allow the command prompt FTP tool to connect every time (because it's convenient for a user who uses it often), then it is possible for a cracker to craft a Trojan horse that uses the FTP tool present on the victim PC to send collected information out of your network without triggering any alarm. Other scenarios using other commonly used software are possible, so in the end it comes down to the risk exposure you are willing to accept. But still, be careful when designing your rules. At a minimum, all command prompt tools should ask for permission, as they offer no graphical hint of their usage. This way, your personal firewalls will work in a complementary fashion with your main firewall, instead of being a mere redundancy with the same strengths and weaknesses.

In order to increase your network security, I recommend only including the various servers on your network in the "internal network". This way, it becomes impossible for a workstation to connect to another workstation on your IP network. This forces all electronic communications to transit via your servers (file server, print server, mail server, DNS, firewall, etc.) before reaching their destination, and makes it impossible(*) for an insider to hack into someone else's PC over the network. For more information about this, I refer you to "Configuring ZoneAlarm securely" in Appendix A.

Certain products will also let you associate specific ports with each application, which gives you one more degree of granularity in your setup. Of course, in order to be efficient, we must have a good idea of what is installed on the workstations on the network, which network these applications should be allowed to connect to (for example, internal network only for your mail client, internal and external networks for your web browser), ... By enumerating the applications allowed network activity (which you should have detailed in your corporate security policy document), it then becomes easy to set standards that prohibit unwanted applications, such as chat clients, instant messaging and the like. Of course, to achieve this, the configuration has to be protected by a password.
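As an added illustration (not code from the original article or from any firewall product), here is a small Python model of the per-application permission scheme described above: the "internal network" is defined as the servers only, each application carries allow/deny/ask decisions per zone plus an optional server permission and port list, unlisted applications always ask, and a policy check flags command prompt tools that are allowed unconditionally. The application names, addresses, the policy table and the "ask when a zone is not mentioned" default are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample: the "internal network" is the list of servers only
# (file, print, mail, DNS), not the whole workstation subnet.
SERVERS = {ipaddress.ip_address(a) for a in ("10.0.0.2", "10.0.0.3", "10.0.0.10", "10.0.0.53")}

def zone_of(peer: str) -> str:
    """Only listed servers are 'internal'; another workstation on the same
    subnet is therefore 'external', so workstation-to-workstation traffic is blocked."""
    return "internal" if ipaddress.ip_address(peer) in SERVERS else "external"

@dataclass
class AppRule:
    connect: Dict[str, str]                              # zone -> "allow" | "deny" | "ask"
    serve: Dict[str, str] = field(default_factory=dict)  # zone -> may act as a server?
    ports: Optional[Set[int]] = None                     # optional per-application port list

# Hypothetical policy table (assumed names and permissions, not a real product config).
POLICY = {
    "outlook.exe": AppRule({"internal": "allow", "external": "deny"}, ports={25, 110}),
    "iexplore.exe": AppRule({"internal": "allow", "external": "allow"}, ports={80, 443}),
    "ftp.exe": AppRule({"internal": "ask", "external": "ask"}),  # command prompt tool: always ask
    "printsvc.exe": AppRule({"internal": "allow"}, serve={"internal": "allow"}),
}

def decide(app: str, peer: str, port: int, inbound: bool = False) -> str:
    """Return 'allow', 'deny' or 'ask' for one connection attempt. Unlisted
    applications, and zones a rule does not mention, always 'ask' (assumed default)."""
    rule = POLICY.get(app)
    if rule is None:
        return "ask"
    if rule.ports is not None and port not in rule.ports:
        return "deny"  # port granularity: the application may only use its listed ports
    zone = zone_of(peer)
    table = rule.serve if inbound else rule.connect
    return table.get(zone, "ask")

CLI_TOOLS = {"ftp.exe", "telnet.exe", "tftp.exe"}  # assumed set of non-graphical tools

def overly_permissive(policy: Dict[str, AppRule] = POLICY):
    """Policy check: a command prompt tool allowed unconditionally in any zone
    gives a Trojan horse a silent way to ship data out (the FTP scenario above)."""
    return sorted(a for a, r in policy.items() if a in CLI_TOOLS and "allow" in r.connect.values())
```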

As with antivirus, it is a wise choice to centralize your log files and keep an active eye on them. We will see later how to make pre-configured installation packages to deploy your personal firewalls effectively.

*(a note on "impossibility": although I am aware it is a strong word to use in computer security, what I mean is that with such a setup, and a close eye on your centralized log files, if somebody attempts an intrusion, you should normally be aware of it before he succeeds)
