make your network safe - some simple rules
The most important thing is that you channel the data flows into clear and strictly controlled channels, like this:
- all DNS traffic should go to one or two defined internal or external DNS servers; drop all the rest and check the computers that don't respect it (IRC traffic goes through port 53 now)
- all mail traffic should go through a defined mail or mail relay server (drop all the rest and check it, because it is a strong indication of infection)
- drop all traffic except what is explicitly defined, and make the exceptions as narrow as possible, through exclusive ports (from IP address x to IP address y over port j)
- drop all web traffic to the following countries and domains (.biz, .info, .ru, .br, .kr, .ar, .pl, .ro, .cn) except for whitelisted domains, unless you are in that country or work closely with it. The narrower the set of domains one can surf to, the better.
- refuse all traffic for services that have no place in a normal network, like P2P, free VoIP services, chat and instant messaging, and FTP, except for defined exceptions
- drop all email attachments that, except for defined exceptions, have no reason to be in the mail, like .exe, .bin, .pif, .jar and other unsafe types, or types you don't need for your work
If you have the money, buy a proxy, with which you can easily block all the sites that are infecting your network, plus antivirus and a good central firewall.
That may sound like a lot, but you will survive virus crisis after crisis without your staff spending hours and hours on work other than IT projects.
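As an added example (not code from the original post), here is a small Python policy checker that applies the DNS, mail and narrow-exception rules above to flow records and lists the hosts that should be checked; all addresses, ports and log lines are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy values for this example; all addresses are assumptions,
# not taken from the original post.
DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}   # the one or two defined resolvers
MAIL_RELAY = "10.0.0.25"                     # the one defined mail relay
MAIL_PORTS = {25, 465, 587}
# narrow, explicit exceptions: (source ip, destination ip, destination port)
EXCEPTIONS = {("10.0.5.7", "203.0.113.10", 443)}

@dataclass
class Verdict:
    action: str        # "allow" or "drop"
    investigate: bool  # True when the source host should be looked at
    reason: str

def evaluate(src: str, dst: str, dport: int) -> Verdict:
    """Apply the rules most specific first; default deny comes last."""
    if dport == 53:
        if dst in DNS_SERVERS:
            return Verdict("allow", False, "dns to approved resolver")
        # anything else on port 53 is not the DNS we asked for
        return Verdict("drop", True, "port-53 traffic to unapproved server")
    if dport in MAIL_PORTS:
        if dst == MAIL_RELAY:
            return Verdict("allow", False, "mail via relay")
        return Verdict("drop", True, "direct mail bypassing relay")
    if (src, dst, dport) in EXCEPTIONS:
        return Verdict("allow", False, "explicit exception")
    return Verdict("drop", False, "default deny")

def parse_flow(line: str):
    """Parse a constructed 'src=... dst=... dport=...' flow line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])

def hosts_to_check(lines):
    """Return the source hosts whose flows were flagged for investigation."""
    flows = [parse_flow(line) for line in lines]
    return {src for src, dst, dport in flows if evaluate(src, dst, dport).investigate}

# Constructed sample flow log (not real traffic)
SAMPLE_FLOWS = [
    "src=10.0.3.4 dst=10.0.0.53 dport=53",
    "src=10.0.3.9 dst=198.51.100.5 dport=53",
    "src=10.0.4.2 dst=10.0.0.25 dport=25",
    "src=10.0.4.8 dst=192.0.2.77 dport=25",
    "src=10.0.5.7 dst=203.0.113.10 dport=443",
    "src=10.0.5.7 dst=203.0.113.11 dport=443",
]
```

Running `hosts_to_check(SAMPLE_FLOWS)` yields the two hosts that sent port-53 traffic to an unapproved server and mail past the relay, which is the list the post says to go and control.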