Hardware firewalls are always my best choice, and the concept of a “quarantine” network could help you even more.
Try designing a multi-tier network with a dedicated segment of honeypots that should capture most of the malicious activity.
Some decent open-source firewalls exist; check out Smoothwall to get an idea of what is out there. You need more than just a firewall, though: anti-virus and anti-spyware are musts to ensure layered defenses are in place. Remember that a “DENY ALL” rule should be in place by default, with firewall ports opened only for required services. Do not install unneeded or unused services on computers that are exposed. Apply patches regularly, and do not forget to update a system after reinstalling the OS or restoring from backup, since a fresh install or an old image is missing every patch released after it was made.
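The “DENY ALL by default, open only what is required” rule, as an added example that is not part of the original post: a small POSIX shell helper (the function names and the port list are my own, hypothetical choices) that generates an nftables ruleset whose input chain has a drop policy and accepts new inbound TCP connections only on an explicit allow list. Each port is validated before it is written into the ruleset, so a typo cannot silently produce a broken or overly broad rule.

```shell
#!/bin/sh
# Added example (not from the original post): build a default-deny nftables
# ruleset from an explicit allow list of inbound TCP ports.
# Usage: gen_ruleset "22 443" > /tmp/nftables.conf   (review, then load)

# Return 0 if $1 is an integer in 1..65535, 1 otherwise.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print an nftables ruleset. $1 is a space-separated list of TCP ports that
# may receive NEW inbound connections; everything else inbound is dropped.
gen_ruleset() {
  ports="$1"
  for p in $ports; do
    valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
  done
  printf 'table inet filter {\n'
  printf '  chain input {\n'
  # DENY ALL: the chain policy drops anything no later rule accepts.
  printf '    type filter hook input priority 0; policy drop;\n'
  printf '    iif lo accept\n'                          # loopback is always fine
  printf '    ct state established,related accept\n'   # replies to our own traffic
  printf '    ct state invalid drop\n'
  for p in $ports; do
    # Only the services we explicitly require get a hole punched.
    printf '    tcp dport %s ct state new accept\n' "$p"
  done
  printf '    counter drop\n'   # counted so the drops show up in monitoring
  printf '  }\n'
  printf '  chain forward {\n    type filter hook forward priority 0; policy drop;\n  }\n'
  printf '  chain output {\n    type filter hook output priority 0; policy accept;\n  }\n'
  printf '}\n'
}

# Stand-alone demonstration: SSH and HTTPS only, constructed sample input.
gen_ruleset "22 443"
```

Before applying the generated file on a real host, run `nft -c -f /tmp/nftables.conf` to syntax-check it without loading, and keep a console session open in case the allow list is missing the port you are connected over. The allow list is the place to be stingy: every entry is a service you have decided must be reachable from outside.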
In the IT trenches? So am I – read my IT-Trenches blog.