
good vendor for smartcards for use with VPN

tart666

Golden Member
I have set up a Win 2k3 server (Small Business Edition) for our office, and right now we are relying on username authentication for both local and remote clients.

This kinda scares me, so I figure I'll switch to VPN / smartcard for remote access. Does anyone have any pointers for vendors for cards and readers, as well as a reasonably priced and reliable certificate authority?
 
Instead of smartcards, you could go with USB tokens; Authentium comes to mind. Or RSA SecurID. When we researched our two-factor authentication for VPN access, we really wanted smart cards but decided the initial and recurring hardware investment was too high.

To tell you the truth, I don't know if two-factor authentication is worth its effort. USB tokens use a readily readable USB bus, and the tokens can be intercepted and replayed. Biometric retina scanners aren't reliable because your retinae can change, as they found out with pregnant women. Thumb scanners are great until your thumbprint is captured and reused, and you can't change your thumbs. SecurID is great until it gets stolen, or in the past had major problems with time synchronization (so then users can't sign in), and they are expensive to replace. Cards require the card and the reader, but then people tend to leave their card in the reader.

And the funny part is, you do all this and you think you're protected... until you realize that if you boot into safe mode with networking support, you can get on the network without going through the two-factor process. Or if a laptop / desktop is stolen, a free copy of Knoppix or other NTFS-reading tools can access everything on your hard drive without so much as a password.

For the best network security, there are a few things you should do. Set passwords at a minimum of 8 characters. 7 or fewer characters can be brute-force cracked in a reasonable time, and the 2k hash is shorter for less than 8 chars, which makes it easy for hackers to target. Turn on password complexity requirements.

In case the drive ever gets stolen, you can use low-level encryption. I came across a vendor that actually gives this away for free; if you want to centrally manage it, it's $8k for a server. Basically it encrypts the entire drive before the file system even loads, and you have to enter a PIN before the machine starts up. (Don't forget the PIN if you didn't buy the server!) I have considered using that for a few of our departments.

And then after you have the two-factor and encryption, you think you're protected, but then again you're not. So the user has booted up and put in their PIN, slid the card, and entered their complex password. Now they're logged in. They visit a site and install spyware, which then installs a trojan, which then puts them on a zombie network. Their keystrokes are being logged, the trojan is scanning their drive for financial information, and their machine is participating in a distributed spam network. So now you have to fix this one problem 3 ways: you need a web-filtering proxy to prevent the user from getting to those kinds of unsafe sites, you need an antivirus to prevent that type of stuff from installing, and you need patch management to prevent the exploits that installed the spyware from being used in the first place.

Great, now we're safe. Oops, we have laptops. Okay, so now your machines can enter an uncontrolled environment and VPN into your network, bypassing your own controls. So now we need a centrally managed personal firewall, and VPN software/hardware with high encryption and a RADIUS server. Don't forget to get some two-factor authentication for that VPN, because certificates and MAC address filtering can be spoofed. Hey, we're full circle.
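The password advice in the post above (8-character minimum, complexity on, and the point that the Windows 2003 "2k hash", i.e. the LM hash, is weaker for short passwords) as an added example, not code from the thread. The checker below follows the documented Windows "password must meet complexity requirements" rule (three of five character categories; no account name; no display-name token of three or more characters) with the poster's 8-character floor substituted for the Windows default of 6. The LM check relies only on two facts: LM uppercases the password, pads it to 14 bytes and hashes each 7-byte half separately, and the hash of an all-null half is the well-known constant AAD3B435B51404EE. Function names, the sample names and passwords are the example's own assumptions.

```python
"""Password-policy checker modelled on Windows complexity requirements,
plus a check for how the LM hash would store a given password.
Added example; not from the original thread."""
import re
import string

MIN_LENGTH = 8                        # poster's recommendation (Windows default is 6)
LM_HALF_EMPTY = "AAD3B435B51404EE"    # LM hash of an empty (all-null) 7-byte half


def _name_fragments(full_name):
    """Split a display name on the delimiters Windows uses (space, comma,
    period, dash, underscore, hash, tab); tokens shorter than 3 chars are ignored."""
    parts = re.split(r"[ ,.\-_#\t]", full_name)
    return [p for p in parts if len(p) >= 3]


def complexity_failures(password, account_name="", full_name=""):
    """Return a list of reasons the password fails the policy (empty list = OK)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    low = password.lower()
    # Windows compares the account name and name tokens case-insensitively.
    if account_name and account_name.lower() in low:
        failures.append("contains the account name")
    for frag in _name_fragments(full_name):
        if frag.lower() in low:
            failures.append(f"contains part of the full name ({frag!r})")

    # The five Windows categories; at least three must be present.
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    if sum(categories) < 3:
        failures.append("fewer than three character categories")
    return failures


def lm_exposure(password):
    """Describe how the LM hash (stored by default on Windows 2003 unless
    disabled) would hold this password. Each 7-byte half is hashed on its own,
    so an attacker cracks two 7-character, case-insensitive halves, not one
    14-character password."""
    if len(password) >= 15:
        return "no LM hash stored (password longer than 14 characters)"
    if len(password) <= 7:
        return (f"second LM half is the well-known empty value {LM_HALF_EMPTY}; "
                "only 7 uppercase characters to crack")
    return "both LM halves populated, but each 7-char half is attacked independently"


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for pw in ["password", "Secret1", "Tart666!x", "Bloggs#2024", "Correct-Horse-Battery"]:
        print(f"{pw!r}: {complexity_failures(pw, 'tart666', 'Joe Bloggs') or 'OK'}")
        print(f"    LM: {lm_exposure(pw)}")
```

The practical takeaway the check makes visible: a 15-character or longer password gets no LM hash at all, which is a cheaper fix than tightening the domain policy alone, and anything of 7 characters or fewer leaves half of the LM hash as a constant that every cracking tool recognises on sight.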
 
Hot damn... I guess I did suspect there was no way to guarantee full bulletproof security, but this is gloomier than I could imagine.

Anyway, I still would like to use something for remote users. What is the cheapest way to provide ANYTHING at all that is better than a password?
 
Originally posted by: spidey07
http://www.rsasecurity.com/

I've seen them before; many large companies use them, but I seriously doubt they would fit my need. My goal is $50 per user for about 2-5 users. RSA doesn't list the price on the website, and it looks like they will be off my goal by a couple of orders of magnitude.

Any others?
 