2. NIDS. Run a NIDS on all firewalls including one dedicated NIDS box in your DMZ -> could be instead of your win2k Domaincontroller. I don't know what a NIDS is. I guess Network Intrusion Detection System? Well I have not very much knowledge in that sector, but I will read as much as I can get on NIDS and install one. Thank you for that.
try out www.snort.org.
3. Domain controller in a dmz: U don't need that. We're talking about network layers not about application layers. I think I got that wrong. I thought that every computer in one network has to be registered in a domain controller, so I setup one for the DMZ (because this should be a seperate network) and one for the internal network. I changed that, and uploaded a new draft.
Make them stand alone servers and shut down netbios servers. I saw the draft. I think you're making yourself an unnecessary hard life with that proxy running 2 eths. Place the proxy INTO the DMZ not in front of it. The way you designed the draft now the proxy is a third firewall. If so, you have to make it a router routing from the same subnet into the same subnet. That means changing routes on the cisco and wasting two IP addresses for what security? This doesn't make sense because the firewall rules on the proxy and the packet filter in front of it would be nearly the same. This would only make sense if you made the proxy a non-routing application layer firewall for all needed protocols controlling the content of the traffic passing it. But I wouldn't do it for such a small DMZ. Its overkill.
4. Windows attached to the internet? If not a must for some reason, don't do it. Windows is expensive in any way. The problem is that our administrator doesn't know much about Linux,
He'll do well changing that in the near future.
and we have to use Windows as a Webserver because the pupils use Frontpage and ASP for their projects (I know that's lame, but I can't change that, sorry.)
It's not about being lame. It's bad for you keeping these windoze boxes uptodate all the time. I very well remember what nimda did to my win2k www server. No anti virus software ever will help you no matter how new the patterns are.
5. Proxy: You'll be fine running it on Firewall2. ok.
Oh, is it a http/https/ftp proxy? Or what services do you intend to run on it?
6. diversification: Firewall1 OS <> Firewall2 OS. What OS would you suggest if not both Linux?
FreeBSD and Linux.
Have a nice day,
u 2 Philipp