Hi Ryan,
* Ryan Swenson;
> Togan - you are lucky given your current setup... here are some answers.

I have been rereading Building Internet Firewalls for probably the 10th time, and I hope at least I designed it with minimal mistakes :-)

> 1. Strategically you can decide where you want to put an IDS; however, in your scenario you are even more, or best, capable of using 2 IDSs: one on your external FW, and one on your internal firewall. You may have a single database inside on your management system, as well as a single management www or some console.
> You could now watch all in/out traffic leaving your external space and apply policies here. Internally you could now see all traffic leaving and entering your internal firewall, which correlates some of the external NAT/MASQ traffic as well as internal NAT/MASQ traffic. In this you could also have porn or info rules.
> 2. A single Snort IDS is best placed between the external and internal firewall, or more so installed on the external firewall but configured as such to see traffic destined... Personally I offload Snort to its own box, and use a switch that's capable of SPAN.

I had the idea of putting Snort on its own box also, but I was confused where to put the box (guess it's time to reread the Snort usage, FAQ and mailing list).

> 2. Put the Squid server on the internal firewall. That's a given.

Agreed.

> 3. Syslog server inside the internal network. Suggestion is syslog-ng for security enhancement. Use logwatch + scanlogd on the syslog server.
> 4. If you can afford it, obtain Cisco 3500XL switches for the money. Not only do they provide L2 but also allow limited IOS features. They support 2 GBIC links; you simply assign VLANs to best cut down storms and provide segmentation.

It depends on the government office (I have told them about the promotional campaign we have here in Turkey for the 3524XL series). Thanks for the valuable info.

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
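The central syslog-ng collector recommended in point 3, as an added example that is not part of this thread: a collector on the internal network that receives from the external firewall, the internal firewall and a separate Snort sensor, keeps each sender's logs in its own directory, and parks messages from unexpected senders in a separate file. The hostnames, the 192.0.2.x addresses and the syslog-ng 3.x syntax are assumptions.

```conf
@version: 3.38
# Added example: central syslog-ng collector on the internal network.
# Addresses and paths below are constructed placeholders.

options {
    use_dns(no);          # do not trust reverse DNS for the host field
    keep_hostname(yes);   # keep the hostname the sender put in the message
    create_dirs(yes);
    dir_perm(0750);
    perm(0640);
};

# Messages from the collector itself (logwatch and scanlogd run here too)
source s_local { system(); internal(); };

# Remote senders: external firewall, internal firewall and the Snort box.
# TCP avoids silent loss of UDP datagrams during bursts; bind only to the
# collector's internal-network address, never to 0.0.0.0.
source s_remote {
    network(ip("192.0.2.10") transport("tcp") port(514));
};

# Only the firewall/sensor management subnet is an expected sender
filter f_sensors { netmask("192.0.2.0/255.255.255.0"); };

destination d_local    { file("/var/log/messages"); };
destination d_per_host { file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}.log"); };
destination d_unknown  { file("/var/log/remote/unknown-sender.log"); };

log { source(s_local); destination(d_local); };
# flags(final): a message matched here is not re-evaluated by later log paths
log { source(s_remote); filter(f_sensors); destination(d_per_host); flags(final); };
log { source(s_remote); destination(d_unknown); };
```

logwatch on the collector can then be pointed at the per-host files under /var/log/remote, and unknown-sender.log is worth a daily look since nothing legitimate should land there.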