Project to design a internet security plan

As I mentioned I have been researching and reading and I am more confused now than before.

Welcome to InfoSec!

The company will use only a web server, an exchange sever (for email), need firewall, malware, honeypots,wireless (wans) for laptos and cells phone browsing as well as hardening servers and ftp acess and having intrusion dection solution

Ok... I'll put down what technologies you should google/research for each corresponding need. I could go into detail about some of them but I don't think you want a 20 page reply!

Web Server - Microsoft IIS Server, Apache

Exchange - Obviously Microsoft Exchange :)

Firewall - Microsoft ISA Server (I don't think it gets better than ISA), IPCop and m00nwall are also other good alternatives but lack Active Directory Integration.

Malware - Trend Micro, AVG (don't do the Norton thing...its tempting but the company has the WORST support I've ever seen)

Honeypots - I know nothing of the sort...

Wireless - Some hardware you could use... Linksys & Cisco WAPs. You could also integrate Windows RADIUS and PKI technologies into these too.

FTP Access - You can run that off your IIS server, or a separate Windows IIS Server...or even better yet, just use a VPN (IPSec or PPTP, Microsoft RRAS Server) if you need to move files to the internal network from trusted sources through an encrypted tunnel. (FTP Protocol transmits u/n and pw in plain text)

IDS - There are a ton of software solutions (some of which would even integrate with your ISA Server), however Snort is highly recommended in the community...and when considering an IDS you also want to keep in mind your threats don't always come from the outside!

Hardening Servers - Microsoft machines have policies and templates you can use to harden machines by default (for example the hisecws.inf and hisecdc.inf templates). Before you read about hardening machines its best you have a thourough understanding of Active Directory Infrastructures and how they work etc. Some good resources for this would be Microsoft's 70-290 Exam (Microsoft Server), 70-291 (Implementing Microsoft AD Infrastructure), 70-293 (Planning Microsoft AD Infrastructure), and 70-299 (Implementing and Administering Security in AD). Here is a guide from Microsoft about hardening their machines.

http://www.microsoft.com/downloads/details.aspx?familyid=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=en

For everything you have mentioned, Microsoft makes a product for, or provides a platform for a proprietary solution to operate on. Doing this easily and centrally managing everything in a smooth fashion would obviously require an Active Directory Infrastructure (something you should google too). I have a feeling though you are going to be overwhelmed once you read up on some of these technologies, but its something we all must do to keep up with the field.

Obviously there are Linux/UNIX/*nix alternatives, but that would turn your "project" into a distributed thesis as far as scale and depth are concerned.

I hope this helps, let me know if I can be of any more assistance.

Jon

Web Server - Microsoft IIS Server, Apache

that depends on what the company is using. in any case, apache is much more secure and robust, especially v1.3

Exchange - Obviously Microsoft Exchange :)

yup. 2003, not 2007, cos it's still a bit buggy. in any case the mail server must have a front end, I use postfix with clamav, spamassassin and several other techniques, but there are quite a few other solutions.

Firewall - Microsoft ISA Server (I don't think it gets better than ISA), IPCop and m00nwall are also other good alternatives but lack Active Directory Integration.

oh yes it does. ISA is the easiest in use, not the strongest. if you're after a secure solution, you need cisco pix or checkpoint splat ng R6x

Malware - Trend Micro, AVG (don't do the Norton thing...its tempting but the company has the WORST support I've ever seen)

yeah, norton is the worst possibility right after microsoft onecare

Honeypots - I know nothing of the sort...

these go into the mail frontend

FTP Access - You can run that off your IIS server, or a separate Windows IIS Server...

do NOT use IIS for that. IIS has the worst FTP service out there. especially if you try to ftp large files.
Proftpd, VSftpd or any other solution, with an LDAP backend, to integrate them into AD are the best.

or even better yet, just use a VPN

usually implemented on the firewall server.

(IPSec or PPTP, Microsoft RRAS Server)

doesn't have to be microsoft. pptp isn't secure at all, and IPSec is pretty hard to administer and implement. Checkpoint has an excellent solution for secure VPN.

Obviously there are Linux/UNIX/*nix alternatives, but that would turn your "project" into a distributed thesis as far as scale and depth are concerned.

actually, for most of the *NIX solutions there is a howto out there. very easy to understand

in any case, whatever you put in your DMZ should NOT be MS based. Microsoft servers are okay if you use them internally, but sticking them out for the world to see is asking for trouble.

Honepots face the world and log an intruders attack on the honepot system/machine.

They are not a usual component for a business.