Security Basics mailing list archives

Security, Distributed firewalling application...long ;-)


From: Sanjay Arora <sanjay.k.arora () gmail com>
Date: Tue, 29 Nov 2005 18:01:06 +0530

List:

We are a small company with a (very short) shoe-string budget running
CentOS 4.2. I am a newbie sys-admin and am planning to secure the network
as follows; please comment on the design and, if known, suggest a GUI & policy
based ruleset generator that can additionally push the ruleset (preferably
by rsync over ssh) to the target machine & reset the ruleset.

WAN: A DSL link firewalled by an iptables firewall, currently running
IPcop on this...may shift to monowall or pfsense..or maybe add
additional rulesets to the IPcop box itself. ssh, http, pop3, imap and smtp
are redirected to the DMZ server in internal IP space (192.168.), which
runs web-apps and is the vulnerable target.

DMZ: Want to close all ports (in/out) on the DMZ server except for the
above services, with logging of all attempts from inside the lan or
outside.

LAN: 4 Servers running various services according to their jobs. Want to
explicitly close all ports (in/out) except the required ones with
logging of all attempts.

Other things to be done: 

1. Running an IDS on the local network (Snort).
2. Block all outgoing mail except from the official mailserver & run
anti-spam & antivirus on all in/out mails, with a copy of all logged for
archival/forensics purposes.
3. Block all outgoing ports except as required and log all attempts to
connect to blocked ports from inside or outside.
4. Install an application to get all iptables logs from all servers,
including the perimeter firewall, into a database.
5. Get data from the perimeter IDS & LAN IDS into the database.
6. Extrapolate the database on a regular basis for re-evaluation.

Comments are invited on the above. Also suggestions of open source &
free projects that can help me deploy the policy based firewalling and
all the above.

Why do I need a GUI & policy based framework for implementing my firewalls
when my requirements are static? Well, I may need to add an additional role
to a server on the LAN if any other server fails. In fact, I intend to
keep the services prepared on alternate servers, only not deploy them
redundantly. Secondly, one never knows when needs change, and something that
is easily configured and deployed would adapt better.

Also, I have a question that needs an answer. How do I allow IMs like
Yahoo, MSN and ICQ while transparently proxying & logging all business
chats? Staff will be aware from the IT policy that all email/IM are
recorded. We plan to run a Jabber server for Enterprise IM, but how do we
control the IMs?

Please critique...bang my head on the floor & caution on the drawbacks of the
approach...advise...provide links/learning resources...share
experiences...and help me get it right.

With best regards.
Sanjay.
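Added example (not from the post or from any of the tools it names): a small policy-driven iptables ruleset generator in POSIX sh, covering the DMZ and LAN requirements above (close all ports in and out except the listed services, log every blocked attempt) and the "block outgoing mail except to the official mailserver" item. It prints an iptables-restore(8) file from a list of service specs, so the same script can be kept in version control, rsynced to each box and loaded with iptables-restore. The host label, the port lists and the address 192.168.1.10 (assumed to be the internal mail relay) are placeholders chosen for the example. It uses the "-m state" match rather than "-m conntrack" because that is what a CentOS 4 (2.6.9) kernel ships.

```sh
#!/bin/sh
# Constructed example: policy-driven iptables ruleset generator.
# Given a host label, a list of inbound services and a list of outbound
# destinations it prints an iptables-restore(8) file that
#   - sets INPUT, OUTPUT and FORWARD to a DROP policy,
#   - lets loopback and already-established traffic through,
#   - opens only the listed services (NEW connections), and
#   - sends everything else to a LOGDROP chain that logs (rate-limited) and
#     drops, so every blocked attempt, in or out, appears in the kernel log.
# Specs are "proto/port" or "proto/port@host"; the host part restricts the
# source (INPUT) or destination (OUTPUT).  All addresses are placeholders.

emit_service_rules() {
    # $1 = INPUT or OUTPUT, $2 = whitespace-separated service specs
    chain=$1
    if [ "$chain" = INPUT ]; then addr_flag=-s; else addr_flag=-d; fi
    for spec in $2; do
        proto=${spec%%/*}
        rest=${spec#*/}
        case $rest in
            *@*) port=${rest%%@*}; host=${rest#*@} ;;
            *)   port=$rest;       host= ;;
        esac
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec' (tcp or udp only)" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2; return 1
        fi
        hostopt=
        if [ -n "$host" ]; then hostopt=" $addr_flag $host"; fi
        printf '%s\n' "-A $chain$hostopt -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}

gen_ruleset() {
    # $1 = short label for the log prefix, $2 = inbound specs, $3 = outbound specs.
    # Output is iptables-restore input; blank and '#' lines in it are ignored.
    label=$1
    in_rules=$(emit_service_rules INPUT "$2") || return 1
    out_rules=$(emit_service_rules OUTPUT "$3") || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# at most 10 log lines/min (burst 20) so a port scan cannot fill /var/log
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-$label-DROP: " --log-level 4
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j LOGDROP
$in_rules
$out_rules
-A INPUT -j LOGDROP
-A OUTPUT -j LOGDROP
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# DMZ host from the post: ssh/http/pop3/imap/smtp in; DNS out, smtp out only
# to the (assumed) internal mail relay 192.168.1.10.  Load it on the target with
#   gen_ruleset dmz "..." "..." | ssh root@dmz iptables-restore
gen_ruleset dmz "tcp/22 tcp/80 tcp/110 tcp/143 tcp/25" "udp/53 tcp/53 tcp/25@192.168.1.10"
```

A few caveats before using something like this. The limit match means that once a host is being scanned hard, hits beyond 10/min are dropped without a log line, so the log shows that a scan happened but not every probe; raise the limit if the database is meant to capture everything. An OUTPUT policy of DROP on a server also blocks DNS, NTP and yum unless they are listed, which is why the DMZ line above opens udp/53 and tcp/53. For the LAN servers, "tcp/25@<mailserver>" in the outbound list is what enforces item 2 of the plan on every box that is not the mailserver. Finally, load a ruleset like this from the console or with a scheduled rollback (for example "iptables-restore < old.rules" queued with at(1) a few minutes ahead), since a mistake in the ssh rule locks you out of a remote machine. Dropped packets are logged through the kernel log facility, so they reach syslog on each host and can be shipped to the central database the post asks about.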




