Firewall Wizards mailing list archives

FW-1, HTTP access and strength of IIS security


From: "Briercheck, Scott" <brierchecks () msx upmc edu>
Date: Sun, 5 Sep 1999 16:28:38 -0400

I'm hoping to get a little advice.  I'm setting up an IIS 4.0 website that
has code to manage its own logins and user state (it doesn't just rely on NT
directory security - you can have a "web" account on the site without having
an NT account on the machine).  The "web" account IDs and passwords are
stored in a SQL 7.0 database that will also be behind the firewall.  

In front of the web site I'm planning on putting FW-1 running on Solaris.
The firewall will only allow SHTTP to the IIS web server on port 443.  I
expect that it should look no different to the web user than before I put
the firewall up.  Other than SHTTP, nothing else will be allowed through.

My first question is this:  Is IIS + FW-1 sufficient security for sensitive
information?  I've been told by various security consultants that it is, but
I'm starting to have reservations.  I know that nothing can guarantee
against a break-in, but is this a good choice - can I feel reasonably
confident relying on the Firewall plus the IIS-supported login to be my
primary mode of security (assuming MY code is good... is IIS 4.0 good
enough?)  I worry about buffer overflow attacks, and other types of hacks,
since I will be allowing SHTTP through the firewall and right to the
website.  This means that I need to rely on IIS being robust enough.

My second question is a followup to the first:  Can I enhance the security
by having the users be forced to log into FW-1 at the firewall before
granting access to the website?  The FW consultants and I discussed the idea
of putting a RADIUS server (from Livingston software) into the security
package.  The Radius server would authenticate users at the Firewall (using
their login ID stored inside the SQL 7.0 database).  With this setup, not
even SHTTP would be allowed past FW-1 unless the user first authenticates at
the Firewall to gain a connection.

The problem is that I'm being told this "firewall" login would have to be
done in HTTP (plain text), and not SHTTP.  I had hoped to have a single
login for the users, but I do not want them sending their password in plain
text.  This means that I would need to add a one-time password scheme
(SecurID card).  If they successfully log into the firewall, then they
have a second login at the IIS login screen to actually access the website.

The third question is:  Has anyone implemented this type of "firewall"
login using a RADIUS server (or something similar)?  Is there something out
there that supports HTTPS for the firewall login?  I would really rather not
implement a SecurID card if I don't have to, as we will be dealing with
many distributed users, so card management will be a pain.

Thoughts or comments are appreciated.

Thanks,

Scott

brierchecks () msx upmc edu
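The "one-time password scheme" Scott mentions as the way to make a plain-text firewall login tolerable can be shown concretely. The following is an added example, not code from the original post or from any of the products named in it: it implements a counter-based one-time password (the HMAC-SHA1 construction later standardised as HOTP in RFC 4226) and a server-side verifier that accepts each code at most once. The per-user secret, the user name "scott", the look-ahead window of 5 and the test key are all constructed for the demonstration; a SecurID token is a time-based hardware variant of the same idea, and a real deployment would provision one random secret per user and keep it server-side (for example in the SQL database the post describes). The point it demonstrates is the one that matters on an unencrypted link: a sniffed code cannot be replayed, because the verifier's counter has already moved past it.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test key "12345678901234567890").
# Assumption for the example only: a real deployment uses a random secret per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state: each user's secret and the next counter value the
    server will accept.

    A code is valid at most once. After a successful login the stored counter
    moves past the counter that produced the code, so the same code replayed
    later (for example after being sniffed off a plain-text HTTP login) is
    rejected. The look-ahead window tolerates codes the user generated on the
    token but never submitted.
    """

    def __init__(self, window: int = 5):
        self.window = window
        self.users = {}  # user -> {"secret": bytes, "counter": int}

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        for c in range(rec["counter"], rec["counter"] + self.window):
            # Constant-time comparison so a wrong code cannot be narrowed
            # down digit by digit from timing.
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1   # burn this code and every earlier one
                return True
        return False


def demo() -> tuple:
    """Walk through a genuine login, a replay of the sniffed code, a user who
    skipped a few codes, a stale code and a wrong code."""
    v = OtpVerifier(window=5)
    v.enroll("scott", DEMO_SECRET)              # "scott" is a constructed user
    first = hotp(DEMO_SECRET, 0)                # what the token shows at counter 0
    genuine = v.verify("scott", first)          # accepted
    replay = v.verify("scott", first)           # same code again: rejected
    skipped = v.verify("scott", hotp(DEMO_SECRET, 3))  # within window: accepted
    stale = v.verify("scott", hotp(DEMO_SECRET, 1))    # counter already past 1: rejected
    wrong = v.verify("scott", "000000")         # not a valid code at all
    return (genuine, replay, skipped, stale, wrong)


if __name__ == "__main__":
    print("counter 0 code:", hotp(DEMO_SECRET, 0))
    print("genuine, replay, skipped, stale, wrong =", demo())
```

Two things the example does not solve, and which still apply to Scott's setup: the one-time code only protects the user's credential, not the HTTP session it is typed into, so anything else the firewall login page carries in the clear is still exposed; and the verifier's per-user counter has to be updated atomically, because two concurrent logins that both read the same counter could both accept the same code.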
