LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-15-2003, 06:46 PM   #1
bobtmasse
LQ Newbie
 
Registered: May 2003
Location: In front of the monitor
Posts: 16

Rep: Reputation: 0
Complex firewall/filter/forwarder/more


I am planning on putting together a Linux based multi-service system on:

Pentium 3 500
768MB Ram
Dual Intel 10/100 NIC

The services I am planning on implementing are:

Firewall
Mail Filter/Forwarder
Web Hosting
Remote Access Server
Stealth Caching Web Proxy
Intrusion Detection and Prevention
Virus Scanning
Web Filtering

I know this is a lot to be configuring and setting up as a fairly low Linux n00b, but our company is having way too many troubles with our current config and people getting access to our mail server directly. A little more detail on what I plan on implementing:

*Firewall
Currently, there is a SonicWALL SOHO firewall device being used by the company for protection. While it is a functional firewall, it is missing some of the later attack types in its database and does not allow for IDP, VPN, Virus Scanning, and only does port blocking (from what I can tell). The administration is quite simple, but is missing graphic reports on usage, attacks, connections, etc. I plan on keeping the firewall where it is for port blocking as it does that task quite well and adding the Linux server in-line to add stateful packet inspection, IDP, virus scanning, and other abilities that are available with a more modern and idiot friendly firewall package.

*Mail forwarding/filtering (SendMail?)
We run M$ Exchange 5.5 in the company for a few reasons. We have been under attack by outsiders a few times in the past 6 months trying to use us as a relay through various under-handed tactics. I would like to have the Linux system take in mail, scan it and then:
a. drop illegals
b. drop spam
c. drop virused mail
d. check for correct domain delivery and forward legal mail to the exchange server on our premises or remote sub-domain

*Web hosting (Apache?)
We plan on hosting a few sites locally, as well as remotely. We have some users that also use the Outlook Web Access. I need to have multiple domains pointing to various sites within the server or forwarding to the secure OWA mail server depending on URL entered.

*Remote Access (remote desktop?)
We are seeking to have remote desktop support for both administration of the servers as well as access to certain user's desktops with very high secure connectivity. Something similar to Terminal Services server with users logging in and being directed to their desktops based on login.

*Stealth Caching Web Proxy (Squid?)
Right now we use a crappy little M$ based proxy server for outside access. I would like to replace this with a true Stealth proxy for outside access. This is not a requirement, but it would be nice for security and some speed for frequently accessed sites. Any savings in bandwidth at all would be also beneficial.

*Stealth Caching FTP Proxy (JFTPGW?)
We very rarely ever have to use FTP, but I added this to the list as a thought of what we might need for that occasional access to the outside world.

*IDP (Snort?)
What would firewall protection be without some sort of Intrusion Detection and Prevention? A reporting IDP server that would scan at the application layer for abnormalities in protocol and only take action at 100% known illegal actions, but notify on odd stuff.

*Virus Scanning?
As stated above, I am seeking virus protection at the fringe of the network. Although we have Symantec Anti-Virus scanning incoming mail plus actively scanning servers and workstations, I would like to have a second opinion on each one just in case. A heuristic check on incoming would be even better since we were hit by the latest Klez worm before a fix was available and I had to pull the plug on half the machines. I know this is not going to catch everything, but a second chance at catching incoming virii is always welcomed.

*Web Filtering
This is not a requirement, but something that would be nice. Filtering out porn sites at the router/firewall would be perfect for a lot of reasons: porn mail links won't work if they get through the spam filter and of course we won't allow users to go out on their own to troll for porn on our connection/time.

*Usage Graphing (with per service graphing)
Tracking bandwidth usage, per protocol usage, and per IP usage is a good starting point. Being able to add more tracking later is key to a fully successful implementation though.

*Outlook access to Mail server from outside
While some users access their mail through the Outlook Web Access(OWA) service, we do have some remote users that access through an Outlook client from various places around the U.S. which we would like to keep. Forwarding Outlook client ports should be the only requirement for this to continue functioning hopefully, but if that is not true, I would like to know now so I can plan some other course of action.

*CD-Rom based
The best solution for security it seems at this point would be a CD-ROM based distro similar to Devil-Linux that uses a floppy for holding the config files. I am still looking into this choice, but I really want to make sure that is what I want by asking the gurus on the boards.

What I kinda need right now is a mentor to look over the shoulder, point me in the right direction, give software advice, etc.

Last edited by bobtmasse; 10-15-2003 at 06:48 PM.
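The stateful, in-line firewall described under *Firewall above, as an added example that is not the poster's own configuration or any project's code: a script that generates an iptables-restore ruleset with default DROP policies, connection tracking so only replies and LAN-initiated traffic pass, a sanity check on the generated rules, and rate-limited logging of what is dropped. The interface names and the internal mail server address are assumed placeholders; mail relayed by the filter to Exchange leaves the box as its own OUTPUT traffic, so no DNAT is shown.

```shell
#!/bin/sh
# Added example: generate and sanity-check an iptables-restore ruleset for an
# in-line Linux firewall/mail filter. Interface names and the mail server
# address are constructed placeholders, not values from the thread.
WAN_IF="${WAN_IF:-eth0}"               # toward the SonicWALL / internet (assumed)
LAN_IF="${LAN_IF:-eth1}"               # toward the office network (assumed)
EXCHANGE="${EXCHANGE:-192.168.1.10}"   # placeholder internal Exchange address

# Print a complete ruleset: default DROP on INPUT and FORWARD, connection
# tracking, SMTP accepted for the box itself, SSH only from the LAN, and
# forwarding limited to connections the LAN initiates. Drops are logged.
fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Loopback and packets belonging to already-tracked connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# A new TCP connection must begin with SYN; anything else is malformed
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOGDROP
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j LOGDROP
# Services the box itself offers: SMTP from the outside, SSH from the LAN only
-A INPUT -i $WAN_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# The LAN may open outbound connections; nothing unsolicited is forwarded inward
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# Mail relayed from this box to $EXCHANGE is OUTPUT, which the policy allows
# Everything else: one rate-limited log line, then DROP
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Sanity-check the generated ruleset before it is applied: both filter
# chains must default to DROP and connection tracking must be present.
fw_check_rules() {
  rules=$(fw_rules)
  echo "$rules" | grep -q '^:INPUT DROP'   || return 1
  echo "$rules" | grep -q '^:FORWARD DROP' || return 1
  echo "$rules" | grep -q 'ctstate ESTABLISHED,RELATED' || return 1
  echo "$rules" | tail -n 1 | grep -q '^COMMIT$' || return 1
  return 0
}

# Load the ruleset atomically with iptables-restore when running as root;
# otherwise just print it for review.
fw_apply() {
  fw_check_rules || { echo "ruleset failed sanity check" >&2; return 1; }
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    fw_rules | iptables-restore
  else
    fw_rules
  fi
}

# Usage: ./fw.sh apply   (anything else only prints the rules)
if [ "${1:-}" = "apply" ]; then
  fw_apply
else
  fw_rules
fi
```

Because iptables-restore replaces the whole table in one step, a typo cannot leave the box half-configured with an open default policy, which is the usual failure mode of applying rules one `iptables -A` at a time.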
 
Old 10-16-2003, 03:32 AM   #2
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Where are you? It sounds pretty complex - maybe there's someone who lives nearby who could help out.

Since you are doing it for a company and it's a fairly complex piece of work, you might want to think about paying someone for support.
 
Old 10-16-2003, 12:50 PM   #3
bobtmasse
LQ Newbie
 
Registered: May 2003
Location: In front of the monitor
Posts: 16

Original Poster
Rep: Reputation: 0
I am in the Southern California area, little bit of a commute for you =)

This is a small company and I am the sole IT guy (sucks to be me in so many ways). I have already thought about bringing in a consultant for this, plus some teaching for me to understand what to do... unfortunately, I am at a point where I am begging management for $500 for a backup solution and they are having a hard time paying. Not exactly overflowing with cash.

I am going to start on a clean install of Slackware, secure the system, and then start adding packages only as needed for the services I listed above. I will probably have some gaps and errors, but I think it will be better than what is here now.
 
Old 10-19-2003, 03:30 PM   #4
banderson
Member
 
Registered: Oct 2003
Location: Salt Lake City, UT
Distribution: RedHat 9
Posts: 35

Rep: Reputation: 15
You could check out http://www.siliconvalleyccie.com/#Linux. It goes into good detail on quite a few of the services you are setting up.
 
Old 10-19-2003, 05:52 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,417
Blog Entries: 55

Rep: Reputation: 3627
IMHO you're about to put all your eggs in one basket and this could end up as a bad situation. If you *must* group services, I'd say this box could be a Firewall, Mail Forwarder and IDS in one. AFAIK a firewall is a firewall. Not a management centre and not a log prettifier. I'd say if you want pretty reporting, you could log to a remote syslog server and take it from there.

Mail.*\(JFTPGW\?\)
Not to disappoint you, but about everything from mail downwards is not a security forum question. Please search LQ and add such questions to the appropriate forum (mainly Linux - Networking Ic). In the case of mail try searching for Bayesian filtering like SpamAssassin threads, for remote desktops you could look at VNC over SSH. Instead of worrying abt Pr0n filtering, wouldn't it be easier to make ACLs for allowed sites if you got a few?
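Two of the suggestions in the reply above, as added example code that is not from the thread or from any of the projects named: the ssh command for reaching a VNC display only through an SSH tunnel (with VNC bound to loopback on the gateway), and a Squid allow-list so the proxy permits only a short list of sites. Host names, users, networks and domains are constructed placeholders.

```shell
#!/bin/sh
# Added example: VNC over SSH and a Squid allow-list ACL fragment.
# Every host, user, network and domain below is a constructed placeholder.

# Build the ssh command that forwards a local loopback port to a VNC display
# that listens only on the gateway's loopback interface. Display N listens on
# TCP 5900+N; the viewer then connects to 127.0.0.1:<local_port>.
vnc_tunnel_cmd() {
  gateway="$1"          # e.g. admin@gateway.example.invalid (placeholder)
  display="${2:-0}"     # VNC display number on the gateway
  local_port="${3:-5901}"
  remote_port=$((5900 + display))
  # -N: forward only, no remote shell; both ends bound to loopback so the
  # unencrypted VNC socket is never reachable from the network.
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
    "$local_port" "$remote_port" "$gateway"
}

# Emit a squid.conf fragment that lets the office network reach only the
# listed domains. Squid uses the first matching http_access line, so the
# "deny all" must stay last or it silences every allow rule above it.
squid_allowlist_acl() {
  lan_net="$1"; shift   # e.g. 192.168.1.0/24 (placeholder)
  echo "acl localnet src $lan_net"
  for d in "$@"; do
    # a leading dot matches the domain itself and all of its subdomains
    echo "acl allowed_sites dstdomain .$d"
  done
  echo "http_access allow localnet allowed_sites"
  echo "http_access deny all"
}

# Demonstration with placeholder values
vnc_tunnel_cmd admin@gateway.example.invalid 1 5901
squid_allowlist_acl 192.168.1.0/24 example.com example.org
```

The tunnel example pairs with a VNC server started so that it only accepts connections from localhost on the gateway; the SSH session then carries authentication and encryption that VNC alone does not provide. For the proxy, the allow-list approach replaces an ever-growing block list with a short, auditable set of permitted destinations.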
 
Old 10-21-2003, 01:09 AM   #6
bobtmasse
LQ Newbie
 
Registered: May 2003
Location: In front of the monitor
Posts: 16

Original Poster
Rep: Reputation: 0
Sorry, I know that a lot of the listing wasn't security directed... but I am interested in securely using those services and the box in general has to be secure.

The reason I am putting all the eggs in one basket has to do with the available hardware. I was planning on getting a firewall appliance and then adding the rest of the services to the Linux system, but the money has been cut for the one I had selected.

I had also thought that having the firewall, IDS, virus scanning, web filtering, and proxy all in one would be the best choice since it would be the main connection outside the company.

I use VNC on one of our NT 4.0 servers, although it is slow as a dog for the connection and really unstable. My issue is not remotely accessing the Linux box, that would never be a problem. I have a few users that wish to work from home, but the data they are working on is almost a terabyte and instead of traveling with this everyday between work and home, a remote access of their desktop at work would simplify things greatly. Something similar to the pcAnywhere gateway server, where you attach to the server and then select the inside network desktop to be forwarded to, but much more secure.

Thanks for the replies, I am still trying to get Slackware installed on the one machine I have at the office for this work, but the SCSI kernel doesn't see the i960 controller/drive for some reason. Will have to beat on it some more tomorrow.

Last edited by bobtmasse; 10-21-2003 at 01:11 AM.