Wong,
Using the bastion host paper that Michael provided a link for also includes a "white" paper for 10.20:
http://people.hp.se/stevesk/Using it with the combination of the other ideas posted here will help you "protect" your hosts. When providing any kind of internet products, it's also a great idea to have not only a fire wall on the outside (facing the internet before your servers), but also behind your internet servers (before it hits your corporate lan). Your internet area is usually called a DMZ. Here we have two different vendors, a Cisco pix on the outside, bastion hosts (see the link above) and then a Checkpoint or a Raptor (depends upon the app) firewall on the backend, plus our routers filter the crap out of things. We use VERY direct routes, meaning every connection from the DMZ back to the corporate lan has static routes, not only on the HP servers, but also within the routers, and firewalls. It's also very important to limit the ports that are open. the fewer the number of ports open (like 80 - http and 443 - https) the more you can CLAMP down.
live free or die
harry
Live Free or Die
