Firewall recommendations for a busy Web server

What kind of firewall would you recommend for a government organization's Web servers that can expect tens of thousands of attacks in any given day? (Price is not an issue.) We plan to host on IIS using ASP, and Windows 2003 and IIS 6.0.

Without a lot more information about your needs and environment, it's impossible to provide a meaningful recommendation. Also, many books have been written to answer these questions so I can barely even scratch the surface here. I would very strongly suggest you find a qualified information security consulting firm to evaluate your project's needs and assist you with design and implementation. Proper firewall configuration is not plug and play, nor is it as simple as it may seem. Likewise, IIS is very tricky to secure and keep secured.

Implementing a defense in depth is critical. One layer of security, such as a firewall, will never be 100% secure. The more layers you have the less likely an attack will penetrate them all, so after you design the firewall architecture you will want to consider both network and host-based intrusion-detection systems (IDS) and intrusion-prevention systems (IPS). A properly configured network based IDS (such has Snort) on the DMZ segment with your Web server will alert you if potentially malicious traffic manages to get though your firewall, while a host-based IDS (HIDS) will alert you of potentially malicious events on the Web server itself. Network or host-based IPS try to identify and prevent malicious traffic instead of just detecting it as an IDS does.

Compartmentalization is another layer of defense. Any publicly accessible services, such as your Web server, should be hosted on a DMZ or "service network." This network is separated from the rest of your environment by either another firewall (ideally running a different firewall product and different operating system) or another interface on your main firewall (often called a "three-legged" firewall). Be very strict about the traffic allowed from the Internet to the Web server and from the Web server into the rest of the network. Also, do not place the database on the same server as the Web server. The goal of compartmentalization is that if the Web server is compromised, only that server and potentially the service network is at risk -- the rest of the environment, especially your important database, is relatively safe behind the firewall.