[ale] slightly OT: network structure
jenn at colormaria.com
Wed Feb 13 17:05:10 EST 2002
I've been asked to put a Win2000 box that I will not manage in my cabinet at
our co-lo facility. I'm considering putting this box in my DMZ with my
email and DNS servers and I'm wondering if anyone who has managed a
mixed-environment network could help me ensure that, should this machine run
amok, it won't hurt my other boxen?

I have a Linux box acting as a gateway between the co-lo network and my DMZ.
The DMZ servers all run iptables firewalls, have unnecessary services turned
off, and are as securely set up as I can make them. In the DMZ is a
firewall/NAT machine that protects some other servers. Is this enough to
protect my DMZ machines should the Windows box get compromised in some way?

Should I put it on my private network and run NAT for its services? I've
considered also replacing the initial Linux gateway with a Cisco or other
brand managed switch, and attempting some sort of VLAN, but I'm not
convinced this would make things better...and be a learning curve to boot.

What do you folks do in a situation like this? The admin for this machine
has already agreed to follow the NSA guidelines for locking down a Windows
machine, and anything else I can find for him. All help is, as always,
appreciated.
TIA
jenn
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.