I have a customer that has a Microsoft IIS web server behind their firewall. Recently they were rootkitted and we had to format the server. If we had a choice we'd use open source, peer-reviewed software, but a vendor has mandated Windows and IIS as the solution. I'd like to improve the security of the system by locking out all but authorized users (it isn't a public website). Using IIS' internal authentication doesn't prevent many of the known attacks, so my thought was to authenticate at the firewall.

So here are the questions (you knew they were coming, right?):

I know m0n0wall has an authentication system designed for use as a wireless hot spot. Can this be used on an external (untrusted) interface to allow traffic in?

Does this authentication method work over SSL, and if it does, can I also allow my HTTP traffic in over SSL on the same IP address once authenticated, or do I need to assign a second IP to allow a second SSL stream?

Would I be best to put m0n0wall outside our existing firewall (side by side) or leave it behind our existing firewall and port forward to m0n0wall? I know that putting an interface outside has its risks, but I'm guessing the HTTP server inside m0n0wall is going to be much more secure than IIS any day. (FreeBSD is peer reviewed!)

Are there any security risks with putting the authentication page on the public Internet, more so than in a wireless hotspot setup?

When a user authenticates, does that authentication apply to their perceived IP address? In other words, if they are behind a NAT, will all users behind that NAT be allowed access once one user authenticates? This is acceptable to me because it still reduces our exposure compared to "all the addresses on the Internet" having access, and our regular application security will still be in place.

Any other comments on these ideas are welcome. I understand up front that IIS stands for Insecure Infiltration System and we should replace it, so you can gleefully save those keystrokes.

Thanks in advance, Mike