Unique ssh/sftp requirement

I have a unique ssh/sftp requirement. I have two networks
separated by a firewall. I would like to allow anyone on my "internal"
network to ssh to my "external" network but I would like to control who
is allowed to sftp/scp files from my internal network to my external
network. How can I do this? Is there a way to do this if my firewall
doesn't support controlling such an activity? Will setting up some kind
of internal proxy/port forwarding server do the trick?

The version that I am using is:
OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
HP-UX Secure Shell - A.04.00.000

Thanks for your help!
Jim O'Daniel
Unix Systems Administrator Northrop Grumman