need to have:
external access to internal network
external services available
for webpages, https only
all open-source software and network devices, so that there are no unknown back doors; when a security flaw is found, it can be fixed
ideally, keep the number of open ports below 1024 on the external side to a minimum. Most automated scans look at ports 1024 and below, since that's where the vulnerable ports are
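A quick way to check the two external-side requirements above (https only, few privileged ports exposed) is to audit what a host actually listens on. This is an added example, not part of the original notes; it parses constructed `ss -ltn` output for a hypothetical host and reports privileged ports reachable on non-loopback addresses.

```python
# Added example (not from the original notes): audit which privileged ports
# (< 1024) a host exposes on non-loopback addresses, from `ss -ltn` output.
from dataclasses import dataclass

# Constructed sample of `ss -ltn` output for a hypothetical host (not real data).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:8443            [::]:*
LISTEN  0       4096    127.0.0.1:9200       0.0.0.0:*
"""

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    @property
    def loopback_only(self) -> bool:
        return self.address.startswith(LOOPBACK_PREFIXES)

def parse_ss(output: str) -> list[Listener]:
    """Parse the Local Address:Port column of `ss -ltn` into Listener objects."""
    listeners = []
    for line in output.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # rpartition copes with [::]:port
        listeners.append(Listener(addr, int(port)))
    return listeners

def exposed_privileged_ports(listeners: list[Listener]) -> list[int]:
    """Ports below 1024 reachable on a non-loopback address, sorted."""
    return sorted({l.port for l in listeners if l.port < 1024 and not l.loopback_only})

def audit(output: str) -> dict[str, object]:
    """Report findings against the notes: https only, few privileged ports exposed."""
    exposed = exposed_privileged_ports(parse_ss(output))
    return {
        "exposed_privileged": exposed,
        # Plain HTTP on port 80 conflicts with the "https only" requirement.
        "plain_http_exposed": 80 in exposed,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SS_OUTPUT))
```

Services bound only to loopback (3306, 9200 in the sample) are not reported, since they are not reachable from the external side.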
internal network:
IDS: snort, which looks for unusual activity