The answer depends on the type of application, sensitivity of data, compliance requirements (HIPPA, PCI, etc.) and InfoSec requirements. Firewalls should always be place in the path while traversing from a lower security zone and a higher security zone. Having a DLP solution is a must. Firewalls and IDS/IPS should be place in the DMZ to filter any unwanted traffic. It would be ideal for none of these solutions to be a choke point in the network though.

Determining the right level of network security protection involves balancing security needs with business priorities, operational impact, and risk tolerance. Here’s an approach I would take: Risk Assessment and Asset Prioritization Compliance and Regulatory Requirements Threat Landscape and Attack Vectors Cost-Benefit Analysis Testing and Monitoring This approach allows for a flexible, data-driven decision about security, balancing protection, and practicality while aligning with business goals and available resources.

The starting point is all about the business. If the security impacts negatively on customer experience and how business is transacted then you’ve failed. There are many ways to skin this particular cat. But look at your customer path and experience, then at the data, where it is at rest and does it need to be encrypted. Then data in transit and does that need to be encrypted. How much segmentation is required (to prevent contagion)? Is zero-trust required? Be deliberate, make sure every layer of security you add has a purpose and doesn’t impact on the bottom line.

let's begin with those points which don't involve any extra cost and overlook my many firms. -Protecting your Public subnets by updating them in APNIC database, Hardening infra. ACL. -hardening security rules using filter like app-id,user-id. -Protect your SSL VPN by using strong ciphers whether you are using internal\external CA. -Enable MFA to access any device in network. -For Wireless security make sure you are using strong authentication protocols or method. In order to balance the cost with security -You can send you critical data to DC Firewall and purchase the feature's like Threat\Content inspections', SSL Decryption -purchase cloud based security solution for DDOS protection and DNS flooding to mitigate the attacks.

There are few factors to consider with network security. Thoroughly risk management is needed to assess the vulnerabilities. Even after taking necessary precaution and security checks, continuous monitoring is needed, because on daily basis vulnerabilities are increasing. Also, most important thing to take note is antivirus enabled, ensure its fully functional with firewalls being enabled on the endpoints. MFA is other factor which organizations are neglecting due to extra add on their self. Apart from this I would say obviously enterprise firewall and other security configurations needs to be enabled and monitored