Probably the most important way to protect a private network while still offering services to the public Internet is a perimeter network. Often called a De-Militarized Zone (DMZ), it is a separate network segment that sits between the Internet, and the attackers on it, and your internal network; the public-facing servers live there, so an attacker who compromises one of them has not yet reached anything internal.
The previous diagram shows two architectures. The traditional design uses two firewalls with the perimeter network placed between them. If the external firewall, which is exposed directly to the Internet and to attack, is compromised, the attacker still has to get through the internal firewall before gaining access to systems on the internal network. Experience has shown that compromise of the firewall itself is uncommon enough that a single firewall can be used with acceptable risk, as shown on the right; in that design the one firewall separates all three networks (Internet, perimeter, and internal), so its rules must enforce the same boundaries that the two firewalls enforce separately. The dual-firewall architecture is still preferred for high-security environments.
In both designs, the only systems reachable from the Internet are those on the perimeter network, and those servers must not have any access to internal servers through the firewall. Internal systems may open connections to perimeter systems (a stateful firewall then admits the reply traffic of those connections, so communication on them is two-way), but a perimeter server must never be able to initiate a connection to an internal system. This is what keeps a compromised perimeter server from being used as a stepping stone into the internal network, so the firewall rules should be checked for any accept rule whose source is the perimeter network (or the Internet) and whose destination is internal.
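The policy in the two preceding paragraphs, as an added example that is not code from the original page: a small Python model of zone-based firewall rules with connection tracking, a function that routes a packet through the two-firewall design of the diagram (including the case where the outer firewall is compromised), and an audit that flags any rule letting a perimeter host initiate a connection inward. The address ranges, rules, host addresses and port numbers are constructed for illustration and are assumptions, not taken from the page.

```python
"""Added example, not code from the original page: a model of the
perimeter-network policy described above. It evaluates packets against
zone-to-zone rules with connection tracking, routes them through the
two-firewall design, and audits a ruleset for rules that would let a
perimeter host initiate a connection inward. All addresses, rules and
ports are constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed address plan (assumption): the DMZ and internal ranges are
# ours; any other address is treated as the Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(addr: str) -> str:
    """Name of the zone an address belongs to ('internet' if none match)."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int | None  # None matches any destination port
    action: str        # "accept" or "drop"


@dataclass
class Firewall:
    """Stateful zone firewall: first matching rule wins, default drop.
    Accepted connections are recorded so that their reply packets pass
    without needing a rule in the reverse direction."""
    rules: list[Rule]
    conntrack: set[tuple[str, int, str, int]] = field(default_factory=set)

    def packet(self, src: str, sport: int, dst: str, dport: int) -> str:
        flow = (src, sport, dst, dport)
        if flow in self.conntrack or (dst, dport, src, sport) in self.conntrack:
            return "accept"  # belongs to an already-accepted connection
        sz, dz = zone_of(src), zone_of(dst)
        for r in self.rules:
            if r.src_zone == sz and r.dst_zone == dz and r.dport in (None, dport):
                if r.action == "accept":
                    self.conntrack.add(flow)
                return r.action
        return "drop"


# Constructed rulesets. OUTER sits between the Internet and the DMZ, INNER
# between the DMZ and the internal network. INNER deliberately has no rule
# with the DMZ or the Internet as source and "internal" as destination.
OUTER_RULES = [
    Rule("internet", "dmz", 443, "accept"),
    Rule("dmz", "internet", None, "accept"),
    Rule("internal", "internet", None, "accept"),
]
INNER_RULES = [
    Rule("internal", "dmz", None, "accept"),
    Rule("internal", "internet", None, "accept"),
]


def dual_firewall(outer: Firewall, inner: Firewall, src: str, sport: int,
                  dst: str, dport: int, outer_compromised: bool = False) -> str:
    """Pass a packet through each firewall on its path between zones.
    A compromised outer firewall is modelled as accepting everything."""
    sz, dz = zone_of(src), zone_of(dst)
    if "internet" in (sz, dz) and not outer_compromised:
        if outer.packet(src, sport, dst, dport) != "accept":
            return "drop"
    if "internal" in (sz, dz):
        return inner.packet(src, sport, dst, dport)
    return "accept"


def audit(rules: list[Rule]) -> list[Rule]:
    """Accept rules that let a non-internal zone initiate toward internal."""
    return [r for r in rules
            if r.action == "accept" and r.dst_zone == "internal"
            and r.src_zone != "internal"]


if __name__ == "__main__":
    fw_out, fw_in = Firewall(OUTER_RULES), Firewall(INNER_RULES)
    # With the outer firewall compromised, the inner one still drops an
    # attempt from the Internet straight to an internal host.
    print(dual_firewall(fw_out, fw_in, "198.51.100.7", 40000, "10.0.0.5", 22,
                        outer_compromised=True))
    # A mistaken rule letting the DMZ web server reach an internal database:
    print(audit(INNER_RULES + [Rule("dmz", "internal", 5432, "accept")]))
```

In the single-firewall design of the right-hand diagram, the same `audit` check applies to the one combined ruleset: the invariant that no accept rule has the perimeter or the Internet as source and the internal network as destination is what the model enforces, whichever number of firewalls implements it.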
So, now you have your system properly firewalled. As mentioned previously, you will still be attacked, and eventually compromised. The next section deals with how to detect both the attempts and any compromise as soon as possible.