There is a single perimeter firewall, which treats the inside of the network as just as hostile as the outside. If you are using one of the DMZ hosts inside, you may notice that you cannot connect to just any outside port you wish. Non-DMZ hosts do not have this restriction, of course.
Every DMZ host has an additional host-based firewall.
Nearly all traffic to and from the network is encrypted in some way. The only protocol that doesn't have encryption enabled is DNS.
All system files are checked against hashes of known-good versions nightly. If anything does get through, we will know very soon.
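As an added example, not part of the original text, here is a minimal version of the nightly integrity check described above: a baseline of known-good hashes is built, stored, and later compared against the live tree to report changed, missing and unexpected files. SHA-256, the JSON baseline format and the constructed sample tree are assumptions, not details of the network being described.

```python
"""Nightly file-integrity check: compare a tree against a baseline of known-good SHA-256 hashes."""
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed so large system files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file (POSIX path relative to root) to its hash; symlinks are skipped."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }

def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose hash changed, files missing from disk, and files absent from the baseline."""
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then alter it and re-check (assumed sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline_json = json.dumps(build_baseline(root))  # what the nightly job would store off-host

        # Simulated changes since the baseline: replaced binary, deleted config, extra file dropped in.
        (root / "bin" / "ls").write_bytes(b"modified ls binary")
        (root / "etc" / "passwd").unlink()
        (root / "bin" / "sh.bak").write_bytes(b"not in the baseline")

        return compare(json.loads(baseline_json), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline must be stored where a compromised host cannot rewrite it, otherwise the check only confirms the attacker's own edits.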