More about the architecture

I have to admit I am a little bit lazy now.. I copy this text from one of an internal AppGate paper....but I do this to show that it is not that complicated to build a more secure and cheaper architecture for security. The base of the solution is that a user should never see any resources on the network before he or she is properly checked and indentified...to use a new world expression...the firewall is a part of the access system.
1. User finds a machine and connects to an AppGate Security Server.
2. The user is authenticated; ideally, the user should only have to log in once to the system (‘single sign-on’) which is possible for many services.
3. The AppGate Security Server checks availability of possible services (authorisation) for the user. Availability may depend on many different parameters for example based on authentication method being used and the user’s physical location.
4. The system provides the user with information about service availability and the user selects a role depending on what he/she wants to do (this step can be optional and all access could be completely transparent for some users)
5. The AppGate Server will allow authorised users access to requested services while blocking all access to unauthorised users. This makes internal services completely invisible for all unauthorised users regardless of who they are and their physical location .
6. Traffic is normally encrypted to provide message integrity and/or confidentiality over the networks. This step actually makes it possible to use both internal networks and the Internet for transport and makes the borderline between them less important.