This isn't so much a tutorial, as it is a concept. If the moderator here wants to move this thread, feel free.

How many times has your manager come to you and said something to the effect of "We have a firewall, we're secure!"
Security is not a product. It is a process. Security is not a series of products, it's a constant battle.

Just as the OSI model has layers that define communications, security is best practiced in layers.

Defense in Depth is the practice of protecting your network and assets in layers. The goal is to ensure you achieve confidentiality, Integrity and Availability at every layer. I've defined 6 simple layers in my outline of defense in depth; 7 if you include physical security(which I didn't get in to depth about in this document). I've listed several common defenses that can be utilized for each of the layers I've defined. I've had to trim down the document in order to make this public.

The layers I've outlined are:
Data
User
Host
Network
Perimeter
External
Physical

Physical security transcends every other layer of security that can possibly be implemented.
Attached is a trimmed down document that I've created as a basic guideline for network administrators where I work. It's not all inclusive but it's designed to get the admins and their managers thinking about security as a process and not a single product. As I said, this list is not all inclusive, so please dont tell me things are missing. I know they are missing and that's by design. Feedback is welcome.