Divide the network according to the security levels required by the different users and resources.
This also grants you better control of the security of the network, for example by concentrating the control resources on the most important areas.
The objective of firewalls is to filter incoming traffic to find out whether or not the traffic should be allowed into your internal network, like a gatekeeper. A firewall on each network boundary and host-based firewalls will reduce the exposure to attacks.
To protect your internal network from the internet you should have a correctly configured and up-to-date firewall on each network boundary. Workstations and servers with direct internet connection should have a host-based firewall installed. These host-based firewalls only protect the single device on which it is configured. If installation of a host-based firewall is not possible on certain devices, the reason why should be given.