An Example, portal.adams.edu:
For internet traffic to get to portal, it takes the following path:
internet
1) State router, filters and packet checking are possible here
2) ASC router, filters and packet checking are possible here
3) ASC firewall, filters, packet checking, and packet mangling are possible here
4) ASC router, see #2
5) portal packet filter rules, see #3
6) portal tcp wrapper rules, can be different than the rules of #5
If traffic reaches an actual running daemon on portal, like the Apache web server, the daemon itself can apply further restricitions of it's own such as IP based access rules and password requirements.
In the case of Apache, if an attacker were to break it, they could run commands at the privilege level of the Apache daemon, in this case a very restricted user level. If someone cracks in through Apache or another daemon other protections come into play such as file ownerships and permissions, software update levels, suid program checks, shadow files, wheel group, tripwires, and possibly even a chroot environment.