Policies for Securing the edge

All,

Looking for some guidence/policy/best practices ideas for securing primary
inbound internet traffic.  I posted here because I'm more interested in
setting policy and not the specific technical details.  This is prompted by
my initial investigation into upgrading our infrasturcture and having to sit
down and define what I expect these devices to do or specifially perform and
determine which vendor performs those functions the best.

For example:

Edge Router:  Do we look at the edge router as more of a performance based
device rather then a security device and rely on the enterprise firewall to
perform primary security functions?  Given a "best of breed" firewall, what
should I expect my edge router to do? Should I only expect it to do address
filtering and other fundamentals or look more towards managing half-open
sessions (rates & numbers) or udp sessions and how long they should be
allowed to be opened etc...

Firewall:  If I have a "best of breed" firewall, is centralizing security
into this box and maximizing its use more productive and allow the edge
routers to just pass traffic as fast as possible. 

IDS: same kind of issues. 




What kind of policies have you set that define what the role of the edge
router/firewall/ids/internal routers to ensure threats are mitigated.  There
is (can be) overlap on the fuctions of all these devices i.e., running a
firewall feature set on the edge router.

Thanks for any insight..  sorry if I rambled.

-jeff