Here Marcus says also that he does not agree with the approach of De-Perimeterisation (moving the firewall from a centralized position to each host).
I admire him and respect him a lot, but I see that he can't imagine a world wihout firewalls, being one of the fathers of the firewalling technology….
But that's provoking. I mean it's just a tease to say that we don't need firewall at all.
Firewall is still necessary, but it will slowly loose its centrality, that's more the point, IMHO.
Attacks will and DO happen more at the application level only, to the point where you pass THOROUGH a firewall anyway, with those ports that are open everywhere (HTTP anyone ?).
So we should harden the machine and protect them LIKE IF there was no firewall.
I do like the De-Perimeterisation instead, like Steve riley says in the "death of the DMZ" (Italian Article/Translation here – Original Speech here).
Sure, ONLY taking care of the data is not enough, and the problem of Transitive Trust he mentions makes sense.
But again, ask 100 to get 10. If you push it to the extreme limit (=no firewall at all) you maybe get people to HARDEN their machines finally.
Then if you got both (hardening AND firewalls)…. well, that's better.
I think at the end of the day what really counts is INCREASING the security measures TO THE HOST level…. so you don't *just* rely on a firewall like many corporations have been convinced to be able to do for years… while being wide open in the soft center with a crunchy shell….