A recent post on the Firemon blog got me thinking again about the arguments for and against firewalls. Public cloud computing (IaaS and PaaS) has changed the situation: a strong firewall cannot always sit in front of every single server, and this seems to align with what I know of the Jericho Forum's positions on network security. I still like firewalls as a tool where possible, and here is why.
When implementing servers, even systems that do not face public networks, one of the hardening steps I like to take is to implement as much access control and monitoring as I can. Among the things I do are enabling on-host packet filtering so that only necessary network services are exposed, allowing only certain user groups to authenticate to the system, enabling logging and monitoring, and making sure no unnecessary services are running. This is good security posture at the individual host level, but it is only one or two layers of the security onion.
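One way to check the "only necessary services are exposed" part of that host-level posture is to compare what is actually listening on non-loopback addresses against an explicit allowlist. The script below is an added example, not code from the original post; it assumes `ss -Hltn` output with the columns State, Recv-Q, Send-Q, Local, Peer, and the sample lines it audits are constructed.

```shell
#!/bin/sh
# Added example: audit which TCP listeners a host exposes beyond loopback and
# flag any whose port is not on an explicit allowlist. Assumed input format is
# that of `ss -Hltn` (State Recv-Q Send-Q Local Peer). Against a live host:
#   ss -Hltn | audit_exposed_ports "22 443"

# Constructed sample: sshd on 22, a web server on 443, a loopback-only redis,
# and an unexpected listener on 0.0.0.0:8080.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*'

# audit_exposed_ports "PORT PORT ..."   (reads ss output on stdin)
# Prints one line per non-loopback listener whose port is not allowed;
# returns 1 if any such listener was found, 0 otherwise.
audit_exposed_ports() {
    allowed=" $1 "
    rc=0
    while read -r state recvq sendq local peer; do
        [ "$state" = "LISTEN" ] || continue
        addr=${local%:*}     # strip the trailing :port
        port=${local##*:}    # keep only the port
        # Listeners bound to loopback are not reachable from the network.
        case "$addr" in
            127.*|'[::1]') continue ;;
        esac
        case "$allowed" in
            *" $port "*) ;;                      # on the allowlist
            *) echo "UNEXPECTED $local"; rc=1 ;;  # exposed and not expected
        esac
    done
    return $rc
}

# Runs the audit over the constructed sample with the given allowlist.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | audit_exposed_ports "$1"
}
```

A non-zero exit makes the check usable from a configuration-management run or a cron job that alerts when a new service appears.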
Implementing firewalls and DMZ areas in a network enforces security boundaries and forces network designers to think about vulnerabilities and security profiles of different systems involved in a datacenter. By the nature of firewalls, this enforces chokepoints in a network architecture. Systems with different services and security profiles ought to be isolated in an organization's network for better control, monitoring, and management.