> I think the other point that may be escaping some people is that as more and more connections take on this VPN-like quality, as network operators we lose any visibility into the validity of the traffic itself.

As the network operators, we move bits, and that is what we should stick to moving. We do not look into packets and say "oh look, this to me looks like evil application traffic", and we should not do that. It should not be the goal of the IS to enforce policy for the traffic that passes through it. That type of enforcement should be left to the ES.

> Imagine how much more painful SQL Slammer would have been if all the traffic was encapsulated in port 80 between sites, and only hit port 1434 locally?

How do you know which traffic is good and which traffic is evil?

> At least today, we can decide that 92 byte ICMP echo-request packets are invalid, and drop them; or that for the most part, packets destined to port 1434 should be discarded as quickly as possible.

How does your IS know what a _particular_ ES uses port 1434 for?

Alex
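As an added illustration of the exchange above (not part of the original thread), the Python below models the two header-only rules mentioned, applied by a transit IS to constructed packets. It assumes "92 byte" means the IPv4 total length (20 IP + 8 ICMP + 64 payload); addresses, ports and payload bytes are made up here. It shows the limit Alex raises: the IS cannot distinguish an ES that legitimately uses UDP/1434 from worm traffic, while the same bytes carried over TCP/80 pass untouched.

```python
import struct

ICMP, UDP, TCP = 1, 17, 6
ECHO_REQUEST = 8


def ipv4(proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) around payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])) + payload  # constructed addresses


def udp(dport, data):
    """UDP header: sport, dport, length, checksum (zero)."""
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data


def tcp(dport, data):
    """TCP header with data offset 5, PSH|ACK, no options."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data


def icmp_echo(data):
    """ICMP echo-request: type 8, code 0, checksum (zero), id, seq."""
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 1, 1) + data


def transit_verdict(pkt):
    """What an IS can decide from L3/L4 headers alone: the two rules from the post."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == ICMP and l4[0] == ECHO_REQUEST and total_len == 92:
        return "drop: 92-byte ICMP echo-request"
    if proto == UDP and struct.unpack("!H", l4[2:4])[0] == 1434:
        return "drop: UDP/1434"
    return "forward"


def run_samples():
    """Constructed sample packets; the payload bytes are placeholders, not real worm data."""
    data = b"constructed application payload"
    samples = {
        "icmp_echo_64B_payload": ipv4(ICMP, icmp_echo(b"\xaa" * 64)),   # 20 + 8 + 64 = 92 bytes
        "udp_1434_worm_like":    ipv4(UDP, udp(1434, data)),
        "udp_1434_legit_app":    ipv4(UDP, udp(1434, data)),             # same port, legitimate ES
        "same_bytes_over_tcp80": ipv4(TCP, tcp(80, data)),               # encapsulated, passes the IS
    }
    return {name: transit_verdict(pkt) for name, pkt in samples.items()}
```

The legitimate and worm-like UDP/1434 samples receive identical verdicts because the IS only sees the port, not what the ES behind it uses that port for.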