When you've got a deployed server, run by clueful people, dedicated to a single task, firewalls are not the way to go.
Probably. And I would certainly rate "clueful people" _far_ above a firewall when it comes time to prioritize your security needs and resources.
What are you going to do with a firewall?
Compared to your average application, firewalls often have:
- better logging (more detail, adjustable, not on the vulnerable device);
- vendors focused on security;
- add-ons like IDS that can benefit from the superior logs;
- firewall admins focused on security and who do security every day;
- better response capability for unplanned/unanticipated security issues.
Choose a resilient and flame-tested daemon, and watch the patchlist for it.
You've never seen a security vendor come out with a patch or workaround before an application vendor?

--
Rob Quinn
(703)689-6582
rquinn @ sec.sprint.net
Sprint Corporate Security
Computer Incident Response Team
Opinions are _mine_, facts are facts.