What are the current thoughts about firewalls and Internet security? The problem is that the complexity of trying to maintain those perimeters, DMZs and firewalls is increasing. Massive firewall complexes with swiss-cheese rules, and huge network perimeters with numerous external access points, are very difficult to manage.

Although many of the oldest firewall creators have long pointed out the limitations of firewalls, currently practicing security consultants rely mostly on Internet security designs with firewalls, DMZs and defined perimeters. This may be partly because some security consulting firms are also VARs for firewall vendors; but I don't think it's that simple.

Currently my favorite summary of the issues, and one potential alternate security design, is:

Network Security Credo
T. Gray, et al., University of Washington
http://staff.washington.edu/gray/papers/credo.html

What may be more interesting to NANOG is: what should be the model Internet security architecture for public network operators? How do you define a security perimeter? Should ISPs install firewalls at every external Internet connection? Is there a difference between carrier-grade security and enterprise-grade network security requirements? Is the Orange Book really dead?