My comment was originally prompted by the meeting minutes which reported on the survey data showing that 100% of carriers are implementing firewalls in their gateways. The 100% is what caught my eye. As the topic comes up in various places, large ISPs repeatedly say they are unable to implement filters or packet screening on their high-speed links such as at peering points. So the self-reported 100% implementation of screening and filtering firewalls at gateways didn't seem to jive with my understanding of the limitations faced by large ISPs. Firewalls can be a useful tool in the security engineer's toolbox. But they get misused a lot. I don't believe security engineers are better programmers. If there was a class of programmers in the world that didn't make mistakes, I would hire them to write the applications. When the firewall is more complex than the application server it is "protecting" which is likely to have more mistakes?