In practice, the biggest difference between infected computers and non-infected computers appears to be the age of installed patches. The debate about AV/firewalls is a bit of a red herring.
On Mon, 20 Dec 2004, Fred Baker wrote:
> I guess my question is: why rely on a firewall at all? Yes, a firewall at ingress to a network will reduce the probability or effectiveness of an attack from "outside" in many cases. But in many cases the infection is from "inside", and in any event something in the network or in the end system at the edge of the network can only really address link and network layer attacks effectively.
Standalone firewalls (network/hardware firewalls) are useful administrative boundaries, but are limited security tools, especially in a world of mobile laptops and tunnels. Inside/outside is very blurry for most home users. Almost everything a home user does is "outside" the home network perimeter. The reality appears to be that network worms are only one vector for compromising a computer. I'm not sure network worms are even the most common infection vector today. Although I think standalone firewalls are a Maginot Line, I still perform the initial bootstrap and patching of new consumer-grade computers behind a standalone firewall. The options for dialup users are even more limited. However, the lack of patching seems to be a bigger problem for dialup users.
> I personally would far rather presume that the end system is responsible for its own security, and that there are security considerations at every layer. Reduce the incidence and track attacks with network-based tools, but in the final analysis build the applications and stack code to withstand attacks.
You are almost always safer turning off the service on the host, rather than letting the service run and trying to block access. Trying to figure out all the possible communication channels is very difficult. If you build your own system configuration, simply not installing or running unnecessary services eliminates both known and unknown vulnerabilities in those services. Some operating systems make it very difficult to discover what is running on the computer or to turn off unused services. Microsoft Windows has a bug in several versions of netstat, so you can't even rely on the vendor's own tools. An infected computer is still infected even if you block some access. Worse, the average user isn't very good at deciding what access to permit or deny. The problem is what do you do when your basic end system is untrustworthy and cannot successfully manage its own security?
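As an added illustration of the "turn the service off rather than block it" point (example code, not part of the thread): inventory what is actually listening on a Linux host from `ss -ltnp` output, flag anything not on the operator's own expected list as a candidate to disable, and show which of those are bound to every interface. The sample output and the allow-list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=633,fd=7))
LISTEN  0       50      0.0.0.0:445         0.0.0.0:*          users:(("smbd",pid=901,fd=38))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1040,fd=6))
"""

@dataclass(frozen=True)
class Listener:
    process: str
    address: str
    port: int

# Pulls the process name out of the `users:(("name",pid=...,fd=...))` column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')

def parse_ss(text):
    """Parse LISTEN rows of `ss -ltnp` output into Listener records."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # skips the header and anything that is not a listener
        addr, _, port = parts[3].rpartition(":")  # rpartition keeps "[::]" intact
        match = _PROC_RE.search(line)
        listeners.append(Listener(match.group(1) if match else "?", addr, int(port)))
    return listeners

def unexpected_listeners(text, allowed):
    """Listeners whose (process, port) pair is not in the operator's allow-list."""
    found = {l for l in parse_ss(text) if (l.process, l.port) not in allowed}
    return sorted(found, key=lambda l: (l.port, l.address))

def externally_reachable(listeners):
    """Subset bound to all interfaces, i.e. reachable beyond loopback."""
    return [l for l in listeners if l.address in ("0.0.0.0", "[::]", "*")]

if __name__ == "__main__":
    allowed = {("sshd", 22), ("nginx", 80)}  # constructed expected-service list
    extra = unexpected_listeners(SAMPLE_SS_OUTPUT, allowed)
    for l in extra:
        print(f"candidate to disable: {l.process} on {l.address}:{l.port}")
    for l in externally_reachable(extra):
        print(f"bound to all interfaces: {l.process}:{l.port}")
```

Disabling a flagged service removes the exposure entirely; a firewall rule in front of it only narrows one known path to it.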