The problem is that you cannot "firewall" the networking protocols. Okena and other products like it make a good attempt at stopping attacks, but they are outrageously expensive for the most part.
I'd argue... many vendors (Okena aka Cisco, BlackICE aka ISS, etc.) provide integrated corporation-wide mechanisms for enforcing group firewalling, access and logging/IDS policies on workstations or groups of workstations (and, why not, also servers).
I'm arguing that more thinking and planning needs to go into the networking part of the equation (not TCP/IP but file sharing/authentication protocols).
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html