> > And I think you have hit it right on the head... another line of defense.
> Everything I've ever read about security (network or otherwise) suggests
> that a layered approach increases effectiveness. I certainly don't trust a
> firewall appliance as my only security device, so I also do prudent things
> like disable ports and applications that are not in use on my network and
> enforce authentication and authorization for access to legitimate services.
Unfortunately, it decreases it. If I turn off file sharing on a Windows server, I'll increase security but complicate support (in some cases). If I run an IDS system, I spend time verifying and approving changes made by maintainers. And so on. So it is very important to have a strong FIRST line of defense (inbound firewalls) and last line (host IDS); it allows you to bring a little more efficiency by keeping convenient (but not very secure) protocols inside your internal network. Otherwise, you end up in full paranoia.