As much as I hate to get tangled up in these debates, I believe I may have a new personal favorite for the role. My nominee? The desktop firewall.
Originally designed for home users with high-bandwidth, "always-on" connections who could not afford a dedicated stand-alone firewall, my nominee is a user-friendly, inexpensive piece of software that resides in individual desktop machines. Much like the traditional perimeter firewall, it monitors network traffic arriving at or leaving the machine in question, blocking any that doesn't meet a predefined rule set.
Savvy business users quickly seized on this consumer app as a useful tool for mobile users (and to a lesser extent, telecommuters) who operate outside the corporate network's defenses. The real strengths of host-based firewalls don't become apparent, though, until they are deployed throughout the enterprise.
Perhaps the most obvious benefit host-based firewalls bring to the table is defensive depth. No longer are barriers limited to the network perimeter; now each machine has its own individual protection against attack. Much like a burglar breaking into a house in which every door is padlocked, the network intruder faces a difficult, frustrating and time-consuming target. Even more important, insider attackers—who previously faced little or no resistance—suddenly have a whole new set of problems.
Placing defenses on the host carries less obvious advantages, as well. Its close interaction with the host operating system allows the desktop firewall to look at the interaction between network traffic and local software. That gives administrators a great deal of power to tighten their security by limiting network access to specific apps. Because they can act as network traffic's "last stop" before the application, desktop firewalls also can examine VPN traffic after it has been decrypted.
I do have two brief caveats. First, vendors are only just beginning to package desktop firewalls for the enterprise, and as a result, central administration tools are still somewhat limited. PGP is particularly good in that regard, but all of the products I've seen have a ways to go.
More importantly, it is absolutely critical to remember that these products are a supplement to—and not a replacement for—your perimeter firewalls. To misquote Churchill, the idea is to "fight at the firewall, fight at the router and switch, fight at the desktop."