_Everyone_ (network connected) should have a firewall.
Every network-connected device should have a security layer.
Firewalls provide a nice modular security layer and they
are cheap compared to the devices/networks that they protect.
When did the end2end nature of the Internet suddenly
sprout these mutant bits of extra complexity that reduce
the overall security of the 'net?
The security issue has always been there. You can either
build security into the network or into the endpoints.
Given that the Internet model is to keep complexity
out of the network and in the endpoints, the next
question is for site administrators to ask themselves,
do I manage *MY* network, like the Internet, or do
I manage it like an endpoint? If the answer is to
treat it as an endpoint, then it is quite appropriate
to install a firewall as a gateway between the network
and the Internet.
Consider that many endpoints in today's world now
encapsulate networks within a single physical
device. Routers, switches, cellphones, cars and
any embedded device using I2C. Just as the distinction
between a router and a switch has been blurred by
the advance of technology, so too has the distinction
between an endpoint and a network.