As close to the data as possible!
Yesterday's post from Erik reminded me of a paradigm that came up when I implemented the SSH Tectia Suite: the question of where to do security properly. The answer is as close to the data as possible.
The problem with today's corporate networks is that the "enemy" is already inside. So many people (internal and external) connect to a company's network that the perimeter firewall has become almost irrelevant. This effect is called deperimeterization.
Firewalls have the false reputation of protecting everything. But with so many people having access to both sides of a firewall, it provides far less security than that reputation suggests.
What could be a new approach? The Jericho Forum (a security-focused group) says: "Individual Hosts should be able to defend themselves".
I certainly agree with that. Most operating systems ship with an integrated host firewall that is just waiting to be activated. Many applications provide extended authentication features and encryption (e.g. TLS/SSL). And not to forget the SSH protocol for managing the operating system instead of telnet.
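What "a host that defends itself" looks like in practice, as an added example that is not part of the original post and not code from the SSH Tectia Suite: a small POSIX shell helper that generates a default-deny nftables ruleset for a single Linux server. It assumes nftables is the host firewall, that management SSH comes from one network (the 10.0.0.0/24 CIDR below is a placeholder), and that every other listening service is named explicitly; anything not listed, telnet included, is dropped and logged at the host itself, regardless of what the perimeter lets through.

```shell
#!/bin/sh
# Added example: per-host default-deny firewall with nftables (assumed available).
# gen_host_ruleset MGMT_CIDR PORT...  prints a ruleset to stdout.
gen_host_ruleset() {
    mgmt="$1"; shift
    printf '%s\n' \
        'table inet host_defense {' \
        '  chain input {' \
        '    type filter hook input priority 0; policy drop;' \
        '    ct state established,related accept' \
        '    ct state invalid drop' \
        '    iifname "lo" accept' \
        '    ip protocol icmp accept' \
        '    ip6 nexthdr icmpv6 accept'
    # SSH only from the management network; the host does not trust "inside".
    printf '    ip saddr %s tcp dport 22 accept comment "ssh from management net only"\n' "$mgmt"
    # Each application port must be listed explicitly (allow-list, not deny-list).
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_host_ruleset: bad port '$p'" >&2; return 1 ;;
        esac
        printf '    tcp dport %s accept comment "application service"\n' "$p"
    done
    # Everything else falls to the drop policy; log a rate-limited sample of it.
    printf '%s\n' \
        '    limit rate 5/second log prefix "host_defense-drop: "' \
        '  }' \
        '}'
}

# apply_host_ruleset MGMT_CIDR PORT...  writes the ruleset and loads it with nft.
# Needs root; prints the file path only if nft is not installed (dry run).
apply_host_ruleset() {
    f="${TMPDIR:-/tmp}/host_defense.nft"
    gen_host_ruleset "$@" > "$f" || return 1
    if command -v nft >/dev/null 2>&1; then
        nft -f "$f"
    else
        echo "nft not found; ruleset written to $f"
    fi
}

# Example: web server managed from 10.0.0.0/24 (placeholder), serving 443 only.
# gen_host_ruleset 10.0.0.0/24 443
```

Load it with `apply_host_ruleset 10.0.0.0/24 443` as root; review the output of `gen_host_ruleset` first, since a default-drop policy applied over SSH from outside the management CIDR will lock you out of the box.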
While in theory you could take all firewalls away and rely on host security, in practice you wouldn't do that, of course. As an analogy to real life, you would certainly still lock the gate to your stately home...