Yes, I remember the discussion, and I think Dave Winer is ‘not getting it.’ As Ken MacLeod says (and I echoed in the conversation):
“As a reminder, firewalls are only a perimeter tool, site security is a combination of perimeter, network, external connections, host, application, and user education issues.”
This is called, in the FIREWALL FAW calls this “Defense in Depth” which is what I think is the best. Do not rely on every machine being secure cause users are stupid and will let crap in that you just can’t help. On the other hand, perimeter defense will similarly, as Winer points out, let viruses and other nasties in.
As in most things, a heterogenous defense is best.