If you are putting together a strategy for "defense in depth", then simultaneously utilizing different products at different layers is effective.

For instance, you could have the following scenario, using a different vendor and hardware platform for each level:
1. deploy basic packet filtering ACLs on an outside router:
[advantage] fairly effective and user transparent
[disadvantage] common vulnerabilities and patient sniffing will allow bypass

2. deploy stateful content filtering on the firewall in the DMZ
[advantage] traffic and application specific filtering beyond (1)
[disadvantage] performance hit

3. proxy server
[advantage] security by obscurity - gives you another layer to hide behind, can be used in tandem, on the same machine as (2) or (4)

4. deploy a host based firewall on the machine you are trying to protect

What this does is limit the ability to compromise your system to people who can get through every line of defense. In the above scenario, the purpose of using a different vendor's product at each level is that all products have some amount of vulnerability.

Remember too that it's worthwhile to implement IDS-specific services, such as Snort at the network level and perhaps Tripwire at the host level, and to use encryption such as PGP or IPSEC.


That's my $0.02 worth.
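As an added illustration (not code from the original post), a small Python model of the layered scenario described above: each layer is a separate, independently judged check, the DMZ firewall keeps a connection table, and a packet is delivered only when every layer admits it. Addresses, ports and the ACL rules are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str; sport: int; dst: str; dport: int
    syn: bool; outbound: bool  # syn: first packet of a TCP connection; outbound: host is sender

HOST = "10.0.0.5"   # constructed address of the machine being protected
PUBLISHED = {443}   # constructed: the only service the host should expose
# Layer 1: stateless ACL on the outside router. Passes outbound traffic, anything
# that looks like an established reply (no SYN) and new connections to 22/443.
def router_acl(pkt):
    if pkt.outbound or not pkt.syn:
        return True
    return pkt.src != "203.0.113.7" and pkt.dport in {22, 443}  # constructed rules

# Layer 2: stateful firewall in the DMZ. Inbound packets must be a new connection
# to a published service or belong to a flow the host itself opened.
class StatefulFirewall:
    def __init__(self):
        self.flows = set()  # (remote_ip, remote_port) of host-initiated flows
    def allow(self, pkt):
        if pkt.outbound:
            self.flows.add((pkt.dst, pkt.dport))
            return True
        if pkt.syn:
            return pkt.dport in PUBLISHED
        return (pkt.src, pkt.sport) in self.flows
# Layer 4: host-based firewall, judged on its own without trusting earlier layers.
def host_firewall(pkt):
    return pkt.outbound or not pkt.syn or pkt.dport in PUBLISHED
def defense_in_depth(pkts):
    """Per packet: 'delivered', or the name of the first layer that dropped it."""
    dmz = StatefulFirewall()
    layers = [("router_acl", router_acl), ("dmz_firewall", dmz.allow),
              ("host_firewall", host_firewall)]
    return [next((name for name, check in layers if not check(pkt)), "delivered")
            for pkt in pkts]

def demo():
    # Constructed traffic walking the scenario (not real captures).
    return defense_in_depth([
        Packet("198.51.100.9", 40000, HOST, 443, True, False),   # legitimate HTTPS
        Packet("198.51.100.9", 40001, HOST, 22, True, False),    # router ACL lets SSH by
        Packet("203.0.113.7", 40002, HOST, 443, True, False),    # blocked source
        Packet(HOST, 50000, "192.0.2.10", 443, True, True),      # host opens a flow
        Packet("192.0.2.10", 443, HOST, 50000, False, False),    # the reply to it
        Packet("198.51.100.9", 4444, HOST, 3389, False, False),  # forged "reply"
    ])
```

The last packet shows the point of the second layer: the stateless router rule waves through anything without a SYN, but the DMZ firewall drops it because no host-initiated flow matches.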