Software firewalls defeat their own purpose. A firewall is meant to be a separate entity designed to keep bad traffic from getting to the internal network or machine. If your *software* firewall is on the machine it is protecting, then the attack is already at the front door.

Not to mention it consumes precious resources on the computer/server it's *trying* to protect. Any good implementation of a firewall will place it between the public interface and the local network, with NAT/Proxy and/or a good IDS on the backend. The multi-layered approach is always best practice.

Next, make sure you have a SOLID user awareness program in place before anything else. All it takes is one machine with netcat on it and your whole firewall scheme is hosed.
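The gateway layout the post describes (a dedicated box between the public interface and the LAN, doing NAT), as an added example that is not part of the original post. It is an nftables ruleset wrapped in a small shell script; the interface names, the internal subnet and the list of permitted outbound ports are assumptions. The point worth seeing in code is the forward chain: it drops by default in both directions, so the "one machine with netcat" case (an internal host opening an outbound connection to an arbitrary port) is blocked at the gateway rather than sailing out through a default-allow outbound rule.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates and optionally
# applies an nftables ruleset for a gateway with a WAN side and a LAN side.
# Everything below marked "assumed" is a placeholder to adapt.

WAN=eth0                  # assumed public interface
LAN=eth1                  # assumed internal interface
LAN_NET=192.168.10.0/24   # assumed internal subnet

# Emit the ruleset as text (the same text you would feed to "nft -f").
gateway_rules() {
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # management of the gateway itself only from the LAN side
        iif $LAN tcp dport 22 accept
        icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Egress filtering: the LAN may only reach the outside on listed
        # ports. An internal host that starts a netcat connection to some
        # arbitrary port is dropped here instead of passing a default-allow
        # outbound rule. Extend the set deliberately, one service at a time.
        iif $LAN oif $WAN ip saddr $LAN_NET tcp dport { 80, 443 } accept
        iif $LAN oif $WAN ip saddr $LAN_NET udp dport 53 accept
        # Nothing unsolicited from the WAN is forwarded in; only replies to
        # LAN-initiated flows pass via the established,related rule above.
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide the LAN behind the gateway's public address.
        oif $WAN ip saddr $LAN_NET masquerade
    }
}
EOF
}

# Apply the ruleset. Needs root and the nft tool on the gateway box.
apply_gateway_rules() {
    gateway_rules | nft -f -
}

# Self-checks you can run on any machine without root: the forward chain must
# drop by default and the LAN must be masqueraded, otherwise the layering
# argument above does not hold.
check_forward_default_drop() {
    gateway_rules | grep -q 'hook forward priority 0; policy drop;'
}

check_lan_masqueraded() {
    gateway_rules | grep -q "ip saddr $LAN_NET masquerade"
}

if [ "${1:-}" = "apply" ]; then
    apply_gateway_rules
fi
```

Run it with no arguments to print nothing and just define the functions (useful for sourcing and running the checks), or with `apply` on the gateway to load the rules. Whatever you add to the forward chain, keep the drop policy and add allow rules per service; that is the difference between a firewall that is "between" the networks and one that merely forwards.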