Application level firewalls are bad... always, always, always bad.

Myth 1:
They effectively protect the system from external attacks in case other systems on the network are compromised.
Reality 1:
Application level firewalls work by determining which applications/services can connect and be connected to. On an internal network, where there is considerable sharing of data (Active Directory, file shares, etc.), the same applications and services that share this data will be the obvious attack vectors. The application firewall will treat these communications as normal.

Myth 2:
They effectively protect the system from external attacks in case the primary network firewall fails.
Reality 2:
In the event of a primary firewall failure, the attacker can use the standard communication paths to and from the firewall as attack vectors into the "protected" system. Additionally, the attacker may use more passive techniques of data diddling within the primary firewall to leverage greater access, more information, etc.

Myth 3:
They effectively deal with spyware, adware, viruses, trojan horses, etc ("malware").
Reality 3:
If the local user has sufficient rights to alter the system's configuration (which they must have to install the malware in the first place), then any malware must be assumed to have the same rights. Consequently, complete or selective disabling of the firewall is a trivial matter.

Considering these myths... you should see that application level firewalls are NEVER a good solution. Never in any environment, be it Zurich Financial Services' corporate HQ or Grandma's den.

If you have no services to offer... skip the firewall altogether. If you do have services, getting a nice firewall appliance might be a good investment, or just use the filtering built into your OS. Odds are you don't need much more than the simple ability to block a few ports from outsiders.

An application firewall will give you a false sense of security and be a waste of time, effort, and anything else you invest in it. Multiple application firewalls in a private network... is just a joke, and a bad joke at that. This is a simple matter of problem definition and verification... the fact of the matter is that application firewalls don't do the job they are designed to do.

cheers,

catch

psst. Woohoo, only three more posts... maybe I should end with a tutorial... what do you think:

"How to: Argue intelligently against Linux & Windows"
or
"Understanding OASIS"