The firewall will shield you from the external threat as long as it's configured correctly, but I'd say you still need to always consider an internal threat.

Employees bringing in laptops that have been infected are only one aspect to consider. If you do not patch your internal systems, then there are several exploits freely available so that any user may gain root on any other unpatched system on the subnet. Also, having no virus protection, or misconfigured virus protection, could lead to an employee receiving a worm via email or some other way, which could in turn corrupt the whole subnet.