Ok, I'm gonna go against the grain here. I'm not going to dispute any of the points made here, but I am going to say that host firewalls on systems inside your network can be beneficial, if you've taken the other appropriate measures.

I don't buy the comment about firewalls lowering security by making them more complex. When you consider the default build of Windows or a common *Nix, or even the typical corporate build, you'll see the system is already insecurely complex ipso facto. What do you have to lose by adding something that could potentially close avenues of approach or attack?

As catch and his oompah loompahs are always reminding us, secure systems, designed properly from the ground up, don't need the level of attention for patch management, firewalls, and security applications. However, last time I looked, hardly any of us USE systems of this pedigree.

I've said it before... Information Security is about defense in depth. "Why have host firewalls? I have a perimeter firewall already!" What if the perimeter firewall fails? As nihil said in a different context, if baddies get inside the network, you've already failed. You can make your failure complete by having zero internal stopgaps or defenses, or you can have a fighting chance with internal measures layered upon other measures.

But please, feel free to put all your eggs in one basket. (Wow, centuries old wisdom applied to modern digital security practice! Who'd a thunk it?)