So first you say that you don't agree with the idea of increased complexity reducing security... and then in your very next statement you say the systems are already "insecurely complex". You sound confused.
So first you take a direct statement, twist it to your own means, and act haughty. You sound like an arrogant snob. I don't agree with the statement that the firewall itself decreases security by increasing complexity. The system is already insecure; how can a properly configured firewall further decrease security in that situation? Please explain this single point before sharing more passive-aggressive superciliousness.

How does an internal firewall close avenues of attack? If you have a filter segregating that network segment what points of attack are you worried about?
Does every single network you've ever participated in have this segregation of segments by service/port/protocol? Lucky you. We should all be so lucky. I'd actually buy some lottery tickets, maybe.

Attacks from the outside will be dealt with by the external filter.
Attacks from host-based malware can be prevented by disallowing the installation/execution of unsigned executables.
Yes, well, not every organization can function in this fashion because they don't have the benefit of your divine omnipresence on staff.

Seriously, someone in the organization needs the ability to install software, somewhere. Most companies don't fund for and can't afford a complete and definitive test environment, the staff to maintain it, and the stakeholder buy-in to support the whole affair. Welcome to reality...we've been wondering when you'd drop by.

Internal worms will use the same channels as internal trusted communications so a filter again will not work unless it is integrated with malware detection which needs to be maintained. So where are these attack avenues?
I believe we've already told you. Untrusted systems can be plugged in; systems can be rebooted with boot discs. Crafty users can break policy and do things they aren't supposed to do.

catch, I really didn't want to make this a personal attack, but to be brutally honest, your position and point of view can be so infuriatingly narrow-minded that I can't help but be a *****. You always approach everything as if it is so infuriatingly simple, and we're all a bunch of idiots. The real world is comprised of thousands of companies, millions (or perhaps billions) of home users, college campuses with students, public libraries...the interconnectedness of our world, and the technology that allows it to function, is not built in this trusted secure model you revere.

If all these trusted models and proven secure systems solve the problems we talk about, why do nations pass laws like Sarbanes-Oxley? Why do we have standards and regulations and policies that dictate, beyond process and practice, accepted behavior or rules for such? We have them because your trusted systems don't solve all security problems via technology. The human factor will nearly ALWAYS find a way to defeat, bypass, or overcome the technical barrier.

I'm guessing here, but it sounds like you have a fair amount of experience in the government or defense systems security/technology field. Perhaps I'm mistaken, but I am associated with a large number of people in this arena, and I know their jargon and slant on things. And I see many similar veins in some of their arguments as with yours.

In the end, most of us work in this real world I speak of. We don't have the luxury of working in these rigorously segmented and compartmentalized networks, where the C-level execs have signed off on users being completely restricted from installing anything except signed code, and we all use digital certificates for any and all authenticated sessions. We work in flawed environments. On flawed systems. With flawed policies. Yet we manage to get the job done, for the most part. It is imperfect, and I would like to see your better way of doing things become the standard; but that won't happen across the board...not anytime soon.

g3neration, if you are unconcerned about the possibility of an internal breach...or at least you are not abnormally concerned...then don't bother with the host firewalls. But if you want to do the extra step that could very well help you out, I'd suggest you look into local measures to protect the systems. If you are fortunate enough to be dealing with a locked down and rigorously regimented set of systems as our friend catch describes, don't waste the cycles...if anything DOES get through, you're already so hosed it won't matter.

And if even one of these systems is mobile and could be placed on another network...particularly one which you don't have control over...absolutely take every single precaution necessary. Smug righteousness won't save your ass when a zero-day gets through.

Cheers.