I heard that network firewalls and host firewalls would increase security.

$Id: firewall-security.html,v 1.3 2007/07/23 19:45:15 itojun Exp $

Unfortunately, no. They exist because of the problems in the operating system you are using.

Network firewalls block/permit certain network traffic from come in/ go out. By doing so, it is hoped that computers within the corporate network would be secured. However! With the existence of network firewall, the morale within the corporate network would (and surely) go down. People do not apply security patches to their client machines, and people do not upgrade their client machines even if the operating system is so old that they go EOL'ed (product end-of-life). The most important attack vector these days is from roaming clients such as laptops owned by technically-not-so-skilled people, and VPN (Virtual Private Networks) connectivity to the internal network of corporates. Those machines which are secured by the network firewall devices go out of the corporate network, connect to the hotel Internet services, get infected by worms and viruses, and goes back to the corporate network and gives trouble to network administrators.

To prevent it, host firewalls, or so-called "fire suit", are getting very popular. Every client machines get "virus scanner" and "packet policing engine" which blocks non-registered protocol packets from going out. However, if the client operating systems are secure enough to begin with, your client machine would never be infected by viruses and worms, and you shouldn't need host firewalls.

So, my recommendation is below:

If you can make a choice of client operating system, use a secure oeprating system which does not require host firewalls. For instance, OpenBSD is ultra-secure operating system which is excluded from "attack the machine" contest in security geek conferences, since it is attackable by almost noone on the planet, let alone Klingons.
If you cannot make a choice of client operating system (you have to use OSes such as Windows), use the operating system of choice on top of a virtual machine (such as VMWare, Parallels Desktop) on a secure operating system, making sure that you would contact outside network using the secure operating system outside. Do not directly contact outside network from the operating system inside the virtual machine.
If you can make a choice of firewall device, use OpenBSD PF or devices based on OpenBSD PF. It can add some trick to the IP packets to make the TCP internal informations are totally randomized and invisible.
In any cases, if you are an network administrator, install an Intrusion Detection System, or IDS so that you can be notified if there's any incidents.

[IPv6 demystified] [IPv6Samurais] [itojun]