The "Firewall Bible" is the book by William R. Cheswick and Steven M. Bellovin called "Firewalls and Internet Security: Repelling the Wily Hacker". The authors state the following facts there, which I can only agree with:
All programs are buggy. (Murphy's law)
Large programs are even buggier than their size would indicate.
A security-relevant program has security bugs.
Exposed machines should run as few programs as possible; the ones that are run should be as small as possible!!!
CONCLUSION:
Most hosts cannot meet these requirements: they run too many programs that are too large. Therefore, the only solution is to isolate them behind a firewall.