Duane put’s it quite nicely in his post – there’s definately far more to security that just a single technical solution. Let’s face it, many firewalls merely route traffic from one interface to another having decided whether to allow the traffic based on information that can easily be spoofed – an application layer firewall is a far better solution as it actually inspects the content of each packet rather than just the headers. Microsoft ISA Server is an excellent application layer firewall – but of course you’d expect me to say that being a Microsoft employee. Whatever firewall you have I suggest you find out what / if any real inspection it’s performing.
Say you want to make Outlook Web Access available to users outside your network – simply exposing the web server to traffic based on port 80 (HTTP) or 443 (HTTPS = HTTP over SSL) is nonesense from a security perspective. A decent application layer firewall will authenticate the incoming request and assuming it’s valid will inspect the payload to ensure that the traffic comprises valid HTTP verbs of the type used by OWA.
Even if you have a decent firewall solution it’s not going to protect you from users who bring machines into your building which are infected with worms and other malware.
Security awareness for users is at least as important as any technical measure – as long as they leave machines unattended (in public places – like most offices) then all the cryptography and smart cards and whatever else will be useless.