Firewalls thus lost ground from both the top and bottom of the equation at once: While offense was gaining in power, the technology found itself saddled with limitations on how fast it could think. No wonder it is less effective than we had hoped.

Today firewall development is being pushed in two directions. The first retains the concept of a central choke point?the security desk at the entrance?and uses hardware and other performance enhancements to interrogate packets in more detail. Melville, N.Y.-based Spearhead Technologies’ AirGAP, for instance, uses a proprietary operating system to shuttle data into the network. This is like the security desk refusing to let messengers into the building and instead using its own uniformed personnel to deliver packages.

The second approach (one espoused by Rochester, N.H.-based Enterasys Networks, among others) is to install firewalls on every part of the system: every router, switch, virtual private network connection and even every client. Everybody gets a security desk. The virtue of such ubiquity is that each "guard" gets to know its own corner of the world well, which means it can recognize inappropriate activities more quickly. "The end system can see when a program is attempting to write to the desktop registry, and it can see, or ask, whether an upgrade is going on," says Brent Chapman, president of Great Circle Associates in Mountain View, Calif. "It is in a much better position to know what should be going on."

How much relief these programs will bring depends on whether information systems continue to change as rapidly as they have in the past. If they do, offense will probably continue to race ahead. If the pace of change slows, allowing experience to accumulate, defense will get smarter and more effective. This may yet turn out to be one of the unanticipated benefits of the dotcom bust.