There is a third option.. Managed Security.. where an enterprise secures your perimeter as a managed services. They normally offer a range of perimeter security options ranging from Linux/FreeBSD etc all the way to Cisco/Checkpoint boxes and licenses. The only thing is that you dont pay it off as a Capex but as a managed service based on Opex, fixed monthly fee. The vendor has a tunnel to the devise to manage it and update all that needs to be updated. The users have no direct control over the device but they have direct access to the logs and can change the policy via a controlled change management process with the vendor. The vendor has the duty of making sure that the client organization is protected from emerging threats proactively .. so they have to keep their ears and eyes open 24/7 http://www.iss.net/ http://www.clearstreamtechnology.co.uk/services-technologies/internet_securi...