
I tend to oscillate between the two positions; at the moment I think that firewalls are still needed with IPSEC. Firewalls cannot be removed if:

1) You need to control outbound as well as inbound traffic.
2) There are still non-IPSEC machines on the network.
3) There are network services on IPSEC machines that do not understand IPSEC security, and which cannot be easily secured through IPSEC-aware wrappers.

I can't see any way to cope with the first problem; however, the latter two are legacy headaches, which tend to clear up given time.

What I do see happening is more and more IPSEC machines moving out into a quasi-DMZ as it becomes much easier to make ordinary machines secure enough to go over-the-top; however, it'll take more than just IPSEC to make this fool-proof enough to move everybody out there.

One worry I do have is that if such a machine is misconfigured it could cause more damage, as that machine is trusted more because it's using IPSEC.

Simon

(defun modexpt (x y n)
  "computes (x^y) mod n"
  (cond ((= y 0) 1)
        ((= y 1) (mod x n))
        ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
        (t (mod (* x (modexpt x (1- y) n)) n))))