I like Russ' analogy, especially since I work in the insurance
industry (http://www.state.il.us/ins). But I'd like to improve on
his analogy and perhaps make his point even stronger.
The discussion I have seen isn't so much homeowner's insurance vs
flood insurance, it's talking about the need to learn underwriting
and claims adjusting and actuarial science before you even decide what
kind of insurance you want to buy. It's true -- especially in the
insurance industry -- an educated consumer is a potentially better
protected consumer. But that doesn't mean you should have to know
what a life-expectancy table is and what it's used for to be
adequately protected. You need to know what you want to protect,
and how to figure out what products will cover those risks.
The same should be true for firewalls. I should not need to know
all the the little details of the operating system and protocols, and
each and every application I am running in order to adequately protect
my site. I need to develop a sound security policy and find what
applications will satisfy that that requirement. And, as Russ
pointed out, this discussion has nothing to do with the operating
system and everything to do with the entire system that we generically
call a firewall.