
Anybody who has worked in a large organization, or heck, any company with more than 30-40 people in the systems (DB/Servers/Network/Syseng) infrastructure group also knows that firewalls have the advantage of "Defense in Depth." If a sysadmin runs a quick pfctl -F a while troubleshooting a problem, and neglects to restore the ruleset, the firewall team has them covered. And the firewall team will never, ever run pfctl -F a. They likely will require multiple-day advance notice to even add a new, very specific rule.

Also - having policy for the network guaranteed at a single chokepoint (usually a ruleset that generates firewall configuration, which is then pushed onto hundreds of firewalls) is a big win. One spot to audit.

With all that said - if you are a tiny 2-3 person shop, you can probably get by without Load Balancers, Firewalls, or heck, most infrastructure out there. Just throw it all on AWS/slicehost/linode and harden your hosts to do the right thing.

But, when you get big, and have hundreds (thousands?) of hosts, and are tempted to run them yourself, you will have firewalls and load balancers. Many of them, in fact.

Check out Margrave (http://www.cs.brown.edu/~sk/Publications/Papers/Published/nb... ) for some of the interesting stuff around formalizing policy inspection.
