Inside Router
Last line of defense
Between main firewall and inside net
Dedicated router or OpenBSD box
No remote logins
No "pc anywhere" access
Console access only
If firewall compromised, this is the only protection against the firewall accessing all inside traffic