Really? In most deployments the firewall is only outward facing. Local isolation is possible but it breaks a ton of stuff and basically renders the LAN useless.
My own opinion is: Secure. The. Endpoint.
If your devices, OSes, etc. are not secure then your systems are not secure. A firewall will not save an insecure system, and firewalls and netsec in general gets far too much attention. That attention should be focused on OS-level and application level security.
Exactly, endpoints should not be listening on the network for instance (its not just about outbound connectivity).
Company laptops often have RDP or SSH open - and newly added software might expose a remote endpoint in future (or a 0 day, like EternalBlue).
And here it comes: then an employee works from home or a coffeeshop and anyone there can attack and try to login! Locking down these things is critical to securing the endpoint.
"Endpoint security" in practice translates to full disk encryption (good) but seemingly also corporate-mandated spyware that logs and reports process and network
metadata, even traffic and keystrokes (bad).
Security isn't the only thing in the optimization equation; endpoint security is only useful — and humane — to a point.
