Is a firewall an adequate security measure for current IT environments? Or do I need to implement additional tools?
Best Answer
- Recommended by:
- Daniel Ramirez
The short answer is, NO!
A Firewall is only one piece of a very complex puzzle. If you want defense in depth security, you need multiple layers of defense, not just a Firewall.
You need security policies, standards and procedures; Intrusion Detection/Protection, an Anti-Virus solution, a vulnerability patch management program, a vulnerability / security assessment program, incident response capabilities, a security awareness/training program etc...
Security is a process... not just a single point solution, like a Firewall.
- Recommended by:
- Daniel Ramirez
Don't forget that your worst problems may be behind your firewall. Most information leaks come from inside, usually disgruntled employees.
"A castle needs more than a moat for protection, a data center needs more than a firewall."
Not only do you have to protect your network, but you also have to protect your internal resources and data.
Arthur
A firewall is a good piece of the big picture! Conceptually speaking security is divided into ten domains, a firewall falls under one of these domains, namely, the Network and Telecommunications domain. Just to make things easier, imagine you have the best firewall on the market with the latest patches and updates, but you don't have a proper access control mechanism or physical security controls in place, so that any outsider can simply just walk into your server room and pick the whole firewall out of your network!
All pieces must work together, generally speaking, you will need a firewall along with an IPS solution in addition to an antivirus and anti malware solution, most vendors today supply an all-in-one-box solution. It really depends on how big/sophisticated your network is, you may consider separating these mechanisms into different entities, and if your business is governed with an SLA you might even think of duplicating all entities to add redundancy and a highly available touch should any entity experience a failure.
Another big question, would be if your data needs to be encrypted, you can utilize your firewall to provide such service as well, with different "strengths" of encryption algorithms depending on the sensitivity of your data.
I hope this is useful, let me know if you may need any more information.
I agree with the group. You need more than just a single layer of defense. I'd advise home users to have a NAT router, software firewall, anti-virus software, and anti-spam software at a minimum. If you are running a business (even a small one) the stakes are higher than if you are just web browsing.
Minimum levels of protection depend on the business. You want to evaluate what your assets are worth (not just the physical assets, the information assets too.)
Once you know what your assets are worth you can determine what you can spend on protecting those assets. What is a customer's information worth to you? your competitors? criminals? What trade secrets do you have? What are they worth?...These are the thoughts that need to go into the valuation phase.
When you have a rough budget, you need to go from there and decide where to spend it. A lot of it is probably going to go to staff salaries, some of it will go into staff training, some will go into technology. Technologies that are common in this are:
- Firewalls
- IDS/IPS
- Antispam
- Antivirus
- Unified Threat Management (UTM) - combines the above into one box... this is a good kind of firewall to have, but I'd still put more protection on the PCs behind it... not all attacks come through the firewall to get onto the network... some are already there.
- Software firewalls - Windows firewall is a good start
- Anti-Spyware
- Patch Management - WSUS is a good starting point
- Hardening your systems - shutting off features that you will not need
- Host-based IDS - OSSEC is a good starting point
- Log management & analysis
- Network Segmentation (setting up different portions of the network so that they have to pass through a router or, better yet, a firewall to get to other parts)
- File encryption - if you store confidential info
- Mail encryption - if you relay confidential info by e-mail
- Whole Disk encryption - best used for laptops in case they are stolen
...
there are many more things to look at, but that's a good start.
This Question is closed
Layers of defense is the ideal way of setting up security. IMO, there is no right/wrong way of doing security because it depends on your business, company size and most importantly your budget and objectives. Since few people/companies operate under a "sky is the limit" budget, you should have a firewall, antivirus, and a patch management process (more important for small business), then move up to more advanced (from a cost perspective) tools like IDS/IPS, secure web proxy, email spam filter, to traffic recorder and again sky-is-the-limit tools....