One of the most important things to recognize about maintaining a firewall is that the older it is, the more maintenance it's going to require. At some point, you simply need to say "enough," and start over with a new firewall. At the rate the firewall arena is changing today, we generally tell people that if they build the best firewall they can today, they should probably plan on replacing it in 18 to 36 months. Lots of things that affect firewalls are changing very fast, including the attacks they're subjected to, the tools for building them, and the services their users demand.
Here are a few examples of how quickly things can change on the Internet:
In 1993, password sniffing was not a major problem. Today, just two years later, it's a major problem.
In 1993, there were only a handful of tools available for building firewalls, mostly in the form of limited packet filtering implementations in routers. Today there are dozens of tools of many different types (both commercial and noncommercial) to choose from.
In 1993, the World Wide Web was a nonissue, and few Internet users had even heard of it. Today, it is the major factor behind the current growth of the Internet.
In another two years, we're going to be facing a whole new series of attacks, have a whole new set of tools at our disposal, and be dealing with a whole new set of services demanded by our users. Nobody knows for sure what these attacks, tools, and services will be, but you can safely predict that the Internet will be significantly different from what it is today. Of course, that's true for just about any two-year period in the history of the Internet that you care to examine. The one constant about the Internet is constant change - constant growth, a constant stream of new services and new tools, and so on.