Intel's zero-day problem
Posted May 4, 2017 15:10 UTC (Thu) by felixfix (subscriber, #242) In reply to: Intel's zero-day problem by mikemol
Parent article: Intel's zero-day problem
Posted May 4, 2017 20:35 UTC (Thu) by mikemol (guest, #83507)
Hence a component of my remark:
> as many security layers as you reasonably can,
Keywords being *reasonably* and *layers*.
If you can't trust your network gateway, you can't trust your network gateway. If you find it a reasonable precaution, you might further segment your network such that the device you don't trust has an additional firewalled router between your clients and the untrusted device.
I do exactly this in one of my networks; I have to deal with routers on my premises owned and managed by AT&T and Comcast for upstream ISPs. Any traffic coming in on those first passes through a network segment for unfiltered traffic before it reaches a router I own and control. And even on the *filtered* side of that router, there are routing nodes with stateful firewalls that segment, e.g. office activity traffic from server activity, server activity from various device management interfaces, etc. In the eventuality of a laptop or desktop infection, I don't need the infected code having easy access to nodes that the laptop or desktop shouldn't already have access to.
It's honestly not a difficult architecture to maintain, though it'd be overkill for home users.