Somebody sold you a firewall at some point. Maybe it came bundled with your internet service, maybe an IT vendor installed a box with blinking lights in your network closet, and ever since then the assumption has been "we have a firewall, so we're protected." We hear that sentence a lot, usually right before we find something the firewall never had a chance of stopping. So let's talk about what that box actually does, and where its job ends.
The basic job: deciding what traffic gets through
At its core, a firewall is a bouncer for network traffic. Every connection on a network uses a port, which is just a numbered channel. Web traffic uses ports 80 and 443. Email servers listen on 25. Remote desktop uses 3389. A firewall looks at traffic trying to come in or go out and checks it against a list of rules: allow this port from this address, block everything else.
The single most valuable thing a firewall does is refuse inbound connections you never asked for. Out of the box, a decent firewall blocks all unsolicited inbound traffic. That alone stops the constant background noise of the internet: automated scanners probing every public IP address on earth, all day, every day, looking for an open port to poke at. If you've never looked at a firewall log, the volume of that scanning is genuinely surprising.
Modern firewalls do more than ports
The firewalls we install for businesses today (units from Fortinet, SonicWall, Ubiquiti, and similar) are usually called next-generation firewalls, and they inspect traffic more deeply than just checking port numbers. Depending on the model and licensing, that can include:
- Application awareness. Recognizing that traffic on port 443 is actually Dropbox, or BitTorrent, and applying rules by application instead of just port.
- Intrusion prevention. Matching traffic against known attack signatures and dropping it.
- Content filtering. Blocking categories of websites, or known-malicious domains.
- Geo-blocking. Refusing connections from countries you do no business with. Crude, but it cuts noise dramatically.
Those features often require an active subscription. We regularly find firewalls whose security licensing lapsed two years ago. The box still routes traffic fine, so nobody noticed, but the inspection features quietly stopped updating. If you own a business-grade firewall, checking that the subscription is current is a five-minute task worth doing this week.
What a firewall cannot do
Here is the part vendors underplay. Most of the ways businesses actually get compromised today walk right past the firewall, because they arrive over connections your own people initiated.
- Phishing. An employee clicks a link in an email and types their password into a fake Microsoft login page. That's outbound web traffic on port 443, which the firewall allows because it has to. No firewall rule stops it.
- Stolen passwords. If someone logs into your Microsoft 365 or Google Workspace account with a valid password from anywhere in the world, your office firewall is not even in the conversation. Those services live in the cloud, outside your network entirely.
- Malicious attachments. Encrypted email and HTTPS mean the firewall often can't see the payload at all.
- Anything on a laptop that leaves the building. The firewall protects the network it sits on. Your salesperson working from a coffee shop is on someone else's network.
- Threats already inside. Once malware is running on a machine inside your network, the firewall's inbound rules are irrelevant. Outbound rules can help contain it, but most small-business firewalls allow nearly all outbound traffic by default.
That last point deserves emphasis. The default posture of most installs is "block inbound, allow all outbound." Tightening outbound rules (blocking remote desktop out, restricting server traffic to only what those servers need) is real work, and it's where a firewall goes from a checkbox to an actual control.
Necessary, not sufficient
None of this means firewalls don't matter. They do. An unfirewalled network with an exposed remote desktop port will be compromised, not might be. But a firewall is one layer, and it covers a shrinking share of the risk. The layers that cover the rest look like this: multi-factor authentication on email and cloud accounts, endpoint protection on every computer, patched software, backups that actually restore, and people who know what a phishing email looks like.
How to know yours is doing its job
A few concrete checks, whether you do them or you ask your IT provider for the answers in writing:
- Is the firmware current? Firewalls themselves get exploited, and unpatched firewall vulnerabilities have driven several major incident waves in the past few years.
- Are the security subscriptions active?
- Are there any inbound port-forwarding rules? Each one is a hole punched on purpose. Every rule should have a name attached and a reason it still exists. Port 3389 forwarded to anything is an emergency, fix it today.
- Has the admin password been changed from the default, and is the management interface reachable only from inside the network?
- Is anyone actually reviewing the logs, ever?
If your current provider can't answer those questions quickly, that tells you something too. We do firewall reviews as part of nearly every network assessment, because the box with the blinking lights is usually fine. It's the rules and the licensing nobody has looked at since 2021 that need the attention.
Stuck on this, or want it done for you? That's the job.
Email us →