Firewall

Hardly any security term is as widespread as the firewall. For decades it has formed the first line of defense between the company network and the internet, and it holds a central place in almost every security concept. At the same time, its role has changed markedly: cloud services, the home office, and mobile devices have dissolved the classic network edge that a central firewall once protected.

For IT decision-makers, a closer look is therefore worthwhile. Those who understand what a firewall achieves and where its limits lie allocate budgets more sensibly and plan security architectures that fit today's way of working.

What is a firewall?

A firewall is a security system that monitors data traffic between networks and permits or blocks it based on defined rules. It usually sits at the transition between the internal network and the internet, but it can also separate internal areas from each other. The name is borrowed from the fire wall in construction, which stops the spread of a fire.

Technically, firewalls exist as dedicated hardware, as software on servers and endpoints, and as a service from the cloud. In companies, several layers usually work together: a central firewall at the internet gateway, host firewalls on individual systems, and increasingly cloud-based control points for mobile users and distributed locations. Routers and operating systems also come with simple firewall functions, but on their own these rarely suffice for enterprise requirements.

The rule set ideally follows the principle of least privilege: what is expressly needed is allowed, everything else stays blocked. The quality and upkeep of these rules decisively determine how effective a firewall actually is.

How it works

Every firewall checks data packets against a rule set. The types differ above all in how deeply they analyze the traffic:

  • Packet filter: The simplest form checks individual packets based on source and destination address, port, and protocol. This works fast and conserves resources but stays blind to relationships between packets.
  • Stateful inspection: This generation tracks the state of every connection. Responses to legitimate internal requests are recognized and let through, unsolicited packets from outside are discarded. Stateful firewalls are considered the minimum standard today.
  • Next-Generation Firewall (NGFW): It additionally analyzes the application layer, that is, it recognizes which application uses a connection, and links rules to user identities. Functions such as intrusion prevention, TLS inspection, and the filtering of malicious content are integrated.
  • Web Application Firewall (WAF): It specifically protects web applications and APIs against attack patterns such as SQL injection or cross-site scripting. A WAF does not replace a network firewall, it complements the protection with the application layer.

Modern architectures increasingly shift these functions into the cloud. Firewall as a Service provides control points where users and applications actually work and bundles them in SASE/SSE platforms with further security services. For decision-makers, what counts here is less the product category than the question of where the traffic is controlled at all.

What a firewall achieves and where its limits lie

  • It reduces the attack surface: Unwanted ports, protocols, and sources stay out, and many automated attacks come to nothing.
  • It enforces policies: Access can be controlled by application, user group, and location and logged in an audit-proof manner.
  • It sees encrypted traffic only with additional effort: Without TLS inspection, a large part of the data stream remains a black box.
  • It offers little protection against stolen credentials: If an attacker logs in with valid credentials, they pass the control like a legitimate user.
  • It often does not control internal traffic at all: Once an attacker has overcome the perimeter, they frequently spread unhindered behind the firewall.
  • It is only as good as its rule set: Rules that have grown over years, are too broad, or are contradictory open gaps unnoticed.

Typical scenarios

In practice, firewalls take on different tasks depending on where they are deployed:

  • Securing the internet gateway: at the main location, an NGFW controls which services are reachable, blocks known malicious sources, and logs anomalies.
  • Home office access: cloud-based firewall functions from a SASE/SSE service check the traffic of mobile employees directly, without a detour through headquarters.
  • Protecting the online shop: a WAF filters attack patterns and automated bots before they reach the application and keeps the shop reachable even under load.
  • Internal separation: firewalls between the production and office network limit the consequences of a compromised workstation and protect sensitive systems from direct access.
  • Rule set audit: after years of growth, a team cleans up hundreds of historically grown rules, removes legacy items, and closes risky allowances.

Firewall, segmentation, and Zero Trust: why the perimeter alone is too little

The classic firewall architecture follows the image of a castle: the wall on the outside, the trust zone on the inside. This model fits reality less and less, because applications run in the cloud and employees work on the move or at home. The network edge is thus one of many control points, and anyone who is once on the inside enjoys far too much trust in traditional networks.

Zero Trust addresses exactly this: no access is considered trustworthy simply because it comes from the internal network. Every connection is checked based on identity, device, and context. Microsegmentation carries this principle into the interior of the network and draws control boundaries down to the level of individual servers and applications. A compromised system thus stays isolated instead of becoming a springboard for the attack on the entire network.

In this architecture, the firewall remains an important building block but loses the role of the sole protective wall. It works in combination with identity verification, segmentation, and continuous monitoring. Service provider access and cloud connections also need the same control as the classic internet gateway.

Protection with KAEMI

KAEMI plans and operates multi-layered security architectures as a managed service. With SASE/SSE we shift firewall functions and access controls into the cloud, with Zero Trust microsegmentation we protect the interior of the network against the spread of attacks. For web applications, Application Security complements the protection with WAF, DDoS defense, and bot management. Via the contact page you can arrange an assessment of your current architecture.

Frequently asked questions about Firewall

Do companies still need their own firewall despite using the cloud?

Yes, though the form shifts. Locations with local infrastructure still need a firewall at the gateway. For mobile employees and cloud applications, cloud-based control points from a SASE/SSE service take on the same tasks. What matters is a consistent rule set across all locations and users rather than a single central appliance.

What distinguishes a Next-Generation Firewall from a classic firewall?

A classic firewall decides based on addresses, ports, and connection states. A Next-Generation Firewall additionally recognizes applications and users, inspects content for malicious code, and comes with functions such as intrusion prevention and TLS inspection. Rules can thus be formulated much more precisely, for example: sales may use the CRM application, file sharing stays blocked for everyone.

Does a firewall protect against ransomware?

Partly. A well-maintained firewall blocks known malicious sources and reduces the attack surface. But if ransomware gets into the network via phishing or stolen credentials, the spread takes place behind the firewall, where it often no longer has any control. Effective protection therefore combines the firewall with microsegmentation, endpoint protection, multi-factor authentication, and tested backups.

How often should the firewall rule set be reviewed?

A complete review at least once a year has proven effective, complemented by event-driven reviews for major changes such as migrations, new applications, or location changes. In the process, unused rules are removed, overly broad allowances are narrowed, and responsibilities are documented. Regulated industries sometimes prescribe shorter cycles. A managed service keeps the rule set continuously up to date.

What is Firewall as a Service (FWaaS)?

Firewall as a Service shifts the firewall functions from local devices into a cloud platform. The traffic of all locations and mobile users runs through central control points where a uniform rule set applies. The advantages are a consistent security policy, less hardware effort, and fast scaling. FWaaS is a core building block of SASE/SSE architectures.

Want to put this into practice in your own network? Talk to KAEMI, aligned to your requirements and with operations from a single source.