Hardly any security term is as widespread as the firewall. For decades it has formed the first line of defense between the company network and the internet, and it holds a central place in almost every security concept. At the same time, its role has changed markedly: cloud services, the home office, and mobile devices have dissolved the classic network edge that a central firewall once protected.
For IT decision-makers, a closer look is therefore worthwhile. Those who understand what a firewall achieves and where its limits lie allocate budgets more sensibly and plan security architectures that fit today's way of working.
What is a firewall?
A firewall is a security system that monitors data traffic between networks and permits or blocks it based on defined rules. It usually sits at the transition between the internal network and the internet, but it can also separate internal areas from each other. The name is borrowed from the fire wall in construction, which stops the spread of a fire.
Technically, firewalls exist as dedicated hardware, as software on servers and endpoints, and as a service from the cloud. In companies, several layers usually work together: a central firewall at the internet gateway, host firewalls on individual systems, and increasingly cloud-based control points for mobile users and distributed locations. Routers and operating systems also come with simple firewall functions, but on their own these rarely suffice for enterprise requirements.
The rule set ideally follows the principle of least privilege: what is expressly needed is allowed, everything else stays blocked. The quality and upkeep of these rules decisively determine how effective a firewall actually is.
How it works
Every firewall checks data packets against a rule set. The types differ above all in how deeply they analyze the traffic:
- Packet filter: The simplest form checks individual packets based on source and destination address, port, and protocol. This works fast and conserves resources but stays blind to relationships between packets.
- Stateful inspection: This generation tracks the state of every connection. Responses to legitimate internal requests are recognized and let through, unsolicited packets from outside are discarded. Stateful firewalls are considered the minimum standard today.
- Next-Generation Firewall (NGFW): It additionally analyzes the application layer, that is, it recognizes which application uses a connection, and links rules to user identities. Functions such as intrusion prevention, TLS inspection, and the filtering of malicious content are integrated.
- Web Application Firewall (WAF): It specifically protects web applications and APIs against attack patterns such as SQL injection or cross-site scripting. A WAF does not replace a network firewall, it complements the protection with the application layer.
Modern architectures increasingly shift these functions into the cloud. Firewall as a Service provides control points where users and applications actually work and bundles them in SASE/SSE platforms with further security services. For decision-makers, what counts here is less the product category than the question of where the traffic is controlled at all.
What a firewall achieves and where its limits lie
- It reduces the attack surface: Unwanted ports, protocols, and sources stay out, and many automated attacks come to nothing.
- It enforces policies: Access can be controlled by application, user group, and location and logged in an audit-proof manner.
- It sees encrypted traffic only with additional effort: Without TLS inspection, a large part of the data stream remains a black box.
- It offers little protection against stolen credentials: If an attacker logs in with valid credentials, they pass the control like a legitimate user.
- It often does not control internal traffic at all: Once an attacker has overcome the perimeter, they frequently spread unhindered behind the firewall.
- It is only as good as its rule set: Rules that have grown over years, are too broad, or are contradictory open gaps unnoticed.
Typical scenarios
In practice, firewalls take on different tasks depending on where they are deployed:
- Securing the internet gateway: at the main location, an NGFW controls which services are reachable, blocks known malicious sources, and logs anomalies.
- Home office access: cloud-based firewall functions from a SASE/SSE service check the traffic of mobile employees directly, without a detour through headquarters.
- Protecting the online shop: a WAF filters attack patterns and automated bots before they reach the application and keeps the shop reachable even under load.
- Internal separation: firewalls between the production and office network limit the consequences of a compromised workstation and protect sensitive systems from direct access.
- Rule set audit: after years of growth, a team cleans up hundreds of historically grown rules, removes legacy items, and closes risky allowances.
Firewall, segmentation, and Zero Trust: why the perimeter alone is too little
The classic firewall architecture follows the image of a castle: the wall on the outside, the trust zone on the inside. This model fits reality less and less, because applications run in the cloud and employees work on the move or at home. The network edge is thus one of many control points, and anyone who is once on the inside enjoys far too much trust in traditional networks.
Zero Trust addresses exactly this: no access is considered trustworthy simply because it comes from the internal network. Every connection is checked based on identity, device, and context. Microsegmentation carries this principle into the interior of the network and draws control boundaries down to the level of individual servers and applications. A compromised system thus stays isolated instead of becoming a springboard for the attack on the entire network.
In this architecture, the firewall remains an important building block but loses the role of the sole protective wall. It works in combination with identity verification, segmentation, and continuous monitoring. Service provider access and cloud connections also need the same control as the classic internet gateway.
Protection with KAEMI
KAEMI plans and operates multi-layered security architectures as a managed service. With SASE/SSE we shift firewall functions and access controls into the cloud, with Zero Trust microsegmentation we protect the interior of the network against the spread of attacks. For web applications, Application Security complements the protection with WAF, DDoS defense, and bot management. Via the contact page you can arrange an assessment of your current architecture.