What is a Firewall? Complete Guide for Executives

8 minute read
Beginner

A firewall controls what traffic enters and leaves your network. Learn how firewalls work, the difference between types, and why a firewall alone is not a security strategy.

What a Firewall Does: The Technical Foundation

A firewall is a network security device — hardware, software, or cloud-based — that monitors and controls incoming and outgoing network traffic based on a defined set of security rules. Every packet of data moving in or out of your network passes through the firewall. The firewall evaluates each packet against its ruleset and either permits or denies it.

The earliest firewalls operated at the packet level — examining source IP address, destination IP address, and port number. A rule might say: allow traffic from the internet to reach the web server on port 443, deny everything else reaching the internal network. This is called packet filtering, and while it still exists as a component of modern firewalls, it represents only the most basic layer of what current enterprise firewalls do.

Stateful Inspection: The Standard Baseline

Modern firewalls use stateful inspection: they track the state of each connection rather than evaluating every packet in isolation. A stateful firewall records that an internal host opened a connection to an external address, recognizes the replies as part of that connection, and permits them without an explicit allow rule for return traffic. A stateless filter cannot do this. To let replies back in, it has to admit any inbound packet that merely looks like a reply (typically one with source port 443, or with the TCP ACK flag set), and an attacker can craft packets with exactly those characteristics to reach internal hosts that never connected out. Stateful tracking both simplifies ruleset management and closes that gap.
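The difference between the packet filter described above and stateful inspection is easiest to see side by side. The following is an added simulation, not code from the original page: an internal client opens an HTTPS connection, the server replies, and an attacker sends a packet crafted to look like an HTTPS reply to an internal host that never connected out. The addresses, ports and rules are constructed for the example.

```python
"""Stateless packet filter vs stateful inspection, as a small simulation.

Added example (not code from the original page). The traffic is constructed:
an internal client 10.0.0.5 opens HTTPS to 203.0.113.10:443, the server replies,
and an attacker at 198.51.100.7 sends a packet crafted to look like an HTTPS
reply (source port 443) to an internal host that never connected out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the network, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int


# Stateless policy, first match wins: (direction, sport, dport, action).
# To let HTTPS replies back in, it must admit *any* inbound packet whose
# source port is 443; it has no way to tie a reply to a request.
STATELESS_RULES = [
    ("out", None, 443, "allow"),
    ("in", 443, None, "allow"),
    ("in", None, None, "deny"),
]


def stateless_decide(pkt):
    for direction, sport, dport, action in STATELESS_RULES:
        if (direction == pkt.direction
                and (sport is None or sport == pkt.sport)
                and (dport is None or dport == pkt.dport)):
            return action
    return "deny"


class StatefulFirewall:
    """Admits inbound packets only if they belong to a connection an internal
    host opened; everything else arriving from outside is dropped."""

    def __init__(self):
        self.connections = set()  # (int_ip, int_port, ext_ip, ext_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dport == 443:  # same outbound policy as the stateless filter
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow"
            return "deny"
        # Inbound: flip the tuple and look for the outbound connection it answers.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.connections else "deny"


def run_scenario():
    request = Packet("out", "10.0.0.5", 51234, "203.0.113.10", 443)
    reply = Packet("in", "203.0.113.10", 443, "10.0.0.5", 51234)
    crafted = Packet("in", "198.51.100.7", 443, "10.0.0.9", 445)  # nobody asked for this
    fw = StatefulFirewall()
    return {
        "stateless": {"reply": stateless_decide(reply),
                      "crafted": stateless_decide(crafted)},
        "stateful": {"request": fw.decide(request),
                     "reply": fw.decide(reply),
                     "crafted": fw.decide(crafted)},
    }


if __name__ == "__main__":
    for model, verdicts in run_scenario().items():
        print(model, verdicts)
```

Both models let the genuine reply through; only the stateless filter also lets the crafted packet reach 10.0.0.9:445, because "source port 443" is the only thing it can check.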

Next-Generation Firewalls: Application Awareness

Next-generation firewalls (NGFWs) — the current enterprise standard — operate at the application layer. Rather than simply examining IP addresses and ports, an NGFW can identify the specific application generating the traffic, the user generating it, and the content being transmitted. An NGFW can enforce a rule that says: allow Salesforce traffic from authenticated users on corporate devices, block file uploads to personal Dropbox regardless of port, alert on any connection to known malicious infrastructure. This application-layer visibility closes attack paths that packet filtering and stateful inspection cannot address, because attackers long ago learned to route malicious traffic over port 443 — the same port as legitimate HTTPS web traffic.

What Firewalls Cannot Protect Against

The most dangerous misconception in mid-market security is that a firewall provides comprehensive network protection. It does not. Understanding what a firewall explicitly does not protect against is as important as understanding what it does.

Encrypted Traffic Blind Spots

Most internet traffic, and much of the malicious traffic with it, is encrypted with TLS. Without decryption a firewall sees only connection metadata: the internal and external IP addresses, the port, the server name sent in the TLS handshake (SNI) and, for older TLS versions, the server certificate. That is enough to block connections to known-bad destinations, but not to see what is inside the session. Malware talking to command-and-control infrastructure over HTTPS, data leaving through an encrypted channel, and adversary-in-the-middle sessions that use an innocuous-looking destination all pass as ordinary web traffic unless SSL/TLS inspection is enabled. TLS inspection means the firewall decrypts, inspects, and re-encrypts traffic, which requires its issuing certificate to be trusted on every managed device and has a real throughput cost. Most NGFWs support it, but the performance overhead and certificate management complexity lead many organizations to disable it or scope it narrowly, and certificate-pinned applications and regulated categories such as banking or health traffic usually have to be excluded in any case.

Insider Threats and Lateral Movement

A firewall controls traffic at the network perimeter — the boundary between your internal network and external networks. Once an attacker is inside your network, either through a compromised credential, a phishing attack, or physical access, the perimeter firewall provides no protection against their lateral movement. The attacker is now on the trusted side of the firewall. This is why network segmentation and internal firewalls — creating boundaries between different parts of the internal network — are essential complements to perimeter firewall deployment.

Application-Layer Attacks

SQL injection, cross-site scripting, and other application-layer attacks operate within legitimate HTTP/HTTPS traffic. A perimeter firewall sees valid web traffic reaching a web application and permits it. The malicious payload is inside the legitimate request. Protecting against application-layer attacks requires a Web Application Firewall (WAF) — a specialized control that understands web application protocols and can detect malicious patterns within permitted traffic.

What PE Operating Partners Must Know About Firewall Deployments

The Configuration Problem

The most common firewall finding in Cloudskope's M&A due diligence engagements is not the absence of a firewall — it is a firewall with a ruleset that has accumulated years of exceptions, overrides, and undocumented changes that collectively create significant exposure. Firewall rules are added when business needs arise and are almost never removed when those needs change. A portco that connected to an acquired company five years ago may still have an allow rule permitting that legacy network unrestricted access to the internal environment. A development team that needed temporary external access to a test server may have an allow rule that was never revoked. Over time, the firewall becomes a Swiss cheese perimeter with documented rules that suggest tight control and undocumented exceptions that create real exposure.

The Right Questions

When evaluating firewall posture in a portco environment, the questions that matter are: When was the ruleset last reviewed and cleaned? Is there a formal change management process for firewall rule additions? Are east-west controls — internal network segmentation — in place, or does the firewall only control north-south perimeter traffic? Is SSL inspection enabled, and if not, what compensating controls address encrypted threat traffic? Are firewall logs being collected, stored, and monitored by a SIEM or MDR service?
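Several of those questions can be answered mechanically once the ruleset is exported. The following is an added example, not a Cloudskope tool or a vendor export format: it runs three checks over a constructed, ordered, first-match ruleset that reproduces the patterns described above (an acquisition-era rule far broader than anyone remembers, a "temporary" exception with no hits, rules that can never match because an earlier, broader rule always wins, and an any/any allow sitting above the default deny). Rule names, networks and hit counters are made up.

```python
"""Ruleset hygiene review over a constructed first-match firewall policy.

Added example, not a Cloudskope tool or a vendor export format. The rules
and hit counters are constructed to show the findings the text describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    dport: str                      # "any", "443", or a range like "1024-65535"
    action: str                     # "allow" or "deny"
    days_since_hit: Optional[int]   # None = never matched since counters started


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _ports(spec):
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def covers(broad, narrow):
    """True if every packet that matches `narrow` also matches `broad`."""
    if not _net(narrow.src).subnet_of(_net(broad.src)):
        return False
    if not _net(narrow.dst).subnet_of(_net(broad.dst)):
        return False
    blo, bhi = _ports(broad.dport)
    nlo, nhi = _ports(narrow.dport)
    return blo <= nlo and nhi <= bhi


def review(rules, stale_days=90):
    """Return (rule name, finding) pairs for an ordered, first-match ruleset."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and (rule.src, rule.dst, rule.dport) == ("any", "any", "any"):
            findings.append((rule.name, "any/any allow"))
        # Shadowing: an earlier rule matches everything this one would, so this
        # rule never fires, whatever its action says.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, f"shadowed by {earlier.name}, never matches"))
                break
        if rule.action == "allow" and (rule.days_since_hit is None or rule.days_since_hit > stale_days):
            findings.append((rule.name, f"stale: no hits in {stale_days} days"))
    return findings


SAMPLE_RULES = [  # constructed ruleset, evaluated top to bottom
    Rule("allow-web-in", "any", "10.1.1.10/32", "443", "allow", 0),
    Rule("legacy-acme-merger", "172.16.0.0/12", "any", "any", "allow", 1800),
    Rule("dev-temp-rdp", "203.0.113.0/24", "10.1.5.20/32", "3389", "allow", None),
    Rule("acme-db", "172.16.8.0/24", "10.1.2.0/24", "1433", "allow", None),
    Rule("troubleshoot-2019", "any", "any", "any", "allow", 3),
    Rule("default-deny", "any", "any", "any", "deny", 0),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_RULES):
        print(f"{name:20} {finding}")
```

The shadowing check is the one reviewers most often skip: the narrow acme-db rule looks like tight control, but the legacy merger rule above it is doing the real work, and the default deny at the bottom is unreachable because an any/any "troubleshooting" rule sits in front of it. Real exports carry more fields (zones, services, users, hit counts), but the same three questions apply.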

Cloud Environments

Organizations that have moved workloads to AWS, Azure, or GCP operate in environments where the perimeter-appliance model does not map directly. Traffic between cloud resources is governed by security groups, network access control lists (NACLs), and cloud-native firewall services, and their defaults are permissive in ways that are easy to miss: the default AWS security group allows all traffic between its members, the default NACL allows everything in and out, Azure's default network security group rules allow all traffic within the virtual network, and GCP's default VPC ships with a default-allow-internal rule. In many mid-market deployments those defaults are never tightened, so the cloud estate becomes a flat internal network with no east-west control, the same segmentation gap as on premises. A comprehensive firewall assessment must therefore include cloud network controls, not only on-premises hardware.
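The cloud equivalent of a ruleset review is a pass over the exported security groups. The following is an added example, not a Cloudskope tool: the data follows the shape of `aws ec2 describe-security-groups` output but is constructed, with a "default" group carrying the self-referencing allow-all rule described above, a web group that exposes SSH to the whole internet alongside HTTPS, and a database group that only accepts traffic from the web group. Group IDs and names are made up; the port and CIDR thresholds are assumptions a reviewer would tune per environment.

```python
"""Cloud network-control review over a constructed AWS security-group export.

Added example, not a Cloudskope tool. SAMPLE_GROUPS mimics the shape of
`aws ec2 describe-security-groups` output; the contents are constructed.
"""

ANYWHERE = "0.0.0.0/0"
INTERNET_FACING_OK = {80, 443}  # ports a web tier is expected to expose (assumption)


def port_range(perm):
    """IpProtocol "-1" means all protocols, and therefore every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def review_security_groups(groups):
    """Return (GroupId, finding) pairs for inbound rules that flatten the network."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = port_range(perm)
            # Anything reachable from 0.0.0.0/0 that is not a plain web port.
            for rng in perm.get("IpRanges", []):
                if rng["CidrIp"] == ANYWHERE and not (lo == hi and lo in INTERNET_FACING_OK):
                    findings.append((sg["GroupId"], f"ports {lo}-{hi} open to the internet"))
            # The default-SG pattern: all protocols, all ports, from every member
            # of the same group. Every instance attached to it can reach every other.
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] == sg["GroupId"] and perm["IpProtocol"] == "-1":
                    findings.append((sg["GroupId"], "default-SG pattern: all traffic between every member"))
    return findings


SAMPLE_GROUPS = [  # constructed
    {"GroupId": "sg-0default", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}]},
    {"GroupId": "sg-0web", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": ANYWHERE}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": ANYWHERE}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-0db", "GroupName": "db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]}]},
]

if __name__ == "__main__":
    for group_id, finding in review_security_groups(SAMPLE_GROUPS):
        print(group_id, finding)
```

The database group passes because it references the web group rather than a CIDR, which is the segmentation the text recommends; the two findings are the flat default group and SSH exposed to the internet. Azure NSGs and GCP firewall rules have different export formats, but the same two questions (what is reachable from the internet, and what is reachable from everything inside) apply.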

Real-World Example: The Target Breach — A Firewall That Let the Attacker Walk Out

The 2013 Target breach, which exposed 40 million credit card numbers and 70 million customer records, is the textbook example of perimeter firewall success combined with internal control failure. Target's perimeter firewall correctly restricted external access to internal systems. The attackers, who gained initial access through a third-party HVAC vendor's credentials, were on the trusted internal network from the moment they authenticated. The perimeter firewall never saw their lateral movement from the vendor access environment to the point-of-sale network, because that movement occurred entirely within what the firewall treated as trusted internal traffic. The breach was not a firewall failure in the traditional sense — it was a network segmentation failure that the firewall was never designed to prevent.

94% of organizations have at least one firewall deployed, yet network-layer attacks are responsible for over 40% of successful breaches. A firewall is table stakes, not a security posture.

How Cloudskope Can Help

Cloudskope's cyber risk assessments include comprehensive firewall configuration review — ruleset analysis, east-west segmentation evaluation, SSL inspection coverage assessment, and cloud network control review. For PE sponsors conducting pre-close technical due diligence, firewall posture is a standard component of our network security assessment. We identify the configuration gaps that create real exposure behind the appearance of perimeter protection.