The firewall is the foundation of most network security architectures. It sits at the perimeter, filters traffic, and blocks access to ports and services that should not be exposed. For decades, it was the primary answer to the question of how you keep attackers out. That model is no longer adequate on its own and has not been for some time.
This is not a criticism of firewalls. A correctly configured firewall performs an important function. The problem is the assumption that a firewall means you are protected. Modern attack methods routinely operate through channels that firewalls permit: HTTP, HTTPS, email, and encrypted traffic that the firewall cannot inspect without additional controls.
How Attackers Get Through
Phishing email delivers a payload to an internal host. The user clicks. The malware beacons out over HTTPS traffic the firewall permits by default. The attacker now has a foothold inside the network with no inbound connection required. The firewall never saw an attack because nothing tried to push through it.
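The firewall does still log the outbound connections that beacon makes, so the detectable signal is timing rather than direction. The following is an added example, not code from the article: it reads a constructed, simplified "timestamp src dst port bytes_out" export of permitted outbound HTTPS connections and flags source/destination pairs whose connection intervals are too regular to be human browsing. The log format, hosts and thresholds are all assumptions for illustration.

```python
"""Beacon detection over permitted outbound HTTPS connection logs.

Added example (not from the original article). The log format is a
constructed, simplified firewall/proxy export:
    "timestamp src dst port bytes_out"
Real exports differ; only these five fields are assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.12 checks in with the same host roughly every
# 60 s (a fixed sleep plus small jitter); 10.0.0.30 browses with irregular
# timing and varying sizes.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.12 203.0.113.50 443 512
2024-03-01T09:00:05 10.0.0.30 198.51.100.20 443 14000
2024-03-01T09:01:01 10.0.0.12 203.0.113.50 443 530
2024-03-01T09:01:40 10.0.0.30 198.51.100.21 443 2200
2024-03-01T09:02:00 10.0.0.12 203.0.113.50 443 498
2024-03-01T09:02:10 10.0.0.30 198.51.100.20 443 900
2024-03-01T09:03:02 10.0.0.12 203.0.113.50 443 515
2024-03-01T09:03:59 10.0.0.12 203.0.113.50 443 520
2024-03-01T09:05:00 10.0.0.12 203.0.113.50 443 505
2024-03-01T09:05:30 10.0.0.30 198.51.100.22 443 38000
"""


def parse_log(text):
    """Yield (datetime, src, dst, port, bytes_out); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, size = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(port), int(size)
        except ValueError:
            continue


def find_beacons(text, min_connections=5, max_jitter=0.2):
    """Return (src, dst, mean_interval_seconds) for flows whose timing is
    suspiciously regular.

    max_jitter bounds the coefficient of variation (stdev / mean) of the
    gaps between successive connections; a fixed sleep gives a value near 0,
    while a person clicking links gives a much larger one.
    """
    flows = defaultdict(list)
    for ts, src, dst, _port, _size in parse_log(text):
        flows[(src, dst)].append(ts)

    results = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            results.append((src, dst, round(avg, 1)))
    return results


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

On the sample data only the 10.0.0.12 to 203.0.113.50 flow is reported (six connections, about 60 s apart). In production the same logic runs over a day's worth of proxy or NetFlow records per source host, with the thresholds tuned against known-good traffic such as update checks, which also beacon on a schedule.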
Web application vulnerabilities give attackers a different path. A public-facing application on port 443, a port any reasonable firewall allows, contains an SQL injection flaw. The attacker queries the database through the application, and every request looks like ordinary web traffic.
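The flaw in this scenario lives in the application code, which is why no perimeter rule can close it. The following added example (not from the article) shows the vulnerable query beside its parameterised fix against an in-memory SQLite database; the table, users and payload are constructed for illustration, and the payload is the textbook tautology that both the fix and any WAF signature are designed to neutralise.

```python
"""SQL injection reaches the database through a permitted HTTPS request.

Added example, not from the original article. Uses an in-memory SQLite
database so it runs offline; table contents and the payload are constructed.
"""
import sqlite3


def make_db():
    """Build a tiny users table to query against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' code: the request parameter is pasted into the SQL text,
    so a value containing quotes changes the query's meaning."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """The fix: the driver binds the value separately from the statement,
    so whatever the request contains is compared as data, never parsed as SQL."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed payload: the classic always-true clause. In the vulnerable
# function it turns the WHERE clause into username = '' OR '1'='1'.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, payload:     ", lookup_vulnerable(db, PAYLOAD))
    print("safe, payload:           ", lookup_safe(db, PAYLOAD))
```

Both functions receive exactly the same HTTPS request; the difference is entirely inside the application. A WAF can block the well-known pattern as a second layer, but parameterised queries are the control that removes the class of bug.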
Compromised credentials are another vector the firewall cannot address. A valid username and password entered at a legitimate login page produces legitimate traffic. From the firewall’s perspective, nothing suspicious is happening.
The Attack Surface Your Firewall Cannot See
External network penetration testing examines exactly what is reachable from the outside: which services are exposed, which protocols are in use, and which vulnerabilities are accessible without authentication. The results frequently surprise organisations that have invested heavily in firewall infrastructure.

Cloud services are particularly prone to firewall blind spots. Resources deployed in AWS, Azure, or Google Cloud operate outside the traditional perimeter. A misconfigured storage bucket or an exposed management API is accessible from the internet regardless of what your on-premises firewall rules say.
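Because a storage bucket's reachability is decided by its own policy rather than by any network rule, the check has to be made against that policy. The following added example (not from the article) evaluates an S3-style bucket policy document offline and reports the statements that any caller on the internet can satisfy: an Allow with a wildcard principal and no Condition block. The policies, bucket name, account ID and VPC endpoint ID are constructed placeholders.

```python
"""Flag bucket policy statements that grant anonymous access.

Added example (not from the original article). Works on the policy JSON
directly, so it runs offline; the sample policies below are constructed.
"""
import json

# Constructed sample: world-readable objects plus one scoped role grant.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Corrected version: the same read grant, but only via a named VPC endpoint
# (endpoint ID is a placeholder).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpcRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE0000"}}},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _is_wildcard_principal(principal):
    """True when the statement applies to everyone, anonymous callers included.
    Handles the "*" shorthand and the {"AWS": "*"} / {"AWS": ["*", ...]} forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        if isinstance(values, str):
            values = [values]
        return "*" in values
    return False


def public_statements(policy_json):
    """Return the Sids (or positional labels) of Allow statements with a
    wildcard principal and no Condition: these are reachable by anyone."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]

    flagged = []
    for i, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(statement.get("Principal")):
            continue
        if statement.get("Condition"):
            continue  # scoped by a condition: worth reviewing, but not open to all
        flagged.append(statement.get("Sid", f"statement[{i}]"))
    return flagged


if __name__ == "__main__":
    print("public:", public_statements(PUBLIC_POLICY))
    print("restricted:", public_statements(RESTRICTED_POLICY))
```

A conditional wildcard grant is skipped here rather than flagged, because whether it is safe depends on the condition key; a reviewer should still read those statements, and account-level public-access blocks remain the stronger control because they apply regardless of what any individual policy says.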
Remote work has created further complexity. Employees connecting from home, from coffee shops, and from hotel networks interact with corporate resources over connections that do not pass through the corporate firewall at all.
What a Modern Defence Needs
Defence in depth means layering controls so that no single failure results in a breach. Web application firewalls (WAFs) sit in front of web applications and filter malicious request patterns. Endpoint detection and response (EDR) tools monitor for suspicious behaviour on individual devices regardless of how the attacker got there.
Email security controls (DMARC, DKIM, SPF, and a capable secure email gateway) address the phishing vector that bypasses perimeter firewalls entirely. Multi-factor authentication reduces the value of compromised credentials.
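Publishing a DMARC record is not the same as enforcing one: a record with p=none only monitors. The following added example (not from the article) parses a DMARC TXT record and lists the settings that leave spoofed mail deliverable. It takes the record text directly so that it runs offline; in practice the text comes from a DNS TXT lookup of _dmarc.<domain>. The sample records and the reporting address are constructed.

```python
"""Parse a DMARC TXT record and report settings short of full enforcement.

Added example (not from the original article). Operates on record text;
the records and addresses below are constructed.
"""

# Constructed samples: a monitoring-only record and an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = ("v=DMARC1; p=reject; "
                 "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")

# Policy strength ordering used to compare sp= against p=.
_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Return the record's tag/value pairs as a dict.

    Raises ValueError when the record is malformed, does not start with
    v=DMARC1, or lacks the mandatory p= tag; receivers treat such records
    as 'no policy published'.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required tag p= is missing")
    return tags


def is_valid_dmarc(record):
    """Convenience wrapper: True if the record parses as a usable policy."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def dmarc_findings(record):
    """List the ways the record falls short of an enforcing, monitored policy."""
    tags = parse_dmarc(record)
    findings = []

    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine diverts spoofed mail to spam instead of rejecting it")

    pct = tags.get("pct", "100")  # default is 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")

    sub_policy = tags.get("sp", "").lower()
    if sub_policy and _STRENGTH.get(sub_policy, -1) < _STRENGTH.get(policy, -1):
        findings.append(f"sp={sub_policy} lets subdomains be spoofed under a weaker policy")

    return findings


if __name__ == "__main__":
    for record in (WEAK_RECORD, STRONG_RECORD):
        print(record)
        for finding in dmarc_findings(record) or ["no findings"]:
            print("  -", finding)
```

The record is only the policy half of the control; SPF and DKIM still have to be set up so that legitimate mail passes, which is why organisations typically move from p=none to p=quarantine to p=reject while reading the aggregate reports that the rua= address receives.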
Vulnerability scanning services provide continuous visibility into your exposed attack surface. Where a firewall blocks threats, scanning tells you what is reachable and whether it contains exploitable weaknesses.
Rethinking the Security Model
Organisations that treat the firewall as their primary security control are operating with a model built for a threat landscape that no longer exists. The perimeter has dissolved. Attackers operate through permitted channels, exploit trusted relationships, and target endpoints rather than pushing through firewalls.
The right framing is not ‘how do we keep attackers out’ but ‘how do we detect and contain them when they get in.’ Firewalls remain a useful component of that response. They just cannot be the whole answer.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“Firewalls are necessary but nowhere near sufficient. The attacks that cause real damage almost always operate through channels the firewall permits. Building detection and response capability is just as important as perimeter control.”
