What Firewalls Can — and Can't — Accomplish

Dark Reading logo

Understanding the limitations of firewalls is important to protecting the organization from evolving threats.

As seen on Dark Reading by Pat McGarry

Firewalls were born in the 1990s, alongside Windows 95 and Internet Explorer. They’ve been a staple of network security since, which prompts the question: Are firewalls still relevant? The determining factor is whether firewalls have grown with the changes we’ve seen in technology or if they’ve just stayed in line with the technology of the 1990s and early 2000s. 

How Firewalls Work & How They Don’t

Firewalls work primarily on the principle of deep packet inspection. Data packets are the units of information that constitute any type of Internet traffic, including Web traffic. They protect networks by checking the payload of every data packet trying to enter or leave a network and blocking any packets that contain malicious content. Content typically is defined as malicious through a series of rather complex policies and rules.

Today, data is almost always encrypted. Encryption ensures that good incoming and outgoing traffic is protected from prying eyes, but, unfortunately, it also hides bad incoming and outgoing traffic. Some firewalls can de-encrypt data packets, check their payload, and then re-encrypt them, but this process is computationally intensive and can bog down the network significantly. Also, this process is not always an available option given how many modern security protocols block the types of man-in-the-middle operations required for full-blown SSL inspection.

Leveraging IP Addresses

Indeed, deep packet inspection is becoming an antiquated security practice, but there are other ways to identify whether specific activity is malicious.

For example, some organizations blacklist malicious Web domains, then automatically block traffic from those sites, while others use tactics such as SIEM log analysis. However, these types of monitoring and alert systems are reactive: They tell you that you’ve been attacked, but don’t block the malicious traffic that can cause an attack. 

I staunchly believe in multifaceted security, with a simple set of three starting points:

  1. Don’t reuse passwords.
  2. Regularly update your software.
  3. Use the truest lowest-common-denominator of Internet traffic — the IP address itself — to your advantage, as a key foundational tenet of your cyber security stack.

It’s the third leg of that stool that can help ensure that your organization achieves a proactive posture when it comes to malicious traffic.

Since all traffic is identified by a unique IP address, focusing on IP is a simple way to identify and block any packets coming from or going to known malicious sources — without ever needing to check their contents. It doesn’t matter if the data being transferred is encrypted or not.

Surprisingly to some, firewalls can’t and don’t perform this function very well because you need a very different hardware and software architecture to achieve deep packet inspection versus achieving IP filtering at scale. 


While firewalls are a very important tool in organizations’ security arsenals, it’s important to align security solutions with security threats. As cyberattacks evolve, organizations should consider the kinds of tools that will be needed to complement and shore up firewall protection.