Your Firewall Is Not a Security Strategy

A firewall handles the perimeter. The real security problems are usually inside it — and a single appliance was never meant to carry that entire burden.

A few years ago, I was asked to investigate a small business network after a ransomware incident. The first thing management wanted to discuss was the firewall.

They had recently purchased a new one.

It was a reputable product, properly licensed and fully operational. On paper, it should have been doing everything they expected.

The problem wasn’t the firewall.

The problem was that every workstation sat on the same network, several systems hadn’t been patched in months, multiple staff shared passwords, and remote access had been opened up years earlier with little oversight.

The firewall became the obvious thing to blame because it was visible. The real issues were buried inside the network.

After reviewing countless small business environments over the years, I’ve noticed the same pattern repeatedly: many organisations view the firewall as the security solution when it’s really just one piece of the puzzle.

A good firewall is important. It just isn’t a complete security strategy.

What Firewalls Actually Do Well

Firewalls are extremely valuable tools.

They help control traffic entering and leaving your network. They can block unwanted connections, inspect traffic, filter malicious activity and provide visibility into what’s happening at the network edge.

For most businesses, the firewall serves as the primary gatekeeper between internal systems and the internet.

That’s an important job.

A properly configured firewall can reduce exposure to unnecessary services, limit attack surfaces and help identify suspicious activity before it becomes a bigger problem.

In many environments, the firewall is doing exactly what it was designed to do.

Unfortunately, people often expect it to solve problems that aren’t firewall problems.

What Firewalls Can’t Protect You From

A firewall has limited visibility into day-to-day behaviour inside your network.

It cannot prevent an employee from using a weak password.

It cannot force someone to apply software updates.

It cannot automatically redesign a poorly structured network.

It also cannot compensate for years of neglected infrastructure decisions.

I’ve reviewed environments where the firewall logs showed nothing unusual because the problem never crossed the firewall in the first place. The issue was entirely internal.

When organisations rely on a single device to carry the entire security burden, gaps inevitably appear.

Flat Networks Create Big Problems

One of the most common issues I encounter is the flat network.

In a flat network, nearly everything lives on the same segment. Workstations, servers, printers, network equipment, security cameras and other devices can often communicate freely with one another.

This approach is simple to deploy, but it creates unnecessary risk.

If one device becomes compromised, moving around the network becomes much easier.

I’ve walked into environments where accounting systems, production systems and guest devices were effectively neighbours on the same network.

Management often assumed the firewall was protecting them.

The firewall was doing its job at the perimeter. The problem was the lack of separation inside the network itself.

Poor Password Practices Still Cause Real Problems

Technology can only do so much.

I’ve seen expensive security appliances protecting networks where users shared passwords through email, reused the same credentials across multiple systems or kept passwords written on sticky notes.

No firewall can fix that.

Strong password policies and multi-factor authentication eliminate a surprising number of common problems before they start.

They’re not exciting infrastructure upgrades, but they consistently provide value.

Good security often comes from simple habits rather than expensive hardware.

Unpatched Systems Don’t Become Safe Behind a Firewall

Another common misconception is that systems become secure simply because they’re sitting behind a firewall.

They don’t.

Operating systems, applications and network devices all require maintenance.

I’ve reviewed environments where servers hadn’t been updated for years because somebody assumed the firewall provided enough protection.

In reality, those outdated systems often represented the greatest risk in the environment.

A firewall can reduce exposure.

It cannot replace routine maintenance.

Keeping systems updated remains one of the most practical ways to reduce avoidable problems.

Segmentation Makes Networks Easier to Protect

When experienced engineers design networks, they usually think about separation.

Servers may sit on their own network. User devices may sit on another. Guest Wi-Fi may be completely isolated. Management interfaces may be restricted to specific administrative systems.

This is segmentation.

The goal isn’t complexity for its own sake.

The goal is reducing unnecessary communication between devices.

If an issue occurs in one area, segmentation helps prevent it from affecting everything else.

Many of the environments I’ve helped clean up would have benefited far more from basic segmentation than from replacing perfectly good firewall hardware.

From Amazon.ca

Managed switches with VLAN support are the practical foundation of network segmentation. TP-Link, Netgear, and Mikrotik all make options suitable for small business and enterprise environments at different price points — Browse options on Amazon.ca

Remote Access Is Often the Real Issue

Remote access is another area where problems frequently appear.

Years ago, many businesses enabled remote connections as quickly as possible to keep operations moving.

In some cases, those temporary solutions became permanent.

I’ve found old remote access accounts that were never removed, overly permissive VPN configurations and systems exposed directly to the internet without clear justification.

When problems eventually occur, attention often turns to the firewall.

But the firewall simply allowed access based on rules that somebody created.

The real issue was how remote access had been designed and maintained.

Weak Wi-Fi Security Creates Internal Risk

Many small businesses focus intensely on protecting their internet connection while paying very little attention to wireless security.

I’ve seen shared Wi-Fi passwords that hadn’t changed in years.

I’ve seen guest networks connected directly to internal business resources.

I’ve seen former employees who likely still knew the wireless credentials long after leaving the company.

Good Wi-Fi design matters.

Separate guest access, strong authentication and proper network segmentation often provide more practical protection than many organisations realise.

Security Is About Layers

The most experienced engineers I know rarely talk about a single device when discussing security.

They think about layers.

The firewall is one layer. Identity management is another. Patching is another. Network segmentation is another. Wi-Fi design is another. Backup and recovery planning is another.

Each layer helps compensate for weaknesses elsewhere.

That’s important because no technology is perfect.

Eventually, something will fail, be misconfigured or be overlooked.

Well-designed environments account for that reality.

Focus on the Network, Not Just the Firewall

If you’re evaluating the security of your environment, start by looking beyond the firewall.

Ask whether systems are segmented appropriately. Review remote access. Patch neglected systems. Improve password practices. Evaluate wireless security. Document how critical systems communicate.

A quality firewall is absolutely worth having.

But after reviewing many small business networks over the years, I’ve learned that the strongest environments are rarely the ones with the most expensive firewall.

They’re the ones where the overall network was designed thoughtfully from the beginning.


Questions or corrections? info@mb-networks.ca