What Is a Firewall and Does Your Business Need One?

Every business connected to the internet needs a firewall. That's not a sales pitch — it's basic network security. But "firewall" is a term that gets used loosely, covering everything from the software on your laptop to enterprise hardware that costs tens of thousands of dollars. Understanding what each type does (and doesn't do) helps you figure out what your business actually needs.

What a Firewall Does

A firewall monitors network traffic and decides what to allow and what to block based on a set of rules. Traffic flows in two directions — into your network from the internet, and out from your network to the internet — and a firewall controls both.

At its most basic, a firewall blocks incoming connections to services you're not running. If your business doesn't have a public-facing web server, there's no reason for incoming web traffic to reach your internal network. A firewall enforces that.

At a more sophisticated level, a firewall inspects the content of traffic, not just where it's coming from and going. It can detect patterns associated with attacks, block known malicious destinations, enforce policies about what internal users can access, and log everything for review.

Types of Firewalls

Packet filtering firewalls are the oldest type. They look at the source and destination IP address and port of each packet and decide whether to allow or block it. They're fast and simple, but they don't inspect the content of traffic — they only look at the envelope, not what's inside.

Stateful inspection firewalls track the state of network connections. They know whether a packet is part of an established, legitimate connection or something that arrived unexpectedly. This catches a range of attacks that packet filtering misses, and it's the standard minimum for business networks.

Next-generation firewalls (NGFW) do everything stateful firewalls do, plus deep packet inspection (looking at the actual content of traffic), application awareness (identifying what application is generating the traffic, not just what port it's using), intrusion prevention, SSL/TLS inspection, and integration with threat intelligence feeds. These are the standard for serious business security.

Web application firewalls (WAF) are a specialized type designed to protect web applications. If your business runs a public-facing web application — a customer portal, an e-commerce site, a booking system — a WAF sits in front of it and filters out common web attacks like SQL injection and cross-site scripting. A network firewall doesn't do this.

Hardware vs. Software Firewalls

Most computers and servers come with a software firewall built in — Windows Defender Firewall, for example. This provides basic protection at the device level, filtering traffic to and from that specific machine.

A hardware firewall (or a dedicated firewall appliance) sits at the perimeter of your network, between your internal network and the internet. It protects all devices on your network at once, and it can do more sophisticated inspection because it's dedicated hardware running purpose-built software.

For a business, you want both: a perimeter firewall protecting the network, and software firewalls on individual devices as a second layer.

What a Firewall Doesn't Do

This is the part that gets businesses in trouble. A firewall is necessary but not sufficient.

A firewall doesn't stop phishing attacks. When an employee clicks a malicious link in an email, that connection is initiated from inside your network — it looks like legitimate outbound traffic to the firewall.

A firewall doesn't protect against compromised credentials. If an attacker has a valid username and password for your VPN or remote access system, they can connect through the firewall legitimately.

A firewall doesn't stop malware that arrives via USB, email attachments opened on an endpoint, or software downloaded and run by users.

A firewall doesn't replace proper endpoint security, email security, multi-factor authentication, or user training. It's one layer of a multi-layer defense.

What Most Small Businesses Actually Need

For a small business with a typical office setup — a handful of employees, a local network, Microsoft 365 or Google Workspace, maybe a line-of-business application — the baseline should be:

A next-generation firewall at the network perimeter. Vendors like Fortinet, Sophos, and Cisco Meraki make models appropriate for small business environments. These typically run $500–$2,000 for the hardware plus annual licensing for threat intelligence updates.

Software firewalls enabled on all endpoints. This is already the default on Windows and macOS — just make sure it hasn't been disabled.

A managed firewall service or someone who reviews the logs. A firewall that's configured and then never reviewed is better than nothing, but not by much. Firewall logs show attempted attacks, unusual traffic patterns, and policy violations — that information is only useful if someone looks at it.

If your business has a public-facing web application, add a WAF to that list.

Cloud and Remote Work Considerations

If your team works remotely or uses cloud services, the traditional perimeter firewall model needs updating. When employees work from home, they're outside your perimeter firewall. When your data lives in Microsoft 365 or a SaaS application, it's outside your perimeter too.

This has pushed many organizations toward cloud-based security models — where security controls travel with the user and the data, rather than sitting at the edge of a physical office network. Tools like cloud-delivered NGFW (Fortinet, Palo Alto, Zscaler) and Zero Trust Network Access (ZTNA) solutions handle this.

For a small business, the practical implication is: make sure your remote workers have software firewalls on their devices, use a VPN or Zero Trust access solution to connect to internal resources, and ensure your Microsoft 365 or cloud platform has its own security controls enabled — not just the network firewall.

How to Evaluate What You Have

If you're not sure what firewall protection you currently have, these are the questions to ask your IT team or provider:

• What firewall is protecting our network perimeter, and when was it last updated?
• Is deep packet inspection and intrusion prevention enabled?
• Who reviews the firewall logs, and how often?
• How are remote workers protected when they're off the office network?
• Do we have a WAF if we run any public-facing web applications?

If the answers are vague, that's a signal worth acting on.