Why Your Firewall Isn’t Enough: The Limits of Perimeter Security

Your firewall is important, but it’s just not enough.

For years, the security model was simple: build a strong perimeter around your network. Put up a firewall, lock down the border, and keep the bad guys outside. Everything inside the perimeter was trusted, and everything outside was a threat.

This worked reasonably well when your business operated from a single office, employees worked at desks connected to your network, and applications ran on servers in your closet.

That’s not how businesses operate anymore.

Your employees work from home, coffee shops, and airports. Your applications run in the cloud. Your data lives on SaaS platforms. Your partners need access to your systems. Your customers interact directly with your services.

The perimeter you’re trying to protect no longer exists. And the threats you’re defending against? Many of them are already inside.

 

The Castle Wall Model Is Broken

Traditional perimeter security works like a castle: build high walls, guard the gates, and assume everything inside is safe while everything outside is dangerous.

Firewalls embody this model. They sit at the network boundary, inspecting traffic coming in and going out, blocking what looks suspicious and allowing what seems legitimate.

This creates a fundamental problem: once something gets past the firewall, it’s trusted.

An attacker who compromises an employee’s laptop through phishing now has a trusted device inside your network. Traffic from that laptop isn’t stopped by your firewall because it originates inside the network. The malware can spread laterally, access internal systems, and exfiltrate data, all while your firewall sits there protecting a perimeter that’s already been breached.

Your firewall stopped exactly zero of this attack because the attack didn’t come through the firewall. It came through your employee’s email.

 

Where Threats Actually Come From

Let’s look at how businesses actually get compromised:

  • Phishing emails trick employees into clicking malicious links or downloading infected attachments. These come through email, not through your firewall. Your firewall never sees them.
  • Compromised credentials from password reuse, data breaches at other companies, or weak passwords. Attackers log in using legitimate credentials. Your firewall sees this as normal, authorized access.
  • Vulnerable web applications that get exploited through SQL injection, cross-site scripting, or business logic flaws. Your firewall allows web traffic; that’s its job. It can’t distinguish between legitimate user activity and exploitation attempts that appear to be normal web requests.
  • Insider threats from employees, contractors, or partners who already have authorized access. The firewall isn’t designed to keep out people who are supposed to be inside.
  • Cloud service compromise where attackers breach your SaaS provider, access your data through APIs, or exploit misconfigurations in your cloud environment. Your firewall doesn’t protect cloud services it doesn’t control.
  • Supply chain attacks through compromised software updates, malicious code in third-party libraries, or breaches at vendors who have access to your systems. These come through trusted channels that your firewall explicitly allows.
  • Remote access exploitation through VPNs, remote desktop, or cloud access that bypasses your firewall entirely or uses credentials your firewall trusts.

 

Notice a pattern? Most modern attacks don’t involve breaking through your firewall. They involve going around it or exploiting trust after getting past it.

 

The Trust Problem

What about remote employees? Are they inside or outside the perimeter? Their devices are “inside” when they’re on the VPN but “outside” when they’re not. The same device changes trust levels based on network location, which makes no sense.

What about cloud services? Your data in Microsoft 365 or Salesforce isn’t behind your firewall. Your firewall can’t inspect what happens there. Is that data inside your perimeter or outside?

What about partners and contractors? They might need access to specific systems. Do you put them inside the firewall (giving them access to everything internal) or outside (requiring complex access through the firewall)?

What about mobile devices? Employees access company email and data from phones that are never behind your firewall. Are those trusted or untrusted?

The binary trust model breaks down when the perimeter disappears.

 

Lateral Movement: The Real Problem

Let’s say your firewall successfully blocks 99% of attack attempts from the internet. Great. But that 1% that gets through, maybe via a phishing email, a compromised credential, or an exploited web vulnerability, is now inside your trusted network.

What happens next? In traditional perimeter security models, that attacker has relatively free movement inside the network. Internal systems trust other internal systems. Employees can access multiple systems with the same credentials. Network segmentation is minimal or non-existent.

The attacker who got past your firewall can now:

  • Move laterally from the compromised system to other internal systems
  • Escalate privileges from normal user to administrator
  • Access sensitive data across different systems
  • Establish persistent access through multiple entry points
  • Exfiltrate data over time without triggering alarms

 

Your firewall defended the perimeter successfully 99 times. But the one breach that succeeded had access to everything because internal trust was implicit.

This is how sophisticated breaches work: initial compromise through a method that bypasses perimeter defenses, followed by weeks or months of lateral movement and data gathering before detection.

 

What Actually Works: Defense in Depth

The solution isn’t getting rid of your firewall. It’s recognizing that your firewall is one layer of security, not your entire security strategy.

Effective security requires multiple layers that assume breaches will happen:

  • Zero-trust architecture that verifies every access request regardless of network location. Don’t trust based on network position; trust based on identity, device health, and context.
  • Endpoint protection that detects malicious behavior on devices even after they’re compromised. Firewalls don’t protect the endpoints themselves.
  • Multi-factor authentication that prevents credential compromise from granting full access. Even if attackers steal passwords, they can’t get past MFA.
  • Network segmentation that limits lateral movement. The compromise of one system shouldn’t mean the compromise of all systems.
  • Application security that protects web applications from exploitation. Firewalls allow web traffic through, and application security helps ensure that traffic doesn’t exploit vulnerabilities.
  • Email security that stops phishing and malicious attachments before they reach users. This addresses the attack vector that bypasses firewalls entirely.
  • Monitoring and detection that identifies suspicious behavior inside your network. Assume things get past your perimeter and watch for what happens next.
  • Access controls that limit what each user and system can access based on need. Reduce the damage from any single compromise.

 

None of these replaces your firewall. They complement it by addressing the threats that perimeter security doesn’t stop.
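
To make the segmentation point concrete, the sketch below is an added example, not MainNerve code. It computes the worst-case set of systems reachable from one compromised laptop, first with implicit internal trust and then with a segmented policy. The host names and allowed flows are constructed for illustration.

```python
from collections import deque

# Constructed sample environment; host names and flows are hypothetical.
HOSTS = ["laptop", "intranet", "fileserver", "hr-db",
         "finance-db", "admin-ws", "domain-controller"]

def flat_network(hosts):
    """Implicit internal trust: every host may connect to every other host."""
    return {h: {o for o in hosts if o != h} for h in hosts}

# Segmented policy: only flows with a business need are allowed.
SEGMENTED = {
    "laptop": {"intranet", "fileserver"},
    "intranet": {"hr-db"},  # the intranet app reads HR data
    "admin-ws": {"domain-controller", "finance-db", "hr-db"},
    "fileserver": set(),
    "hr-db": set(),
    "finance-db": set(),
    "domain-controller": set(),
}

def blast_radius(allowed, start):
    """Worst case: every host reachable from `start` over allowed flows,
    hop by hop (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in allowed.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

if __name__ == "__main__":
    print("flat:     ", sorted(blast_radius(flat_network(HOSTS), "laptop")))
    print("segmented:", sorted(blast_radius(SEGMENTED, "laptop")))
```

In the segmented policy the laptop still reaches hr-db indirectly through the intranet server, which is why a segmentation review has to follow multi-hop paths and not only direct rules.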

 

The Shift to Identity-Based Security

Modern security increasingly focuses on identity rather than the network perimeter.

Instead of asking “Is this request coming from inside or outside our network?” the question becomes “Is this the right person, using the right device, in the right context, trying to access resources they should have access to?”

This shift recognizes that:

  • Users and devices are mobile and work from anywhere
  • Applications and data live in the cloud outside traditional perimeters
  • Network location is no longer a reliable indicator of trust
  • Threats come from inside as often as outside

 

Identity becomes the new perimeter. If you can verify who someone is, what device they’re using, and whether their behavior is normal, you can make access decisions regardless of network location.

This is why modern security emphasizes:

  • Strong authentication (MFA)
  • Device health verification
  • Behavioral analytics
  • Least-privilege access
  • Continuous authorization (not just login)

 

Your firewall doesn’t do any of this. It can’t, because it only sees network traffic, not identity and context.
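
The difference between the two questions can be shown side by side. The following is an added example, not MainNerve code or any product's API: a perimeter-style check and an identity-based check evaluated on the same two requests. The internal address range, user names, entitlements, and sample requests are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # assumed internal range
ENTITLEMENTS = {"alice": {"crm"}, "bob": {"crm", "payroll"}}  # hypothetical

@dataclass
class Request:
    user: str
    source_ip: str
    password_ok: bool
    mfa_ok: bool
    device_healthy: bool
    resource: str
    unusual_behavior: bool

def perimeter_decision(req):
    """Castle-wall model: an internal source address plus a valid password is trusted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET and req.password_ok

def identity_decision(req):
    """Identity-based model, run on every request. Network location is never consulted.
    Returns (allowed, denial_reasons)."""
    reasons = []
    if not (req.password_ok and req.mfa_ok):
        reasons.append("strong authentication not satisfied")
    if not req.device_healthy:
        reasons.append("device health check failed")
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("resource not within least-privilege entitlements")
    if req.unusual_behavior:
        reasons.append("behavior outside baseline")
    return (not reasons, reasons)

# Constructed samples: a phished laptop inside the network, and a remote employee.
PHISHED = Request(user="alice", source_ip="10.1.2.3", password_ok=True, mfa_ok=False,
                  device_healthy=False, resource="payroll", unusual_behavior=True)
REMOTE = Request(user="bob", source_ip="203.0.113.7", password_ok=True, mfa_ok=True,
                 device_healthy=True, resource="crm", unusual_behavior=False)

if __name__ == "__main__":
    for name, req in (("phished laptop", PHISHED), ("remote employee", REMOTE)):
        print(name, perimeter_decision(req), identity_decision(req))
```

The perimeter check admits the phished laptop and rejects the legitimate remote employee, while the identity-based check does the opposite.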

 

The Cloud Changes Everything

Cloud adoption has fundamentally broken perimeter security models.

When your applications ran in your data center, your firewall sat between users and applications. You could inspect and control all traffic.

Now your applications run in AWS, Azure, or Google Cloud. Your data lives on SaaS platforms such as Microsoft 365, Salesforce, and Slack. Your firewall doesn’t sit between users and these services; users connect to them directly over the internet.

You can force all traffic through your firewall using techniques like backhauling VPN traffic, but this creates a terrible user experience, adds latency, and doesn’t actually improve security. Your firewall can’t inspect encrypted traffic to cloud services anyway.

Cloud security requires different approaches:

  • Cloud access security brokers (CASBs) that monitor SaaS usage
  • Cloud-native security tools that protect workloads in AWS/Azure/GCP
  • API security that protects service-to-service communication
  • Identity and access management for cloud resources

 

Your firewall isn’t designed for any of this. It’s designed for a network perimeter that doesn’t exist in cloud-centric environments.

 

What Your Firewall Actually Does Well

None of this means firewalls are useless. They’re just not sufficient.

Firewalls still provide value:

  • Blocking obviously malicious traffic from known bad sources
  • Preventing direct access to internal systems from the internet
  • Controlling outbound traffic to prevent data exfiltration through certain channels
  • Creating basic network segmentation
  • Providing visibility into network traffic patterns

 

Keep your firewall. Keep it updated and configured properly.

Just don’t assume it’s protecting you from modern threats. It’s one layer of many you need.

 

The Bottom Line

Perimeter security made sense when businesses operated from fixed locations with defined network boundaries. It makes much less sense when employees work from anywhere, applications live in the cloud, and threats come from inside as often as outside.

Your firewall isn’t enough because:

  • Most attacks bypass the perimeter entirely through phishing, compromised credentials, or web application exploitation
  • Cloud services sit outside your traditional perimeter
  • Remote work means the perimeter is everywhere and nowhere
  • Lateral movement inside your network is often undetected
  • Identity matters more than network location

 

Effective security requires layers that assume breaches will happen:

  • Strong authentication that survives credential theft
  • Endpoint protection that detects compromised devices
  • Network segmentation that limits lateral movement
  • Monitoring that identifies suspicious behavior inside your network
  • Access controls that limit damage from any single compromise

 

Your firewall is the foundation, not the entire building. Build the rest of the structure on top of it.

 

MainNerve: Test Your Defenses Beyond the Perimeter

MainNerve’s penetration testing doesn’t just check if your firewall blocks attacks. We test what happens when attackers get past your perimeter defenses, because that’s where real breaches happen.

We simulate how attackers move laterally inside your network, escalate privileges, access sensitive data, and establish persistence. We test your internal controls, not just your perimeter.

Because modern breaches don’t end at the firewall; they begin there.

Ready to see what attackers can do once they’re inside your network? Contact MainNerve to discuss penetration testing that goes beyond perimeter security to test your actual defenses against modern attack methods.

Your firewall isn’t enough. Find out what else you need.
