What is a Firewall and Do You Actually Need One?

Firewall is one of those words that gets thrown around in IT conversations without much explanation. Most people know it has something to do with security, but fewer understand what it actually does, or why the firewall built into a consumer router isn’t the same thing as a proper business firewall.

What a Firewall Does

A firewall monitors and controls network traffic based on a set of rules. It sits between your internal network and the outside world, or between segments of your internal network, and decides what traffic is allowed through and what gets blocked.

At its most basic, a firewall works like a security checkpoint. Every packet of data trying to enter or leave your network is inspected against the ruleset. Traffic that matches an allowed rule passes through. Traffic that doesn’t is dropped.

Without a firewall, your network has no meaningful barrier between your devices and the internet. Any device, service, or attacker that can reach your IP address can attempt to connect to anything on your network.

Types of Firewall

Packet Filter

The oldest and simplest type. It inspects packets based on source and destination IP address, port, and protocol. Fast but limited: it can’t understand the context of a connection or inspect the content of traffic.

Stateful Firewall

An improvement on packet filtering. A stateful firewall tracks the state of active connections, so it knows whether an incoming packet is part of an established, legitimate session or an unsolicited attempt to connect. This is the minimum standard for any serious network security.
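The difference between these two types, as an added example that is not part of the original article: a simplified Python model in which both firewalls allow outbound web traffic, but only the stateful one checks whether an inbound packet answers a connection it has already seen. The addresses, ports and names are constructed for illustration.

```python
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."          # constructed internal network
WEB_PORTS = (80, 443)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def is_internal(ip):
    return ip.startswith(LAN_PREFIX)

def packet_filter(pkt):
    """Stateless: judges every packet on its header fields alone."""
    if is_internal(pkt.src):
        return pkt.dport in WEB_PORTS          # outbound web traffic
    # Replies from web servers arrive *from* port 80/443, so a stateless
    # filter has to admit any inbound packet with that source port.
    return pkt.sport in WEB_PORTS

class StatefulFirewall:
    """Remembers outbound connections and admits only their replies."""
    def __init__(self):
        self.connections = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def check(self, pkt):
        if is_internal(pkt.src):
            if pkt.dport in WEB_PORTS:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # Inbound: must mirror a connection opened from the inside.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

def demo():
    """Return {name: (packet_filter verdict, stateful verdict)}."""
    fw = StatefulFirewall()
    packets = {
        "outbound":    Packet("192.168.1.20", 51000, "203.0.113.10", 443),
        "reply":       Packet("203.0.113.10", 443, "192.168.1.20", 51000),
        "unsolicited": Packet("198.51.100.7", 443, "192.168.1.20", 5000),
    }
    return {n: (packet_filter(p), fw.check(p)) for n, p in packets.items()}

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The unsolicited packet passes the packet filter because its header fields look like a web reply, while the stateful firewall drops it because no internal device opened that connection.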

Next-Generation Firewall (NGFW)

A modern firewall that goes beyond stateful inspection. An NGFW can:

  • Inspect the content of traffic, not just the headers
  • Identify applications regardless of port (so it can block, for example, social media on port 443 even though that port is normally used for HTTPS)
  • Detect and block intrusion attempts (IDS/IPS)
  • Filter web traffic by category
  • Decrypt and inspect encrypted HTTPS traffic
  • Integrate with threat intelligence feeds to block known malicious IPs and domains

For business use, an NGFW is the relevant category. Products from Sophos, Fortinet, Cisco, and others all fall into this group.

Hardware vs Software Firewalls

Hardware firewall: A dedicated physical device that sits at the edge of your network, between your modem and your internal switch. All traffic entering and leaving your network passes through it. This is the standard approach for business networks.

Software firewall: Runs on an individual device (the firewall built into Windows, for example) and protects that device only. Useful as a secondary layer but not a substitute for a network-level firewall.

Cloud-managed firewall: Hardware at your premises, managed and monitored through a cloud platform. Sophos Central, for example, lets you manage multiple firewalls across multiple sites from a single dashboard. This is increasingly the standard for MSP-managed environments.

What About the Firewall in My Router?

Most consumer routers include a basic firewall, typically stateful packet inspection plus NAT (Network Address Translation). NAT means your internal devices share a single public IP address, which incidentally hides them from direct external access.

This provides a basic level of protection. But it’s not the same as a business-grade firewall:

  • No application awareness
  • No IDS/IPS
  • No web filtering
  • No SSL inspection
  • Limited logging and visibility
  • No centralised management

For a home or very small office with basic requirements, a router’s built-in firewall may be adequate. For any business handling sensitive data, processing payments, or with more than a handful of staff, a dedicated firewall is worth the investment.

What a Firewall Doesn’t Do

A firewall is one layer of security, not a complete solution. It won’t protect you from:

  • Phishing emails that arrive through legitimate mail channels
  • Malware downloaded by a user who clicks a malicious link
  • Attackers who compromise valid credentials and log in normally
  • Threats that originate inside your network

This is why security professionals talk about defence in depth: multiple overlapping layers rather than a single barrier. A firewall is an important layer, but it works alongside endpoint protection, email filtering, MFA, staff training, and other controls.

Do You Actually Need One?

If your business:

  • Has more than a handful of devices on a shared network
  • Handles any sensitive customer or financial data
  • Processes payments
  • Has staff working with confidential information
  • Is subject to any compliance requirements

…then yes, a dedicated firewall is appropriate. The question is what type and how it’s managed, not whether to have one at all.

For very small operations (a home-based business) the combination of a router’s built-in firewall, Windows Defender, and sensible security practices may be sufficient for now. As the business grows, that changes.

Popular Options for SMEs

  • Sophos Firewall — strong NGFW features, cloud-managed via Sophos Central, well-suited to MSP-managed environments
  • Fortinet FortiGate — widely deployed, strong performance, good value at SME scale
  • pfSense / OPNsense — open source options that deliver enterprise-grade features at no software cost; covered in detail in our networking series
  • Cisco Meraki — cloud-managed, strong visibility and reporting, sits at a higher price point