What Does a Firewall Actually Do?

Given that the average data breach in 2017 cost companies about $3.6 million¹, most small businesses can't afford not to protect themselves from malicious traffic, phishing, and other security threats. But before you run out and buy uber-expensive antivirus software, get the facts on what a firewall is and how it can protect your business.

If movies were anything to go by, firewalls would be one of the most inefficient ways to protect your company’s computers and other devices.

Fortunately, we don’t live in an Italian Job–esque world where firewalls can be hacked at the drop of a hat. In fact, firewalls are one of the top ways to block malicious traffic from accessing your company’s internal network.

Confused? Not to worry—we’re here to break down how exactly a firewall secures your data, the essential security features a firewall can offer, and the different types of firewall systems that currently exist for Windows and Apple devices alike.

Firewalls at a glance

Every office (or home, for that matter) forms a local internal network of devices, which may include your computers, printers, TVs—basically anything that’s connected to the internet. Devices on your internal network can communicate directly with each other, which is how you’re able to print something from your computer when you’re not directly connected to the printer.

The problem? Without adequate protection, anyone can access your devices and use your internal network to hijack your business’s data, steal trade secrets, or commit identity theft. If external traffic has free rein within your internal network, attackers may even be able to control office cameras and spy on your employees.

While there are a few types of firewalls, they pretty much all do the same job: they protect your data by blocking unauthorized traffic to your internal network. In addition, some firewall providers up the ante with extra security features:

  • Easier secure file sharing across multiple business locations
  • Protection against phishing scams
  • Antivirus protection to cover other security vulnerabilities within your network
  • Site blocking (so you can prevent employees from accessing potentially dangerous websites)
  • Monitored internet usage

Hardware and software firewalls each feature their own pros and cons, so read on to find out more about the different types of firewalls available.

A note about next-generation firewalls

“Next-generation” firewalls are a big trend in the antivirus and online security industry. But what makes a firewall next-gen? Honestly . . . nobody’s really sure. While most next-gen firewalls feature a cocktail of security features (like deep packet inspection and complex encryption), there are no set qualifications that make a firewall next-gen. Long story short: beat the matrix and ignore the “next-generation” marketing.

Software firewalls

Pros:
  • Protects individual devices
  • May include antivirus software
  • Comes pre-installed on many computers

Cons:
  • Protects only one device
  • Must be updated on each individual computer anytime you change security protocols
  • May be disabled by employees

Software firewalls are security programs that you can install on your Windows and Mac computers (and other devices) within your internal network.

Think of software firewalls as the tin foil hat of security features (assuming that tin foil hats actually worked, that is). Basically, they block all external traffic from accessing your computer’s data and functions—unless that external traffic meets specific qualifications set by you.

For example, you can set up your firewall so only devices on your Wi-Fi network can access your computer. That way, you can enjoy secure file sharing, stream presentations from your computer to a nearby smart TV, and use other internal network features while still blocking unfriendly traffic.
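The rule described above, sketched as a small default-deny rule check. This is an added example, not taken from any firewall product; the subnet, ports, and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    source: str            # CIDR range the remote address must fall in
    port: Optional[int]    # local port, or None for any port

# Constructed values: the office Wi-Fi subnet and two local services.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
RULES = [
    Rule("allow", "192.168.1.0/24", 445),    # file sharing
    Rule("allow", "192.168.1.0/24", 7000),   # casting to a nearby TV (assumed port)
]

def decide(remote_ip, local_port, rules=RULES):
    """First matching rule wins; inbound traffic no rule matches is denied."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in rules:
        in_range = addr in ipaddress.ip_network(rule.source)
        port_ok = rule.port is None or rule.port == local_port
        if in_range and port_ok:
            return rule.action
    return "deny"

def reaches_beyond_local(rules, local=LOCAL_NET):
    """Audit check: allow rules whose source range is not inside the local subnet."""
    flagged = []
    for rule in rules:
        net = ipaddress.ip_network(rule.source)
        inside = net.version == local.version and net.subnet_of(local)
        if rule.action == "allow" and not inside:
            flagged.append(rule)
    return flagged

if __name__ == "__main__":
    print(decide("192.168.1.23", 445))   # laptop on the office Wi-Fi
    print(decide("203.0.113.9", 445))    # address outside the office
    print(reaches_beyond_local(RULES + [Rule("allow", "0.0.0.0/0", 445)]))
```

The audit function catches the most common way such a policy is undone: an allow rule added later whose source range covers the whole internet.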

Software firewalls can also include extra security features and antivirus protection, but they can only protect the device they’re installed on. After all, software firewalls are tin foil hats, not lead-lined bunkers—they can’t provide protection for the whole group.

On the one hand, that’s good. If each device on your network has its own software firewall protection, then a breach will only compromise the one device affected—it won’t contaminate your entire network and leave all your data exposed. Protection on individual devices also keeps your company data secure if an employee ever takes their computer home or connects to Wi-Fi in a coffee shop.

The problem with software firewalls is they may be too difficult to update if you’re running a medium to large business. Anytime you need to update a security protocol, your IT team must implement those changes on every single computer within your company. That’s a pretty big time suck for both your IT department and the rest of your employees—especially compared to hardware firewalls, which allow you to update your firewall settings in one centralized place (like a server or router).

There’s also the risk that your employees will disable their device’s firewall, making their computer (and your business) vulnerable to attack.

Does my Windows or Mac computer include firewall protection?

Most current versions of Windows and iOS do include firewall software. However, while the Apple operating system comes with firewall software preinstalled, it is not automatically enabled. So if you have a Mac, be sure to enable your firewall before connecting to the internet. Windows devices, on the other hand, come with pre-enabled firewall software, so they’re ready to use right out of the box.

Application layer firewalls

There are actually two types of application layer monitoring. To explain both, it helps to imagine you’re running the mailroom for a large office building.

As the head of the mailroom, it’s your job to sort incoming letters and packages and send them to the right office in your building. In addition, you’re in charge of collecting and sending outgoing mail from those offices. But what if you notice there are a lot of letters being sent from an office that you know to be empty? That’d be suspicious, and you’d bring it up with the building owner.

Some application layer firewalls do the same thing, but with apps on your employees’ devices. The firewall monitors incoming and outgoing traffic on each app to see if any programs make internet requests or receive external traffic when they shouldn’t. That way, you can identify security breaches quickly and effectively.
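A sketch of that per-app monitoring, run over a few constructed connection log lines. This is an added example, not code from any vendor; the log format, app names, and policy table are assumptions made for illustration.

```python
from collections import Counter

# Constructed policy: which apps are expected to use the network, and in
# which direction ("out" = app initiates, "in" = app accepts a connection).
EXPECTED = {
    "browser": {"out"},
    "mail": {"out"},
    "fileshare": {"in", "out"},
}

# Constructed log lines: time, app, direction, remote endpoint.
LOG = """\
09:00:01 browser out 203.0.113.20:443
09:00:04 mail out 203.0.113.25:993
09:00:09 calculator out 203.0.113.77:8080
09:00:12 fileshare in 192.168.1.23:445
09:00:15 mail in 203.0.113.80:2525
09:00:18 calculator out 203.0.113.77:8080
"""

def parse(line):
    """Split one log line into its fields."""
    time, app, direction, remote = line.split()
    host, _, port = remote.rpartition(":")
    return {"time": time, "app": app, "dir": direction,
            "host": host, "port": int(port)}

def unexpected(log_text, expected=EXPECTED):
    """Events from apps with no policy entry, or in a direction the policy omits."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        if event["dir"] not in expected.get(event["app"], set()):
            flagged.append(event)
    return flagged

def summary(flagged):
    """Count flagged events per (app, direction) so repeat offenders stand out."""
    return Counter((event["app"], event["dir"]) for event in flagged)

if __name__ == "__main__":
    for key, count in summary(unexpected(LOG)).items():
        print(key, count)
```

The calculator entries are the "letters from an empty office": an app with no reason to use the network is making repeated outbound requests.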

The other type of application layer firewall is more like the screening employee in the mailroom—the one who actually opens letters and packages to make sure nobody in the building gets an envelope full of anthrax. This type of firewall actually checks incoming data for viruses and malware, rather than just reading the delivery address. In this case, application layer monitoring is basically just another term for a firewall and antivirus combo, which you can read more about below.

Most firewall providers make it pretty obvious which type of application layer monitoring they offer (if any). But if you’re unsure, it’s never a bad idea to contact a representative and ask for clarification.

Software firewalls with antivirus protection

Let’s be honest: when most people think of firewalls, they’re really thinking of antivirus software. And honestly, that’s understandable.

Antivirus software has a security suite of features that identify and eliminate viruses and malware on your computers. Technically, antivirus software on its own doesn’t do anything to block traffic to your devices—so it’s not a firewall. But it can detect malware hidden in your data that could be used as an “in” for an attacker looking to access your network. So a firewall and antivirus software combo is an ideal choice if you want robust network security.

Software firewalls that include antivirus software can block external traffic and filter incoming data just like a standard firewall. Plus, you get that detailed mail screening (formally called deep packet inspections) on all incoming data and files. That way, you don’t get any data or files with the online version of anthrax: malware and viruses.

That all boils down to extra protection for your whole network. And bonus! You won’t have to deal with a massive, network-wide data breach if a single employee clicks a suspicious email link.

Hardware firewalls

Pros:
  • Is often less expensive than software firewalls
  • Regulates incoming and outgoing traffic
  • Can be updated once for all in-office devices

Cons:
  • Leaves entire network vulnerable if it fails
  • Offers fewer antivirus options

Did you know that most Wi-Fi routers are basic security firewalls? It’s true—if your office is using a router (which you probably are), you’ve already got elementary network security.

Most offices (and homes) have only one internet “outlet.” Your router is a physical device that physically connects to your internet outlet. Then it shares that connection with all your internet-enabled devices—just like an extension cord connects all the speakers, video game consoles, and Blu-Ray players in your entertainment system to the single outlet behind the TV.

Also like extension cords, routers were only designed to flow one way. Extension cords only carry power to your TV and speakers—they weren’t designed to carry power from your TV back to the outlet. Similarly, routers are designed to allow devices on your network to access the internet, but they don’t know what to do with external traffic that tries to access your internal network. Routers automatically block those types of requests, which gives your network some basic protection from malicious traffic.

Hardware firewalls protect all the devices on your in-office network at once.

Hardware firewalls (like routers) are extremely convenient because they protect all the devices on your network. That means you don’t have to update your company’s firewall settings on every single device.

However, hardware firewalls can pose a significant danger to your company’s data if they’re breached. Think of it as a city wall during a siege. If the invading army can get past the wall, it can access everything inside—from the market to the castle. That means if your hardware firewall fails, every device within your internal network becomes vulnerable.

Furthermore, hardware firewalls can’t protect devices that aren’t connected to them (just like an extension cord can’t power a TV that isn’t plugged in). So if your employee takes their laptop to the public library and accesses the internet through an unprotected connection, their device may be vulnerable to attack (unless they have a software firewall installed).


While all broadband routers can act as firewalls, some routers are enhanced with extra security features to better protect your network from malicious traffic.

Network address translation (NAT) firewalls are pretty standard—they assign the same IP address to all devices on your network. This technique makes it look like all the computers on your network are actually just one device, masking the size of your internal network. This makes your business less of a target for attackers looking to access secure data.
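A toy model of the NAT behavior described here, which also shows why a router drops external requests it "doesn't know what to do with," as described earlier. This is an added example, not code from any router; the addresses are constructed from documentation ranges, and the strict check on the reply's sender is an assumption, since real routers differ on that point.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "198.51.100.7"   # constructed public address for the whole office

@dataclass
class NatRouter:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # public port -> (inside ip, inside port, remote ip, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside host's packet so it leaves from the public IP."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:                 # reuse the existing mapping
                return (self.public_ip, pub_port, dst_ip, dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = flow
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, remote_ip, remote_port, pub_port):
        """Return the inside (ip, port) a packet belongs to, or None to drop it."""
        entry = self.table.get(pub_port)
        if entry is None:
            return None                       # no inside host asked for this
        in_ip, in_port, exp_ip, exp_port = entry
        if (remote_ip, remote_port) != (exp_ip, exp_port):
            return None                       # mapping exists, wrong sender
        return (in_ip, in_port)

if __name__ == "__main__":
    router = NatRouter()
    print(router.outbound("192.168.1.10", 51000, "203.0.113.5", 443))
    print(router.outbound("192.168.1.11", 51000, "203.0.113.5", 443))
    print(router.inbound("203.0.113.5", 443, 40000))    # reply: forwarded
    print(router.inbound("203.0.113.99", 443, 40000))   # stranger: dropped
```

Both inside hosts leave from the same public address and differ only in the public port, and inbound traffic is forwarded only when it matches a connection an inside host opened first.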

Routers may also be equipped with special monitoring features. Firewall routers can monitor devices on your network for security vulnerabilities, identify infected devices, and track apps to pinpoint suspicious internet requests. Routers may also come with parental controls, which you can use to monitor and control your employees’ internet access and block requests to sites that aren’t work appropriate.

VPN routers

As we’ve already established, it’s important to secure your internal network. Basically, you want the devices within your office to be able to access file sharing, printing, and other internal functions, but you don’t want anyone outside your office to access those functions.

But what if you have remote employees or you’re managing multiple locations? In that case, you’d want those external locations to access your internal network functions. So how do you open your internal network to approved external traffic without declaring open season on your secure data?

For that, you’ll need to create a virtual private network (VPN). VPNs use encryption to create secure connections that allow remote devices and networks to connect as if they were part of an internal network. That way, your remote employees can share files, control presentations, and more as if they were physically in the office.

VPN routers allow you to use more complex firewall rules and mask the network details (like the size or location of your devices).

A VPN router is one of the most efficient ways to set up your firewalls and VPN settings. Basically, you set up VPN routers at each of your locations, which act as firewalls for each of those locations’ internal networks. These routers are specially designed to allow external traffic from approved external sources (that clear your firewall rules and VPN security protocols).

In layman’s terms, that means your VPN routers can communicate with each other directly, effectively tying each remote internal network together as part of one big private network.

Even if you’re not linking multiple business locations, VPN routers are a solid choice for businesses. They allow you to use more complex firewall rules and can help mask the size and location of your network. That gives your business an extra layer of protection so hackers can’t access your employees’ personal information, customer data, and any other sensitive data your company processes.

Load balancers

Does your company have its own server? Depending on how you use your server, you may need a more complex firewall system.

If you’re using your web server for internal use only (to store company files, for instance), you’re probably fine to use a hardware firewall system like normal. In that case, your server becomes just another device, and your firewall protects your server from external traffic in the same way it protects the devices on your internal network.

However, if you’re using your server to host data that should be available to external traffic (like websites), putting it behind a firewall will make that data inaccessible to customers. In that case, you may want to use a load balancer.

A load balancer is a good idea anyway because it distributes incoming traffic across your servers so that no one server gets shut down because it’s overwhelmed with external traffic requests. This keeps your websites running quickly and protects you from DDoS (distributed denial of service) attacks.

But like routers, load balancers also perform basic firewall duties as a side effect of their design. Load balancers have to examine incoming traffic so they can delegate requests to the right servers. If an incoming traffic request doesn’t pass muster, the load balancer drops the request automatically, thereby protecting your servers from malicious traffic.

Load balancers only offer basic protection, though, and they may not be enough to protect your entire internal network. So if you use a load balancer as firewall protection for your servers, make sure to use an extra firewall solution to protect your internal network devices as well.

The takeaway

To do business efficiently, it’s important to take advantage of internal network functions like file sharing and printing. But without adequate protection, malicious attackers can use these functions to access your company’s data—potentially costing you millions.

Firewalls can help you protect the data on your employees’ devices by restricting access to those devices from external traffic. You can install firewall software to protect individual computers within your network, use a router (or hardware firewall) to secure all devices on your internet connection, or a combination of both. You can also up your cybersecurity game with extra protection, like a VPN router, antivirus software, or a load balancer.

There’s no single right answer for how to protect your business. But hopefully, we’ve given you the information you need to figure out the right type of firewall for your needs.

Now that you have an idea of what firewalls actually do and the types available, check out our list of the top firewall options for businesses.

