
Firewall Basics: What They Do and What You Need

A firewall is a gatekeeper. Here's what it actually does and what you need.

Last updated: March 20, 2026

Your network faces constant probes. Port scans happen continuously across the internet—automated systems looking for open doors. Without a firewall, every open port on every device is a potential entry point.

For Gulf Coast small businesses, this isn't abstract. Seafood distributors, boatyards, medical offices, and retail shops all store valuable data: customer payment information, employee records, vendor contacts. Unprotected networks get exploited.

A firewall is your first line of defense.

What a firewall actually does

A firewall filters network traffic. It decides what enters and leaves your network based on rules you define.

Think of it like a security guard at a building entrance:

  • The guard has a list of who's allowed in
  • They check credentials before letting people pass
  • They block anyone who doesn't match the approved list

Firewalls do the same thing for data packets crossing your network boundary.

Types of firewalls

Consumer/SOHO router with basic firewall

Most small businesses use the router provided by their internet provider. It has a firewall built in.

What it does: Blocks incoming connections by default; NAT (Network Address Translation) hides your internal devices' addresses from the internet.

What it doesn't do: Advanced threat detection, application-layer filtering, granular control.

Cost: Included with your router (typically $0-$200 one-time)

Good enough for: Very small businesses (1-3 employees) with minimal security requirements and no valuable data.

Unified Threat Management (UTM) appliance

These are purpose-built security devices designed for small businesses.

Features typically included:

  • Stateful packet inspection
  • Intrusion detection/prevention
  • Web content filtering
  • Spam filtering
  • VPN support
  • Malware scanning

What it does: Comprehensive protection with a single device. Easier to manage than a collection of separate tools.

What it doesn't do: Advanced threat hunting, 24/7 monitoring, or AI-driven analysis (available in higher-end models).

Cost: $500-$2,500 for the appliance, $300-$1,500/year for subscriptions and support

Good enough for: Most small businesses (5-30 employees) with standard security needs.

Next-Generation Firewall (NGFW)

Enterprise-grade firewalls with advanced capabilities.

Features:

  • Application-layer awareness (sees what apps are running, not just ports)
  • Advanced threat protection
  • User-identity based policies
  • SSL/TLS inspection
  • Sandboxing

What it does: Deep inspection of all traffic, including encrypted connections.

What it doesn't do: Replace endpoint protection, security training, or comprehensive security strategy.

Cost: $2,000-$10,000+ for the appliance, $1,000-$5,000+/year for subscriptions

Good enough for: Businesses with compliance requirements (HIPAA, PCI-DSS), those handling sensitive data, or businesses that have experienced security incidents.

Cloud-based firewall / Firewall-as-a-Service

Security filtering happens in the cloud, not on-premises.

What it does: Protects all your locations and remote workers through a single cloud service. No hardware to maintain.

What it doesn't do: Replace on-premises firewall for local network segmentation or latency-sensitive applications.

Cost: $5-$20 per user per month, or $200-$2,000/month for business plans

Good enough for: Businesses with multiple locations, remote workers, or those moving away from on-premises security hardware.

What can go wrong

Default configuration. Most firewalls ship with reasonable defaults but aren't optimized for your specific business. Running on defaults leaves gaps.

Overly permissive rules. "Allow everything" rules defeat the purpose of having a firewall. Rules should be specific and minimal.

Outdated firmware. Firewalls need updates like any other software. Unpatched firewalls have known vulnerabilities.

No rules, no protection. A firewall with no rules isn't a firewall—it's a router. Every firewall needs configuration.

Single point of failure. If your firewall fails and you have no backup, your network is exposed. High-availability options exist but cost more.

Encrypted traffic blind spots. Most malware hides inside encrypted connections. Firewalls that don't inspect SSL/TLS miss a lot of threats.

What it costs

| Firewall Type | Hardware Cost | Annual Cost |
|---------------|---------------|-------------|
| Router firewall | $0-$200 | $0 |
| UTM appliance | $500-$2,500 | $300-$1,500 |
| NGFW | $2,000-$10,000 | $1,000-$5,000+ |
| Cloud FWaaS | $0 | $500-$5,000/month |

Beyond the hardware, factor in:

  • Subscription licenses (usually required for threat signatures and support)
  • Installation and configuration (DIY or professional)
  • Ongoing management time or managed services cost
  • Replacement on failure (plan for this at year 3-5)

The minimum viable firewall

Every business needs:

  1. A device that blocks unsolicited inbound connections
  2. Default-deny stance: only allow traffic you explicitly need
  3. Updates applied within 30 days of release
  4. Someone who knows the configuration

If your current setup doesn't meet these four requirements, you're underprotected.

Vendor questions (copy/paste)

For any firewall vendor:

  • "What's included in the annual subscription? Do I need it?"
  • "How many devices/users can this support? What's the performance at capacity?"
  • "What's the management interface like? Can I manage it myself?"
  • "What happens if the appliance fails? Is there a warranty/replacement program?"
  • "How long does it take to set up and configure? Do you offer professional installation?"

Specific capability questions:

  • "Does it inspect encrypted traffic (SSL/TLS)? How much does that slow things down?"
  • "Can it filter web content by category? Can I block social media during work hours?"
  • "Does it support VPN connections for remote workers?"
  • "Can it create separate network segments (VLANs)?"

Minimum viable implementation

Step 1: Assess what you have

Check if your current router has firewall capabilities. Most business-class routers do, even if you're not using them.

Step 2: Enable and configure basic protection

  1. Block all inbound connections by default
  2. Only open ports you actually need (web = 80/443, email = 25/587/993, etc.)
  3. Disable remote management on the WAN interface
  4. Change default admin password
  5. Enable firmware auto-updates

Step 3: Add a dedicated UTM appliance

If you're using a consumer router or need more protection, add a business UTM (Ubiquiti Security Gateway, Fortinet FortiGate, Cisco Meraki, SonicWall).

Step 4: Review rules quarterly

Firewall rules accumulate. Old rules for defunct services become attack surface. Review and clean up every 90 days.
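A rule audit in the spirit of Steps 2 and 4, as an added Python example (not from the original article and not tied to any vendor's product): it checks a simplified rule table for the default-deny stance, "allow everything" rules, firewall management reachable from the WAN interface, and allow rules that have matched no traffic in the 90-day review window. The Rule model, the MGMT_PORTS set, the review date and the sample policy are all assumptions constructed for the example; it also assumes your firewall exposes a last-hit date per rule, which most do as a hit counter.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Rule:             # hypothetical vendor-neutral model of one policy rule
    action: str         # "allow" or "deny"
    iface: str          # interface the traffic arrives on: "wan" or "lan"
    dst: str            # destination host, "any", or "firewall" (the device itself)
    dport: str          # destination TCP port or "any"
    last_hit: date      # last time the rule matched traffic (from its hit counter)
    note: str = ""

MGMT_PORTS = {"22", "443", "8443"}   # assumed admin-interface ports on the firewall itself
REVIEW_DATE = date(2026, 3, 20)      # date of this quarterly review (constructed)

def is_wide_open(r):
    # An "allow everything" rule on the WAN side: any destination, any port.
    return r.action == "allow" and r.iface == "wan" and r.dst == "any" and r.dport == "any"

def has_default_deny(rules):
    # Default-deny stance: the last WAN rule must be a catch-all deny.
    wan = [r for r in rules if r.iface == "wan"]
    return bool(wan) and wan[-1].action == "deny" and wan[-1].dst == "any" and wan[-1].dport == "any"

def wan_management(rules):
    # Remote management of the firewall itself reachable from the internet.
    return [r for r in rules if r.action == "allow" and r.iface == "wan" and r.dst == "firewall" and r.dport in MGMT_PORTS]

def stale(rules, today, max_age_days=90):
    # Allow rules with no hits inside the review window are candidates for removal.
    return [r for r in rules if r.action == "allow" and (today - r.last_hit).days > max_age_days]

def audit(rules, today):
    return {"default_deny": has_default_deny(rules),
            "wide_open": [r.note for r in rules if is_wide_open(r)],
            "wan_management": [r.note for r in wan_management(rules)],
            "stale": [r.note for r in stale(rules, today)]}

# Constructed sample policy for a small office with a web server and a mail server.
SAMPLE = [
    Rule("allow", "wan", "webserver", "443", date(2026, 3, 18), "https to web server"),
    Rule("allow", "wan", "mailserver", "25", date(2026, 3, 19), "inbound smtp"),
    Rule("allow", "wan", "fileserver", "21", date(2025, 9, 1), "ftp for old vendor portal"),
    Rule("allow", "wan", "firewall", "443", date(2026, 3, 1), "admin gui from internet"),
    Rule("allow", "wan", "any", "any", date(2026, 3, 19), "temporary vendor access"),
    Rule("deny", "wan", "any", "any", date(2026, 3, 20), "default deny"),
]

def run_sample():
    return audit(SAMPLE, REVIEW_DATE)
```

A wide-open allow placed before the final deny makes that deny ineffective, which is why the audit reports the two checks separately rather than treating a trailing deny as proof of a default-deny stance.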

When to hire help

  • You've never configured your firewall (it's running on defaults).
  • You don't know what ports are open on your network.
  • You're required to meet compliance standards (HIPAA, PCI, etc.).
  • You've had a security incident or near-miss.
  • You need multiple locations connected securely.
  • Your current firewall is over 5 years old.

A firewall isn't a "set it and forget it" device. It needs configuration, monitoring, and maintenance. Budget for ongoing management, not just the hardware.
