Why Your Firewall Strategy Needs a Rethink in 2020
Last year, I worked with a Fortune 500 client on what they called a "global perimeter rationalization." Translation: they had dozens of firewall platforms across hundreds of sites, and nobody could tell you with confidence what was actually being enforced where. We spent months evaluating next-gen firewalls, network IDS, web filtering, TLS inspection, load balancers, DLP, and CASB solutions. The technical work was solid. But the real finding wasn't about any specific product — it was that the entire concept of "perimeter" had shifted underneath them while they were busy managing firewall rules.
If your 2020 security strategy still starts and ends with the firewall, this post is for you.
The Perimeter Isn't Where You Think It Is
Here's a question I ask clients early in every engagement: *Where does your network end?*
Five years ago, the answer was straightforward. You had a WAN edge, a DMZ, maybe some branch offices connected by MPLS. Your firewall sat at the boundary between trusted and untrusted, and life was relatively simple.
That model is breaking down. Not because firewalls stopped working, but because the definition of "inside" and "outside" changed.
Your SaaS applications live in someone else's data center. Your developers are pushing code to cloud infrastructure that never touches your on-prem network. Your remote workers are VPN-ing in from coffee shops, or worse, connecting directly to cloud services and bypassing your perimeter entirely. That branch office you painstakingly connected via MPLS? Half its traffic is going straight to the internet via SD-WAN now.
The firewall is still doing its job. The problem is that its job covers a shrinking percentage of your actual attack surface.
Next-Gen Firewalls: Necessary, Not Sufficient
Let me be clear — I'm not here to tell you firewalls are dead. That's lazy analysis, and it's wrong.
I run a Palo Alto PA-220 in my own network. I use it for network segmentation, zone-based policy enforcement, and traffic inspection. It's a fantastic piece of engineering. In enterprise environments, next-gen firewalls with application awareness, user-ID integration, and TLS inspection remain critical. I've evaluated most of the major platforms — Palo Alto, Fortinet, Check Point, and others — and the capabilities have genuinely improved.
But here's what I keep seeing in the field: organizations treat their NGFW deployment as *the* security architecture rather than *a component of* the security architecture. They pour budget into the latest appliance refresh, configure a few hundred rules, stand up some zones, and call it done. Meanwhile, 60% of their sensitive data has migrated to SaaS platforms that the firewall never sees.
The NGFW handles north-south traffic at your perimeter. That's important. But if you're not also thinking about east-west traffic within your network, cloud workload protection, and identity-based access control, you've got significant blind spots.
Log Everything, Segment Everything
If there's one tactical recommendation I give every client, it's this: get your logs aggregated and your network segmented before you buy anything else.
I've set up ELK stacks that aggregate firewall logs, endpoint data, and application events into a single pane of glass. The insights you get from correlating firewall deny logs with authentication events and DNS queries are worth more than most "AI-powered" security tools on the market. You can't protect what you can't see, and most organizations can't see nearly enough.
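As an added illustration of the cross-source correlation described above (this is example code written for this post, not a configuration from any client engagement or from a specific ELK deployment), the script below reads a handful of constructed firewall deny, authentication and DNS events in a simplified "timestamp source key=value" line format and flags an internal host that, within a five-minute window, was denied to several distinct internal servers and also produced failed logons. Any of the three sources alone is noise; together they look like lateral-movement probing. The log format, hostnames, addresses and thresholds are all assumptions chosen for the example.

```python
"""Correlate firewall denies, auth failures and DNS lookups per source host.

The event format below is a constructed, simplified one for this example;
real firewall, directory and resolver logs would be normalized to it first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real traffic): one host probing SMB on
# several servers and failing logons, one host behaving normally.
SAMPLE_LOG = """
2020-01-14T09:00:01 fw action=deny src=10.20.5.17 dst=10.20.7.10 dport=445 from=users to=servers
2020-01-14T09:00:03 fw action=deny src=10.20.5.17 dst=10.20.7.11 dport=445 from=users to=servers
2020-01-14T09:00:05 fw action=deny src=10.20.5.17 dst=10.20.7.12 dport=445 from=users to=servers
2020-01-14T09:00:06 fw action=deny src=10.20.5.17 dst=10.20.7.13 dport=445 from=users to=servers
2020-01-14T09:00:09 fw action=deny src=10.20.5.17 dst=10.20.7.14 dport=445 from=users to=servers
2020-01-14T09:00:20 auth result=failure user=jdoe src=10.20.5.17 target=10.20.7.10
2020-01-14T09:00:25 auth result=failure user=admin src=10.20.5.17 target=10.20.7.11
2020-01-14T09:01:10 dns src=10.20.5.17 qname=updates.example.net
2020-01-14T09:30:00 fw action=deny src=10.20.5.44 dst=10.20.7.10 dport=445 from=users to=servers
2020-01-14T09:31:00 auth result=success user=msmith src=10.20.5.44 target=10.20.7.10
"""


def parse_line(line):
    """Turn 'ts source k=v k=v ...' into a dict; return None for blank lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": datetime.fromisoformat(parts[0]), "source": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse all lines and return events sorted by timestamp."""
    events = (parse_line(line) for line in text.strip().splitlines())
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), min_targets=5):
    """Return one alert per host whose denies, auth failures and DNS queries
    cluster inside `window`. Thresholds are assumptions for the example."""
    by_host = defaultdict(list)
    for event in events:
        if "src" in event:
            by_host[event["src"]].append(event)

    alerts = []
    for host, host_events in by_host.items():
        for i, start in enumerate(host_events):
            # Only open a window on a firewall deny; that is the cheapest signal.
            if start["source"] != "fw" or start.get("action") != "deny":
                continue
            end = start["ts"] + window
            span = [e for e in host_events[i:] if e["ts"] <= end]
            denied = {e["dst"] for e in span
                      if e["source"] == "fw" and e.get("action") == "deny"}
            failures = sum(1 for e in span
                           if e["source"] == "auth" and e.get("result") == "failure")
            lookups = sorted({e["qname"] for e in span if e["source"] == "dns"})
            if len(denied) >= min_targets and failures >= 1:
                alerts.append({
                    "host": host,
                    "window_start": start["ts"].isoformat(),
                    "denied_targets": len(denied),
                    "auth_failures": failures,
                    "dns_lookups": lookups,
                })
                break  # one alert per host is enough for an analyst queue
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

The same shape of logic (group by a shared key, slide a window, require more than one source to agree) is what a SIEM correlation rule encodes; writing it out once makes it clear which field each source must carry for the join to work, which is the normalization problem most log projects stall on.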
Segmentation is the other half. I architect networks with explicit trust zones — not just "inside" and "outside," but granular segments for different business functions, IoT devices, guest networks, and management planes. If an attacker gets past your firewall (and eventually, someone will), segmentation is what limits the blast radius.
This isn't glamorous work. Nobody's writing press releases about proper VLAN design and zone-based policy. But in twenty years of doing this, I can tell you that the organizations with mature segmentation and centralized logging consistently fare better in incident response than the ones with the shiniest firewall appliance.
SASE: The Buzzword That Actually Matters
Gartner introduced the term "Secure Access Service Edge" — SASE — in mid-2019, and by now you've probably seen it in every vendor pitch deck. Here's why I think it's worth paying attention to, despite the hype.
SASE is essentially the recognition that network security and network connectivity need to converge, and that convergence is happening in the cloud. Instead of backhauling all your traffic through a central firewall, you push security enforcement to the edge — close to the user, close to the application, wherever that happens to be.
The practical implication: rather than a single chokepoint firewall at your data center, you have distributed security policy enforcement that follows the user. VPN gives way to zero-trust network access. Hardware firewalls give way to cloud-delivered security services. Centralized inspection gives way to distributed inspection.
Is it ready for prime time in January 2020? For most enterprises, not entirely. The vendors are still assembling the pieces, and the "single vendor SASE" story is more marketing than reality right now. But the architectural direction is sound, and organizations that start planning for this shift now will be ahead of the curve.
If you're in the middle of a firewall refresh cycle or WAN transformation, this is the time to evaluate whether your next investment should be hardware at the perimeter or services at the edge.
What a Modern Firewall Strategy Actually Looks Like
So if the answer isn't "rip out all your firewalls" and it isn't "buy bigger firewalls," what does a modern approach look like? Here's the framework I use with clients:
1. Maintain strong perimeter controls, but right-size them. Your NGFW isn't going away. But it might not need to be the $500K cluster at your data center if most of your workloads are heading to the cloud. Match the investment to the traffic it's actually inspecting.
2. Invest in segmentation and east-west visibility. Micro-segmentation, internal firewalls, and network detection tools for lateral movement. This is where the next breach gets contained — or doesn't.
3. Centralize your logging. Whether it's ELK, Splunk, or a cloud SIEM, get your firewall logs, endpoint telemetry, and identity events into one place. Build detection rules that correlate across sources. Hire analysts who know how to read them.
4. Start your zero-trust journey. You don't have to boil the ocean. Pick one application or one user population and implement identity-aware access control that doesn't depend on network location. Learn from it. Expand from there.
5. Evaluate SASE for your next refresh cycle. Don't rip and replace today, but make sure your three-year roadmap accounts for the shift to cloud-delivered security. When your current firewall contracts come up for renewal, you want options.
6. Audit what you have. I can't count the number of firewall rule bases I've reviewed that had rules dating back a decade, created by people who left the company years ago. Stale rules are technical debt with security implications. Clean house.
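For the rule-base audit in point 6, here is an added example (written for this post, not a vendor tool or an export from any client) that walks a constructed CSV rule export and flags the three classes of technical debt that come up in almost every review: rules that have never matched or have not matched in over a year, rules left disabled in the rulebase, and allow rules that are any/any/any. The column names, the rule names and the reference date are assumptions; a real export from your platform would need its columns mapped to these first.

```python
"""Flag stale, disabled and over-permissive rules in a constructed rule export."""
import csv
import io
from datetime import date

# Constructed sample export (not from any real firewall). Columns are assumed.
RULES_CSV = """name,from_zone,to_zone,source,destination,service,action,created,last_hit,enabled
allow-web-out,users,untrust,any,any,tcp/443,allow,2018-03-02,2020-01-14,yes
legacy-ftp,users,servers,any,10.20.7.10,tcp/21,allow,2009-06-11,2014-02-03,yes
temp-vendor-rdp,untrust,servers,any,any,any,allow,2016-11-20,never,yes
mgmt-ssh,mgmt,servers,10.20.99.0/24,any,tcp/22,allow,2017-05-01,2020-01-13,yes
old-printers,users,printers,any,any,any,allow,2012-09-09,2019-12-30,no
deny-all,any,any,any,any,any,deny,2015-01-01,2020-01-14,yes
"""


def parse_hit(value):
    """'never' means the counter has never incremented; otherwise an ISO date."""
    return None if value == "never" else date.fromisoformat(value)


def audit_rules(csv_text, today, stale_days=365):
    """Return {rule_name: [issue, ...]} for every rule with at least one issue.

    stale_days is an assumed threshold; pick one that matches your change
    window so seasonal rules (year-end batch jobs) are not flagged by mistake.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []

        last = parse_hit(row["last_hit"])
        if last is None:
            issues.append("never matched traffic")
        elif (today - last).days > stale_days:
            issues.append(f"no hits for {(today - last).days} days")

        if row["enabled"] == "no":
            issues.append("disabled but still in rulebase")

        # A deny any/any/any is the expected cleanup rule; only allows are flagged.
        if (row["action"] == "allow"
                and row["source"] == "any"
                and row["destination"] == "any"
                and row["service"] == "any"):
            issues.append("allow any/any/any")

        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_rules(RULES_CSV, date(2020, 1, 15)).items():
        print(f"{name}: {'; '.join(issues)}")
```

Run against a real export, the output is the worklist for the cleanup: stale and never-hit rules are candidates for disabling for a change cycle before deletion, disabled rules should simply be deleted so nobody re-enables them by accident, and any/any/any allows need an owner and a justification or they go.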
Moving Forward
The firewall isn't dead, but the firewall-centric security model is on life support. The organizations that will be best positioned in 2020 and beyond are the ones treating the firewall as one layer in a defense-in-depth strategy — not the whole strategy.
If you're staring down a firewall refresh, a cloud migration, or just the nagging feeling that your security architecture hasn't kept pace with your IT architecture, take a step back and rethink the fundamentals. The technology choices will follow.
The perimeter has moved. Your security strategy should too.
--- *Aaron Smith is the founder and principal consultant at [PhenomSec](https://phenomsec.com), a cybersecurity consulting firm based in Portland, OR. With over 20 years of experience in enterprise security architecture, he helps organizations navigate the gap between where their security is and where it needs to be. Got a firewall strategy question? [Reach out](https://phenomsec.com/contact) — no pitch, just a conversation.*