Your firewall is dutifully logging every connection attempt, blocking malicious traffic, and generating alerts. But here’s the uncomfortable truth: those logs are only telling you half the story. While firewalls excel at perimeter defense, they’re operating with a fundamentally limited view of your network that leaves critical blind spots in your security posture.
For NetOps and SecOps teams tasked with detecting sophisticated threats and maintaining network visibility, relying solely on firewall logs is like trying to investigate a crime scene with only a partial witness statement.
The Firewall’s Fundamental Limitation
Firewalls operate on a simple principle: evaluate traffic against rules and log the decisions. When a connection is established, your firewall dutifully records that it happened. But that’s where the story ends. You know something occurred, but you’re missing crucial context.
Consider a typical firewall log entry: “Connection from 192.168.1.100 to 10.0.0.50 on port 443 – ALLOWED.” This tells you a session matched an allow rule, but by itself it does not tell you:
- How long the connection lasted. Was it a quick status check or a sustained data transfer?
- How much data moved in each direction. A few kilobytes or gigabytes? (Some firewalls can add byte counts in a session-end record, but only if that logging is enabled, and only for sessions that actually traverse the firewall.)
- Which path the traffic took through your network. The firewall sees only the hop it sits on.
- Which application was actually speaking. A port-and-protocol firewall assumes 443 means HTTPS; a firewall with application identification adds a label, but still not the shape or volume of the conversation.
Without this context, you can’t form a complete picture of the event.
The Investigative Struggle of Historical Incidents
This limitation becomes particularly painful when investigating incidents that occurred months ago. Picture this scenario: your threat intelligence team receives an indicator that a specific IP address was associated with a sophisticated APT campaign six months ago. You need to understand if your organization was compromised and what the attackers might have accessed.
Your firewall logs might show that connections to that IP were allowed, but that’s where the trail goes cold. You can’t determine if sensitive data was exfiltrated, which internal systems were accessed, or how long the attackers maintained their presence. The firewall log is a single data point in what should be a comprehensive investigation timeline.
Even worse, organizations often rotate or archive firewall logs with limited retention periods due to storage constraints. The very evidence you need to conduct a thorough investigation may no longer exist, leaving you to report to executive leadership that you simply cannot determine the scope or impact of a potential breach.
Designed for Perimeter Defense, Not Internal Threats
Firewalls formed a more complete defense when the network perimeter was well defined and threats came primarily from outside the organization. They excel at binary decisions about traffic crossing a boundary: allow or deny based on source, destination, port, and protocol.
But today, this perimeter-focused approach creates significant blind spots. Once an attacker gains initial access to your network—whether through phishing, credential theft, or exploiting a vulnerability—they operate largely within the firewall’s trusted zone. The firewall that vigilantly blocked their initial attempts now becomes irrelevant to their activities.
Consider lateral movement, where an attacker pivots from the initial foothold to explore and compromise additional systems. Much of it happens inside network segments the firewall considers trusted and never crosses it at all: server-to-server communication, workstation-to-file-share access, and administrative connections between systems. Where some of it does cross a segment boundary, the firewall sees legitimate protocols on permitted ports from internal sources and allows them, so the resulting log entries look like ordinary business traffic.
Similarly, insider threats operate from within the trusted perimeter by definition. When a disgruntled employee begins accessing sensitive data they shouldn’t, or when an attacker exfiltrates data with a compromised user account, these activities generate minimal firewall logs. The firewall sees normal traffic patterns from authorized users on trusted systems, completely missing the malicious intent behind the connections.
This fundamental mismatch between firewall design and modern threat vectors means that the most dangerous and persistent threats—those that operate from within your network—are precisely the ones that generate the least meaningful firewall log data.
Gaining The Missing Context
Flow data closes that gap. Where a firewall log records an allow/deny decision, a flow record (NetFlow, IPFIX or sFlow, exported by the routers, switches and sensors that carry the traffic) summarises each conversation: source and destination addresses and ports, protocol, start and end time, byte and packet counts, TCP flags and the interfaces it crossed. It carries no payload, so it does not tell you what was said, but it is collected for every conversation the exporter sees, including traffic that never reaches a firewall, and it is compact enough to keep for months.
Detecting Lateral Movement
Lateral movement remains one of the most challenging threats to detect because it often occurs over legitimate protocols and ports. An attacker who has gained initial access will move carefully through your network, using authorized services and protocols to avoid detection.
Firewall logs might show a series of legitimate connections from a compromised host to various internal servers, each of which looks normal on its own. Flow data reveals the pattern across them: one source fanning out to many internal hosts on administrative ports within minutes, connections only a few packets long (probes and failed logons), off-hours timing, or volumes that do not match how that user normally behaves. Those patterns are only visible when the individual records are correlated, which is what flow data is structured for.
Uncovering Insider Threats
Insider threats are particularly insidious because they operate from within your trusted perimeter. Traditional firewall logs offer little help here since the traffic originates from legitimate users on authorized systems.
Flow data, however, reveals the behavioral anomalies that indicate malicious insider activity. An employee suddenly accessing file shares they have never touched before, pulling unusually large amounts of data, or connecting to systems outside their normal work pattern: these behaviors become apparent when you can compare a user's current activity against a baseline of their past activity, which is only possible if that history has been retained.
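The two detections just described, lateral fan-out and deviation from a source's own baseline, as an added worked example in Python (this is not Plixer code and not any collector's real export format; the flow records are constructed inline, and the admin port list, the 10.0.0.0/8 internal range and the thresholds are assumptions chosen for the sample):

```python
"""Added example: lateral-movement fan-out and baseline deviation over flow records.
Not Plixer code and not a real collector export; the CSV rows are constructed, and
the admin port list, internal range and thresholds are assumptions for the sample."""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}          # SSH, RPC, SMB, RDP, WinRM

# Constructed records: a week of baseline, then the current hour.
BASELINE_CSV = """start,src,dst,dport,proto,bytes,pkts,dur
2024-05-01T09:00:00,10.0.1.23,10.0.5.10,445,6,4200000,3800,120
2024-05-02T09:10:00,10.0.1.23,10.0.5.10,445,6,3900000,3500,110
2024-05-03T09:05:00,10.0.1.23,10.0.5.10,445,6,4500000,4100,130
2024-05-04T09:00:00,10.0.1.23,10.0.5.11,443,6,80000,120,15
2024-05-01T09:00:00,10.0.1.40,10.0.5.12,445,6,2000000,1800,60
2024-05-02T09:00:00,10.0.1.40,10.0.5.12,445,6,2100000,1900,65
2024-05-03T09:00:00,10.0.1.40,10.0.5.12,445,6,1900000,1700,55
"""
CURRENT_CSV = """start,src,dst,dport,proto,bytes,pkts,dur
2024-05-08T02:00:00,10.0.1.23,10.0.5.20,445,6,600,4,1
2024-05-08T02:00:03,10.0.1.23,10.0.5.21,445,6,600,4,1
2024-05-08T02:00:07,10.0.1.23,10.0.5.22,3389,6,900,6,2
2024-05-08T02:00:12,10.0.1.23,10.0.5.23,445,6,600,4,1
2024-05-08T02:00:20,10.0.1.23,10.0.5.24,5985,6,700,5,1
2024-05-08T02:00:25,10.0.1.23,10.0.5.25,22,6,500,3,1
2024-05-08T02:30:00,10.0.1.40,10.0.5.12,445,6,2050000,1850,62
2024-05-08T02:31:00,10.0.1.40,10.0.7.99,445,6,95000000,70000,900
"""


def parse_flows(text):
    """Read collector-style CSV into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.fromisoformat(r["start"])
        for k in ("dport", "proto", "bytes", "pkts", "dur"):
            r[k] = int(r[k])
        rows.append(r)
    return rows


def lateral_fanout(flows, window=timedelta(minutes=5), min_targets=5, max_pkts=10):
    """Sources that touch >= min_targets distinct internal hosts on admin ports within
    one window using tiny flows (the size of a probe or a failed logon). Each such
    flow is individually 'allowed' traffic; only the fan-out pattern is suspicious."""
    by_src = defaultdict(list)
    for f in flows:
        if (f["proto"] == 6 and f["dport"] in ADMIN_PORTS and f["pkts"] <= max_pkts
                and ipaddress.ip_address(f["dst"]) in INTERNAL):
            by_src[f["src"]].append(f)
    flagged = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["start"])
        for i, first in enumerate(fl):
            targets = {g["dst"] for g in fl[i:] if g["start"] - first["start"] <= window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


def baseline_deviations(baseline, current, factor=10.0):
    """Per source: destinations absent from its baseline, and flows carrying more than
    factor x its median baseline volume. Sources with no history are skipped; they
    need a different rule (new host) rather than a baseline comparison."""
    seen, volumes = defaultdict(set), defaultdict(list)
    for f in baseline:
        seen[f["src"]].add(f["dst"])
        volumes[f["src"]].append(f["bytes"])
    alerts = []
    for f in current:
        src = f["src"]
        if src not in seen:
            continue
        if f["dst"] not in seen[src]:
            alerts.append((src, f["dst"], "new_destination"))
        if f["bytes"] > factor * statistics.median(volumes[src]):
            alerts.append((src, f["dst"], "volume_spike"))
    return alerts


if __name__ == "__main__":
    cur = parse_flows(CURRENT_CSV)
    print("fan-out:", lateral_fanout(cur))
    for a in baseline_deviations(parse_flows(BASELINE_CSV), cur):
        print("deviation:", a)
```

Both detectors need correlation across records, which a log of independent allow decisions does not give you, and the second needs retained history, which is the retention point made earlier. The thresholds are deliberately simple; in production they come from the environment's own baseline, and a host with no history should be handled by a separate rule rather than silently skipped as it is here.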
Data Exfiltration Over Permitted Ports
One evasion technique is exfiltrating data over ports and protocols the firewall must allow anyway. Outbound 443 is permitted for HTTPS almost everywhere, so an attacker who tunnels data through a TLS session on 443 looks like any other web client to a port-based rule.
Where the flow exporter parses the TLS ClientHello (this is deep packet inspection performed by the exporter and carried as additional IPFIX fields; plain NetFlow v5/v9 records do not include it), flow data can include a JA3 fingerprint: an MD5 of the TLS version, cipher suites, extensions, supported groups and point formats the client offered, in that order, with GREASE values removed. Your firewall sees HTTPS; the JA3 hash tells you what kind of client spoke it. A hash that matches no browser or sanctioned tool in your environment is a lead worth pulling, not a verdict: unrelated clients can share a hash, and a client under attacker control can change its fingerprint at will.
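What a JA3 fingerprint actually is, as an added worked example in Python (not Plixer code, and not a description of any exporter's export fields; the ClientHello bytes are constructed rather than captured, and the allowlist passed to classify is an assumption):

```python
"""Added example: JA3 fingerprint of a TLS ClientHello, with an allowlist check.
Not Plixer code and not a description of any exporter's export format. The
ClientHello below is constructed, not captured, and the allowlist is assumed."""
import hashlib
import struct

# GREASE values (RFC 8701) are dropped from every field, as the JA3 spec requires.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}
EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 10, 11


def build_client_hello(version, ciphers, extensions):
    """Record layer + handshake header + ClientHello body (used only to build the sample)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"        # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                              # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def _u16s(data):
    return list(struct.unpack(">%dH" % (len(data) // 2), data))


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                    # skip client random
    pos += 1 + body[pos]                            # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in _u16s(body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(body):                        # extensions block is optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == EXT_SUPPORTED_GROUPS:       # 2-byte list length, then 2-byte group ids
                glen = struct.unpack(">H", edata[:2])[0]
                groups = [g for g in _u16s(edata[2:2 + glen]) if g not in GREASE]
            elif etype == EXT_EC_POINT_FORMATS:     # 1-byte list length, then 1-byte formats
                formats = list(edata[1:1 + edata[0]])
    s = ",".join([str(version), "-".join(map(str, ciphers)), "-".join(map(str, ext_types)),
                  "-".join(map(str, groups)), "-".join(map(str, formats))])
    return s, hashlib.md5(s.encode()).hexdigest()


def classify(ja3_hash, known):
    """Allowlist lookup. 'unknown' is a lead, not a verdict: unrelated clients can share a
    hash, and a client under attacker control can change its ClientHello at will."""
    return known.get(ja3_hash, "unknown")


# Constructed sample: TLS 1.2 legacy version with GREASE in ciphers, extensions and groups.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1a1a, 0x1301, 0x1302, 0xc02b],                  # GREASE, TLS_AES_128/256_GCM, ECDHE-ECDSA-AES128-GCM
    [(0x2a2a, b""),                                    # GREASE extension, must not appear in the hash
     (0, b"\x00\x0e\x00\x00\x0bexample.com"),           # server_name
     (10, b"\x00\x06\x3a\x3a\x00\x1d\x00\x17"),          # supported_groups: GREASE, x25519, secp256r1
     (11, b"\x01\x00"),                                 # ec_point_formats: uncompressed
     (43, b"\x02\x03\x04")],                            # supported_versions: TLS 1.3
)

if __name__ == "__main__":
    ja3_str, ja3_md5 = ja3(SAMPLE_HELLO)
    print(ja3_str, ja3_md5, classify(ja3_md5, {}))
```

The string assembled before hashing shows why unrelated clients can collide: anything that offers the same cipher suites, extensions, groups and point formats in the same order hashes identically, whatever it is. Treat an unknown hash as a reason to pull that flow's byte counts, duration and destination, not as proof of exfiltration.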
Internal Traffic Visibility
Firewalls excel at controlling north-south traffic crossing network boundaries, but they see little or none of the east-west traffic inside a segment. DNS abuse from an internal host, peer-to-peer communication between workstations, or unauthorized service discovery can occur entirely inside the perimeter.
Flow data is exported by the switches and routers that carry that traffic, so it covers conversations whether or not they cross a firewall. That view shows DNS abuse from the volume side without decoding a single query: a host generating thousands of UDP/53 flows a minute is flooding the resolver, and a host whose DNS queries are consistently far larger than a normal lookup, with sizes that do not look like a query and its answer, has the shape of DNS tunnelling.
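The two DNS cases just described, as an added worked example in Python (not Plixer code; the flow records are constructed inline and the thresholds are assumptions tuned to that sample):

```python
"""Added example: DNS flood and tunnel heuristics over UDP/53 flow records.
Not Plixer code. Every record below is constructed, and the thresholds are
assumptions tuned to this sample; real deployments baseline them per environment."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_dns_flows():
    """(start, src, dst, bytes_out, bytes_in) for flows already filtered to UDP/53.
    A client's source port is ephemeral, so each lookup is usually its own flow."""
    base = datetime(2024, 5, 8, 2, 0, 0)
    flows = []
    for i in range(12):       # ordinary workstation: a lookup every few seconds
        flows.append((base + timedelta(seconds=5 * i), "10.0.1.10", "10.0.0.53", 70, 150))
    for i in range(300):      # tunnelling host: long encoded query names, small answers
        flows.append((base + timedelta(milliseconds=200 * i), "10.0.1.77", "10.0.0.53", 240, 90))
    for i in range(5000):     # flooding host: tiny queries, resolver stops answering
        flows.append((base + timedelta(milliseconds=12 * i), "10.0.1.99", "10.0.0.53", 60, 0))
    return flows


def dns_profile(flows):
    """For each source, the busiest one-minute bucket: query count and mean sizes."""
    buckets = defaultdict(list)
    for start, src, _dst, out_b, in_b in flows:
        buckets[(src, start.replace(second=0, microsecond=0))].append((out_b, in_b))
    profile = {}
    for (src, _minute), sizes in buckets.items():
        n = len(sizes)
        stats = {"queries_per_min": n,
                 "avg_out": sum(o for o, _ in sizes) / n,
                 "avg_in": sum(i for _, i in sizes) / n}
        if src not in profile or n > profile[src]["queries_per_min"]:
            profile[src] = stats
    return profile


def classify_dns(profile, flood_rate=1000, tunnel_rate=100, tunnel_query_bytes=180):
    """Rate alone separates flooding; tunnelling needs rate plus oversized queries
    (a normal query is well under 100 bytes). Both are visible in flow metadata
    without decoding a single DNS message."""
    verdicts = {}
    for src, p in profile.items():
        if p["queries_per_min"] >= flood_rate:
            verdicts[src] = "flood"
        elif p["queries_per_min"] >= tunnel_rate and p["avg_out"] >= tunnel_query_bytes:
            verdicts[src] = "tunnel_like"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_dns(dns_profile(constructed_dns_flows())).items():
        print(src, verdict)
```

A tunnel that stays under the rate threshold is the low-and-slow case; a one-minute bucket will not catch it, and the check becomes a host's daily DNS byte total against its own history, which again depends on having retained flow data for long enough to have one.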
The Operational Reality: Log Analysis Challenges
Beyond the technical limitations, firewall logs present significant operational challenges for security teams. Parsing through massive volumes of firewall logs is time-consuming and often yields incomplete insights. Each log entry represents a discrete event without broader context, making it difficult to identify patterns or conduct meaningful analysis.
Flow data, conversely, provides structured, searchable records that enable rapid analysis and correlation. Security analysts can quickly query flow data to understand traffic patterns, identify anomalies, and trace the complete path of suspicious communications. This operational efficiency is crucial when responding to security incidents where time is of the essence.
Retrospective Forensics at Scale
When a security incident occurs, your ability to conduct thorough forensic analysis depends entirely on the quality and completeness of your historical data. Firewall logs can tell you what your firewall was configured to log at the time, but they can’t provide context about the broader network activity surrounding an incident.
Flow data, however, makes retrospective forensics practical at scale: a flow record is a few dozen bytes of metadata per conversation, so months of history can be retained and queried at the same granularity as today's traffic. That history is what lets you establish the full scope of an incident, identify patient zero, and reconstruct the attack timeline.
Consider discovering a breach and needing to establish what was compromised. Firewall logs might show that connections to various servers were allowed. Flow data shows which internal hosts the attacker reached, over which services, for how long, how many bytes left each of them, and the route the exfiltration took out of the network. It will not tell you which files were read; flow records carry no payload, so file-level detail comes from the file server's own audit log, and the flow timeline tells you exactly which server and which time window to pull it for.
The Path Forward: Complementary Visibility
The goal isn’t to replace firewall logs, but to complement them with the rich context that flow data provides. Firewalls remain essential for perimeter defense and access control, but they represent just one layer of your security architecture.
Modern security operations require comprehensive visibility into network behavior, not just firewall decisions. By combining firewall logs with flow data, you gain both the policy enforcement visibility that firewalls provide and the behavioral context necessary for advanced threat detection.
Flow data transforms your network from a black box into a transparent environment where you can detect, investigate, and remediate threats.
For a deeper look at how flow data can complement your current security approach, book a personalized Plixer One demo with one of our engineers.