Zero Trust Security and the Role of Firewalls — What to Look For
I’ve been around this industry long enough to recall when firewalls were simplistic packet filters — glorified doormen checking IDs at the door. That was the ‘90s, a long time ago, and much has changed since, especially with Zero Trust emerging as the cybersecurity gold standard.
Two weeks ago, I was working with three banks on their Zero Trust architecture updates. They all had the same question: Where do firewalls come into all this? Spoiler alert—firewalls underlie Zero Trust. Of course, not every firewall is made equal.
So, let’s break it down.
What is Zero Trust Security?
Zero Trust turns the traditional security model on its head. The old way — castle-and-moat security — assumed that anything inside the network was safe. We all know by now that’s hilariously outdated (thank you, ransomware gangs).
Zero Trust instead follows one simple, unyielding principle: Trust no one, verify all.
That means:
- Nobody has automatic access, not even those already in the network.
- Real-time verification of users, devices, applications, and traffic.
- Least privilege access — just because you can access something doesn’t mean you should.
- Micro-segmentation to contain an attacker if they do get inside.
Sounds good, right? But here’s the thing: Zero Trust is not a product you can just buy on a shelf. It’s a framework, a mindset. And firewalls are a big part of what makes that work.
The Role of Firewalls in a Zero Trust Architecture
Firewalls are no longer just perimeter defenses (assuming you even still have a traditional network perimeter). They serve as gatekeepers, applying Zero Trust principles to monitor and control traffic across multiple layers.
Here’s how they fit in:
1. Enforcing Least Privilege
Firewalls control access at a granular level: per user, device, and application. You don’t let traffic through simply because it looks normal. You explicitly permit only what is needed and deny everything else by default.
2. Micro-Segmentation
One big flat network is an attacker’s paradise. Instead, you segment everything:
- Critical databases should not mix with user networks.
- IoT devices? Keep their traffic separate from admin and corporate traffic (IoT security is a nightmare in its own right, but that’s a rant for another day).
- Third parties? Isolate them. Believe me — you do not want a vendor compromise taking down your whole company (ask Target how that worked out in 2013).
3. Deep Packet Inspection (DPI) and SSL Decryption
Attackers like to hide in encrypted traffic. Without the ability to decrypt and inspect SSL/TLS traffic, even a modern firewall is blind to what that traffic carries. Doing this properly means deploying the firewall’s inspection CA to managed endpoints and deliberately exempting the traffic you cannot or must not decrypt (certificate-pinned apps, regulated categories), so that the exemptions are a documented decision rather than an accident.
4. Identity-Based Policies
Firewalls today integrate with identity providers (Active Directory, LDAP, Okta, and so on). Rather than simply allowing or blocking traffic by IP, they enforce rules based on who the user is, where they are, and what device they’re using.
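To make items 1, 2 and 4 concrete, here is an added example (written for this article, not code from the original post or from any vendor’s product) of a first-match policy engine: zones stand in for segments, every flow that no rule explicitly allows falls through to an implicit deny, and the sensitive rules also consult the user’s groups and the device’s posture verdict rather than just addresses. The zone names, group names and rule set are a constructed sample.

```python
"""Added example (not from the original post, and not any vendor's product code).

A first-match firewall policy engine showing default-deny least privilege,
zone-based micro-segmentation, and identity-aware rules in one place.
Zone names (APP, DB, CORP, ADMIN, VENDOR, IOT, INTERNET), group names and
the rule set below are a constructed sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    user_groups: frozenset = frozenset()   # groups asserted by the identity provider; empty = unauthenticated
    device_compliant: bool = False         # posture verdict from the endpoint agent


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                          # zone name or "any"
    dst_zone: str
    ports: frozenset                       # allowed destination ports; empty = any port
    action: str                            # "allow" or "deny"
    groups: frozenset = frozenset()        # any one of these groups satisfies the rule; empty = no identity check
    require_compliant: bool = False

    def matches(self, f: Flow) -> bool:
        if self.src_zone not in ("any", f.src_zone):
            return False
        if self.dst_zone not in ("any", f.dst_zone):
            return False
        if self.ports and f.dst_port not in self.ports:
            return False
        if self.groups and not (self.groups & f.user_groups):
            return False
        if self.require_compliant and not f.device_compliant:
            return False
        return True


def P(*ports):
    return frozenset(ports)


def G(*groups):
    return frozenset(groups)


# Ordered rule set: the narrow, sensitive paths come first, then an explicit
# deny for the IoT segment so those drops are logged under a named rule.
POLICY = (
    Rule("app-to-db",     "APP",    "DB",       P(5432), "allow"),
    Rule("dba-to-db",     "CORP",   "DB",       P(5432), "allow", G("DBA"), require_compliant=True),
    Rule("netops-ssh",    "ADMIN",  "any",      P(22),   "allow", G("NetOps"), require_compliant=True),
    Rule("staff-to-app",  "CORP",   "APP",      P(443),  "allow", G("Staff")),
    Rule("vendor-portal", "VENDOR", "APP",      P(443),  "allow", G("Vendor-X")),
    Rule("iot-telemetry", "IOT",    "INTERNET", P(443),  "allow"),
    Rule("iot-isolation", "IOT",    "any",      P(),     "deny"),
)


def evaluate(flow: Flow, policy=POLICY):
    """Return (action, rule_name). Anything no rule allows is denied by default."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


if __name__ == "__main__":
    for f in (Flow("APP", "DB", 5432),
              Flow("CORP", "DB", 5432, G("Staff"), True),
              Flow("CORP", "DB", 5432, G("DBA"), True),
              Flow("IOT", "CORP", 445),
              Flow("VENDOR", "DB", 5432, G("Vendor-X"))):
        print(f, "->", evaluate(f))
```

Note what the ordering buys you: a vendor account that is allowed to reach the application portal still cannot reach the database, a DBA on a non-compliant laptop is denied the same path they are normally allowed, and every IoT drop is attributed to a named rule rather than the anonymous implicit deny.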
5. Continuous Monitoring and Analytics
A Zero Trust firewall doesn’t just stop bad things from happening; it analyzes traffic continuously, determines what’s anomalous, and tells you which behavior is worth investigating further.
And if you’re thinking about an AI-powered firewall, you’d best do so carefully. Lots of AI hype, but real-life effective AI-driven security? Still in its early days.
How Do You Select the Right Firewall?
Not every firewall is designed for Zero Trust. Some vendors simply put a Zero Trust sticker on legacy technology; don’t get sold on that. Here’s what to watch for:
1. Layered Security Capabilities
A good firewall needs to do much more than just packet filtering! It should offer:
- Application-layer filtering (filtering by app, not just ports)
- Intrusion prevention (IPS) to block known attack patterns
- Threat intelligence feeds (updates on emerging threats)
- SSL inspection (no, really, this is mandatory)
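The checklist above is only useful if those capabilities are actually attached to the rules that pass traffic. The following added example (not code from the original post or from any vendor) lints an exported rule set for exactly that: every accept rule must be scoped (no any/any/ALL), must carry TLS inspection, IPS and application-control profiles, and must log. The field names mimic a FortiGate-style policy export for readability, but the rules are a constructed sample and the key names are an assumption; map them to whatever your own vendor’s export uses.

```python
"""Added example (not from the original post, and not vendor tooling).

Hygiene check over an exported firewall rule set. Key names imitate a
FortiGate-style policy dump and are an assumption; the rules are constructed.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[int, str, str]   # (rule id, check code, message)

SAMPLE_RULES: List[Dict[str, Any]] = [
    {"id": 1, "name": "corp-to-app", "srcaddr": ["corp-net"], "dstaddr": ["app-servers"],
     "service": ["HTTPS"], "action": "accept", "ssl-ssh-profile": "deep-inspection",
     "ips-sensor": "default", "application-list": "default", "logtraffic": "all"},
    {"id": 2, "name": "legacy-any", "srcaddr": ["all"], "dstaddr": ["all"],
     "service": ["ALL"], "action": "accept", "logtraffic": "disable"},
    {"id": 3, "name": "iot-block", "srcaddr": ["iot-net"], "dstaddr": ["corp-net"],
     "service": ["ALL"], "action": "deny", "logtraffic": "all"},
]


def lint_rule(rule: Dict[str, Any]) -> List[Finding]:
    """Return the Zero Trust hygiene findings for one rule."""
    findings: List[Finding] = []
    rid = rule["id"]

    # Logging applies to allow and deny rules alike: a silent deny is a monitoring blind spot.
    if rule.get("logtraffic", "disable") == "disable":
        findings.append((rid, "NO_LOG", "rule does not log; monitoring has a blind spot"))

    if rule["action"] != "accept":
        return findings   # the remaining checks only matter for rules that pass traffic

    wide_src = "all" in rule["srcaddr"]
    wide_dst = "all" in rule["dstaddr"]
    wide_svc = "ALL" in rule["service"]
    if wide_src and wide_dst and wide_svc:
        findings.append((rid, "ANY_ANY", "accept rule with any source, destination and service defeats least privilege"))
    elif wide_src or wide_dst or wide_svc:
        findings.append((rid, "OVERBROAD", "accept rule leaves source, destination or service unscoped"))

    # Layered inspection must be bound to the rule, otherwise the capability is just a licence line item.
    if not rule.get("ssl-ssh-profile"):
        findings.append((rid, "NO_TLS_INSPECTION", "no SSL/TLS inspection profile; encrypted traffic passes unseen"))
    if not rule.get("ips-sensor"):
        findings.append((rid, "NO_IPS", "no IPS sensor; known attack patterns are not blocked"))
    if not rule.get("application-list"):
        findings.append((rid, "NO_APP_CONTROL", "no application control; rule filters by port only"))
    return findings


def lint_policy(rules: List[Dict[str, Any]]) -> List[Finding]:
    return [f for rule in rules for f in lint_rule(rule)]


if __name__ == "__main__":
    for rid, code, msg in lint_policy(SAMPLE_RULES):
        print(f"rule {rid}: {code}: {msg}")
```

Run it against a real export before a Zero Trust review: the rules that accumulate the most findings are almost always the old “temporary” any/any entries nobody remembers adding.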
2. Integration with IAM (Identity and Access Management)
Your firewall should integrate well with whichever IAM solution (Azure AD, Okta, etc.) you use to enforce user and role-based access.
3. Secure SD-WAN Capabilities
If your business operates across multiple sites or with a hybrid workforce, a Secure SD-WAN firewall helps ensure Zero Trust enforcement on the traffic between those sites.
4. Cloud Compatibility
If you are moving workloads to the cloud, look for a firewall that addresses hybrid and multi-cloud security. There are so many businesses I work with that don’t realize until it’s too late that their firewall was never designed to operate in the cloud.
5. Automated Response & Threat Intelligence
Your firewall needs to go beyond just detecting a threat; it needs to respond automatically, whether that means isolating a compromised device or blocking a known bad actor in real time. Manual intervention shouldn’t be the last line of defense.
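Continuous monitoring (item 5 in the previous section) and automated response (this item) are two halves of one loop, so here is one added example covering both (written for this article, not code from the original post or from any vendor): it parses firewall traffic logs, flags any source whose denied flows reach many distinct internal targets within a short window, a pattern consistent with internal reconnaissance or lateral movement, and emits a containment record for an automation hook. The log lines are constructed to mimic a key=value traffic log and are not real captures; the window and threshold are assumptions to tune for your environment.

```python
"""Added example (not from the original post, and not any vendor's firmware).

Detection over constructed key=value firewall traffic logs plus a containment
hand-off record. The log format, window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one noisy host, one normal host, one host with slow, spread-out denies.
SAMPLE_LOGS = """\
date=2024-05-01 time=09:00:01 type="traffic" srcip=10.1.1.5 dstip=10.2.0.7 dstport=445 proto=6 action="deny" policyid=0
date=2024-05-01 time=09:00:03 type="traffic" srcip=10.1.1.5 dstip=10.2.0.8 dstport=445 proto=6 action="deny" policyid=0
date=2024-05-01 time=09:00:05 type="traffic" srcip=10.1.1.5 dstip=10.2.0.9 dstport=445 proto=6 action="deny" policyid=0
date=2024-05-01 time=09:00:07 type="traffic" srcip=10.1.1.5 dstip=10.2.0.10 dstport=22 proto=6 action="deny" policyid=0
date=2024-05-01 time=09:00:09 type="traffic" srcip=10.1.1.5 dstip=10.2.0.11 dstport=3389 proto=6 action="deny" policyid=0
date=2024-05-01 time=09:00:10 type="traffic" srcip=10.1.1.9 dstip=10.2.0.7 dstport=443 proto=6 action="accept" policyid=12
date=2024-05-01 time=09:00:12 type="traffic" srcip=10.1.1.9 dstip=10.2.0.20 dstport=445 proto=6 action="deny" policyid=0
date=2024-05-01 time=09:03:00 type="traffic" srcip=10.1.1.22 dstip=10.2.0.7 dstport=445 proto=6 action="deny" policyid=0
date=2024-05-01 time=09:08:00 type="traffic" srcip=10.1.1.22 dstip=10.2.0.8 dstport=445 proto=6 action="deny" policyid=0
date=2024-05-01 time=09:15:00 type="traffic" srcip=10.1.1.22 dstip=10.2.0.9 dstport=445 proto=6 action="deny" policyid=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a typed event (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "ts": datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S"),
        "srcip": fields["srcip"],
        "dst": (fields["dstip"], int(fields["dstport"])),
        "action": fields["action"],
        "policyid": int(fields["policyid"]),
    }


def parse_logs(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_scanners(events, window=timedelta(seconds=60), threshold=5) -> dict:
    """Return {srcip: set of distinct (dstip, dstport)} for every source whose
    denied flows hit at least `threshold` distinct targets inside one window."""
    denied = defaultdict(list)
    for ev in events:
        if ev["action"] == "deny":
            denied[ev["srcip"]].append(ev)

    alerts = {}
    for src, evs in denied.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over this source's denies
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= threshold and len(targets) > len(alerts.get(src, ())):
                alerts[src] = targets          # keep the widest window seen
    return alerts


def build_actions(alerts: dict) -> list:
    """Containment records for an automation hook (for example, an orchestration
    rule that moves the host to a quarantine segment). This script only builds the
    record; wiring it to a real firewall API is left to the deployment."""
    return [{"action": "quarantine", "srcip": src,
             "reason": f"{len(targets)} distinct denied targets within window"}
            for src, targets in sorted(alerts.items())]


if __name__ == "__main__":
    for action in build_actions(find_scanners(parse_logs(SAMPLE_LOGS))):
        print(action)
```

The denied-to-distinct-targets ratio is the whole signal here: a single implicit-deny hit from a normal workstation (10.1.1.9) is noise, and three denies spread over a quarter of an hour (10.1.1.22) stay below the window, so only the host that fans out across five internal targets in eight seconds gets quarantined. Keep the threshold per segment; what is noisy for a user VLAN is normal for a vulnerability scanner’s source address, which should be exempted explicitly rather than by raising the bar for everyone.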
Zero Trust Solutions from PJ Networks & Fortinet
Here at PJ Networks we specialize in security architecture and have assisted many businesses and banks in augmenting their Zero Trust frameworks. Stay secure with our Fortinet Next-Gen Firewall S03: Secure Boundary.
Why Fortinet? Here’s why we stand by them:
- Built-in Zero Trust Network Access (ZTNA)
- AI-driven threat intelligence (yes, I just tore AI-powered security a new one, but Fortinet actually gets this one right)
- Seamless integration with IAM, SD-WAN, and cloud security
- Best-in-class SSL inspection without destroying performance
- World-class segmentation functionality
The second upgrade process I went over for those banks resulted in immediate benefits, including improved traffic visibility, stronger access controls, and faster reaction to threats.
Quick Take
In a hurry and don’t have time to read the full thing? Here’s the TL;DR:
- Zero Trust: Trust no one, verify everything.
- Firewalls: These are a fundamental component of Zero Trust, applying strict access control and monitoring all traffic.
- There are four features that the right firewall should deliver: deep inspection, segmentation, identity integration, and real-time threat response.
- Zero Trust is baked into Fortinet’s firewalls out of the box — and it works.
Conclusion
Firewalls aren’t dead. In fact, for a true Zero Trust strategy they’re more vital than ever. But they must be current, flexible, and identity-aware.
A standard firewall is no longer sufficient. If you are serious about Zero Trust (and you should be, in today’s threat landscape), don’t let your firewalls just filter traffic. They have to be an essential component of your Zero Trust architecture — enforcing least privilege, protecting identities, and monitoring in real time.
And if you’re still running an outdated firewall that ignores encrypted traffic? We need to talk.