"We are all... lucky that something hasn't obliterated IT on earth... Firewalls are like retarded routers. They just look at the ports, sources and destinations they like. If a train comes from Gare du Nord [Paris] to Waterloo [London] via Eurostar you allow it to enter the country because you trust it. That's what firewalls currently do. They don't check to see if al-Qaeda is riding inside." - Microsoft security technology architect Fred Baumhardt.
Such feelings are echoed often in the IT world these days: basically, firewalls are not that smart, or at least not often that smart. Here is one example. You could try to ban FTP by blocking port 21 on your firewall. But if you have port 22 open for ssh access, then it's possible, and indeed very easy, for the FTP service on a target server to be reconfigured to listen on port 22 instead of port 21. The firewall will then allow FTP access on port 22 to this host, because it does not check the actual content (or protocol) of the traffic; it only blocks ports. In the same way, one might exploit the fact that port 80 is often left open for HTTP and use that port to transport a different (and potentially unwanted) type of traffic. Obviously, many firewall admins have taken steps to deal with this, but this kind of problem is abundant.
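The gap described above is the difference between deciding on the port number and deciding on what the bytes actually say. The following is an added example (not from the article, and not a real product's code) of the second approach: a small application-layer classifier that looks at the first bytes each side of a TCP session sends, identifies the protocol from its banner or request line, and flags sessions whose observed protocol does not match what the port is supposed to carry. The `Flow` records, the port table and the banner heuristics are all constructed for the example; in a real deployment the flows would come from a packet capture or proxy log, and the signature list would be far longer.

```python
import re
from dataclasses import dataclass

# What a plain port filter assumes each port carries (constructed for the example).
PORT_EXPECTATIONS = {21: "ftp", 22: "ssh", 80: "http"}

# Protocol fingerprints, taken from the opening bytes of each side.
# SSH servers announce themselves with an identification string (RFC 4253).
SSH_BANNER = re.compile(rb"^SSH-\d\.\d-")
# FTP servers greet with a 220 reply (RFC 959). Note: SMTP also greets with 220,
# so this is a heuristic, not a proof; a full classifier would keep reading.
FTP_GREETING = re.compile(rb"^220[ -]")
# HTTP clients open with a request line: METHOD SP request-target SP HTTP/1.x.
HTTP_REQUEST = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r?\n")


@dataclass(frozen=True)
class Flow:
    """Minimal TCP session record: destination port and first payload each side sent."""
    dst_port: int
    client_first: bytes
    server_first: bytes


def identify_protocol(flow: Flow) -> str:
    """Name the application protocol from the opening bytes, ignoring the port entirely."""
    if SSH_BANNER.match(flow.server_first):
        return "ssh"
    if FTP_GREETING.match(flow.server_first):
        return "ftp"
    if HTTP_REQUEST.match(flow.client_first):
        return "http"
    return "unknown"


def audit(flows) -> list:
    """Return (dst_port, expected, observed) for every flow that is not what its port promises.

    'unknown' on a well-known port is reported too: a port filter would have passed it
    silently, and that is exactly the traffic an analyst wants to look at.
    """
    mismatches = []
    for flow in flows:
        expected = PORT_EXPECTATIONS.get(flow.dst_port)
        if expected is None:
            continue  # no expectation for this port, nothing to compare against
        observed = identify_protocol(flow)
        if observed != expected:
            mismatches.append((flow.dst_port, expected, observed))
    return mismatches


# Constructed sample sessions: a genuine SSH login, the article's FTP-on-port-22
# case, a normal web request, and an unidentifiable binary stream on port 80.
SAMPLE_FLOWS = [
    Flow(22, b"SSH-2.0-OpenSSH_9.6\r\n", b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow(22, b"USER anonymous\r\n", b"220 FTP server ready\r\n"),
    Flow(80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    Flow(80, b"\x00\x01\x02\x03binary", b""),
]

if __name__ == "__main__":
    for port, expected, observed in audit(SAMPLE_FLOWS):
        print(f"port {port}: expected {expected}, observed {observed}")
```

Running the block prints two alerts, for the FTP daemon answering on port 22 and for the unclassifiable stream on port 80; the two legitimate sessions pass. The same structure generalises to any port/protocol pair: the port table states policy, and the classifier supplies the evidence the port number alone cannot.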
Baumhardt recommends Microsoft's Internet Security and Acceleration (ISA) Server 2004 as a solution to the problem of a weak firewall. This software, Baumhardt claims, can sustain 1.9-gigabit throughput while inspecting port traffic at the application layer, which could give administrators better visibility into what their traffic actually contains.