There is not a single firewall which cannot be penetrated. The basic reason behind this is that a firewall only looks at ports and does not decode the protocol of the data flowing through that port. You can only make your firewall stronger, not 100% penetration-proof. First, instead of a blacklist of ports to be blocked, maintain a whitelist of ports to be allowed. You can embed an NBA (Network Behavior Analysis) module to make the firewall take more intelligent actions.
You need to use advanced IDS systems to decode application-level protocols to take care of the shortcomings.
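
The two layers described in the answer above, as an added example that is not part of the original post: a default-deny port allowlist, followed by a minimal application-layer check that flags traffic on an allowed port whose first payload does not match the expected protocol. The policy table, function names and sample payloads are assumptions constructed for illustration.

```python
# Assumed policy: only these destination ports are allowed (default deny).
ALLOWED_PORTS = {80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

def port_verdict(dst_port):
    """What a port-only firewall decides: it never looks at the payload."""
    return "allow" if dst_port in ALLOWED_PORTS else "deny"

def looks_like_http(payload):
    # Request line must be: METHOD SP target SP HTTP/1.x CRLF
    line, sep, _ = payload.partition(b"\r\n")
    version = line.rsplit(b" ", 1)[-1]
    return bool(sep) and line.startswith(HTTP_METHODS) \
        and version in (b"HTTP/1.0", b"HTTP/1.1")

def looks_like_tls(payload):
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04
    return (len(payload) >= 5 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)

DECODERS = {"http": looks_like_http, "tls": looks_like_tls}

def inspect(dst_port, payload):
    """Allowlist first, then decode the protocol expected on that port."""
    if port_verdict(dst_port) == "deny":
        return "deny: port not on allowlist"
    proto = ALLOWED_PORTS[dst_port]
    if not DECODERS[proto](payload):
        return f"alert: port {dst_port} allowed but payload is not {proto}"
    return "allow"

# Constructed first-payload bytes of four connections (not real captures).
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_9.6\r\n"),           # non-HTTP on an allowed port
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0x2F]) + b"\x01" * 47),
    (23, b"login: "),                            # port not on the allowlist
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, "port-only:", port_verdict(port), "| inspected:",
              inspect(port, data))
```

The second sample is the case the answer describes: the port-only verdict is "allow", and only the protocol check raises an alert.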