You are spot on.
Often getting "in" is easy depending on if the sysadmin is paying attention
,but some tools to help you are employing Dynamic NAT (Network Address Translation)
and a proxy in front.
My issue was that I sometimes use a proxy for a security testing environment, and sometimes new betaware can contain malware.
In this case, Zone alarm did not prevent my download,(which it's not really designed to do) but when then malware attempted to phone home, Zone Alarm caught it.
However, there are many malware rootkits which are very good at hiding.
Most important is to block any IRC ports.
In fact, it's a good idea to disable ALL ports except the ones specifically being used.
There's a bit of Metablade in all of us.