The term firewall conjures up visions of a barrier that blocks flames from spreading from one area to another.
In a sense the term is appropriate; a firewall--either a hardware device or a piece of software--controls access between your computer or network and other networks, such as the Internet. Unlike a conventional firewall, a network firewall doesn't close off all access to an area, it lets some traffic through while blocking access to other traffic. Perhaps a better way to think of a firewall is a wall of hydrants on a large skyscraper. Each hydrant represents a port. Just as firefighters connect hoses to some of the hydrants while leaving others unused, so network administrators allow users to connect to specified ports while blocking access to others. In both cases, only authorized personnel can access the on/off mechanisms.
In firewall terminology, your computer or network is considered "trusted" while other networks, like the Internet, are considered "untrusted." Most firewall solutions use rules to manage what activity is and isn't allowed. The rules you set up can enable your company to work with another business, keep your young kids off the Internet, or keep hackers out. Each port can have authorized or unauthorized uses. The trick is to enable authorized traffic without compromising the security of your network.
Given the increasing frequency and sophistication of unauthorized uses, if your computer connects to other computers, you need a firewall. Firewalls come in many types: Home users with a single computer and an Internet connection can get by with a simple software program, such as ZoneLabs ZoneAlarm; large enterprises need dedicated firewall hardware that maintain security while allowing lots of data to flow in and out.
Before choosing a firewall, note that there are two common types. Packet-filtering firewalls operate at the network layer. Positioned between your computer or network and the outside world, packet-filtering firewalls examine data packets and compare information in packet headers with the rules you've set up. Application-proxy firewalls work at the application layer. Users on the trusted network or computers must access the application-proxy firewall first to obtain access to the outside world. Rules on the application-proxy firewall determine which users and applications are authorized. All other activity is blocked.
Many firewalls combine both packet filtering and application-proxy services. Businesses may want to select one of these solutions both to protect the company and to manage internal user activity. Many business firewalls also include content blocking and logging facilities, which control what workers can do on company time.
Hardware or software?
We talked a bit earlier about software-based personal firewalls for consumers. There are also enterprise-grade firewall software solutions, but many businesses and users with home networks may wish to install and use a hardware-based firewall. These devices are especially handy in small business and SOHO networks.
Another option for budget-minded businesses and home users with networks is a dual-NIC firewall. It can be set up using a PC with two network cards. One network card routes traffic to and from the trusted network while the other card routes (or doesn't route) traffic from untrusted networks. Here again, you can define rules.
There is one other wrinkle to consider when choosing firewall technology for home or work. While you certainly want to protect your private (trusted) network or computers, you may also wish to make some services visible to outsiders. You want your Web site's features to be seen, but you hardly want to make your entire network visible to the outside world just to get visitors.
