The name firewall comes from a common architectural practice of placing a brick wall between two structures, to prevent a fire in one from spreading to the other. That’s a useful way to think of what a security firewall does: it provides a barrier to control network traffic both into and out of an organization’s Internet-connected network, or perhaps between different segments of an internal network.
Firewalls can take many forms, from dedicated appliances to software that runs on general-purpose servers to one function of a multi-function security appliance. Generally the firewall has two network interfaces: one for the external side of the network, one for the internal side. Its purpose is to control what traffic is allowed to traverse from one side to the other.
At the most basic level, firewalls can block traffic intended for particular IP addresses or server ports. Typically, companies set up their firewalls to allow incoming connections to port 80, which is the standard port used by Web servers. This allows visitors to reach a corporate web site, for example, but “untrusted” traffic intended for some other port would be denied access. Untrusted means the origin of the traffic is unknown. Company employees who have proper credentials, such as a username and password, would be allowed access via a secure connection, typically a virtual private network.
Traffic from the trusted inside of the network would be allowed to traverse the firewall and connect to the Internet, allowing users to employ services such as email and FTP.
When configured correctly, firewalls also provide protection against threats including denial of service (DoS) attacks. A DoS attack occurs when an intruder barrages a corporate web site with a flood of traffic, so much so that it brings the web server down and, potentially, allows the intruder to break into it. From there, the intruder may be able to access other network resources.
More complex firewalls support “stateful inspection” techniques, where the firewall looks at patterns in traffic flows to identify anomalies that suggest some form of attack is underway, such as DoS attacks or spoofing attacks, where an intruder tries to masquerade as a trusted resource.
In practice, most companies deploy two firewalls to create a DMZ, or demilitarized zone. One firewall connects to the Internet while the other connects to the internal network. In between the two is the DMZ, where companies put their public-facing Web servers. The idea is that, even if an intruder succeeds in hacking into the Web server, such as via a DoS attack, the second firewall will prevent him from accessing the private corporate network.
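The port filtering described above and the two-firewall DMZ layout can be modelled as a small first-match, default-deny rule evaluator. This is an added example, not code from the article or from any firewall product; the address ranges, zone names and rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan for the example (not from the article).
ZONES = {"dmz": ip_network("203.0.113.0/24"), "internal": ip_network("10.0.0.0/8")}

def zone(ip: str) -> str:
    """Classify an address; anything outside the DMZ and internal ranges is 'internet'."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_zone: str
    dst_zone: str
    proto: str = "any"
    dport: Optional[int] = None   # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.src_zone == zone(p.src) and self.dst_zone == zone(p.dst)
                and self.proto in ("any", p.proto) and self.dport in (None, p.dport))

def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    return next((r.action for r in rules if r.matches(p)), "deny")

# Outer firewall (Internet <-> DMZ): only TCP port 80 is allowed in to the web servers.
OUTER = [Rule("allow", "internet", "dmz", "tcp", 80),
         Rule("allow", "dmz", "internet"),
         Rule("allow", "internal", "internet")]
# Inner firewall (DMZ <-> internal network): nothing from the DMZ reaches the inside.
INNER = [Rule("allow", "internal", "dmz"),
         Rule("allow", "internal", "internet"),
         Rule("deny", "dmz", "internal")]

# Firewalls a packet crosses, in order, for each pair of zones.
PATH = {("internet", "dmz"): [OUTER], ("dmz", "internet"): [OUTER],
        ("dmz", "internal"): [INNER], ("internal", "dmz"): [INNER],
        ("internal", "internet"): [INNER, OUTER], ("internet", "internal"): [OUTER, INNER]}

def verdict(p: Packet) -> str:
    """A packet gets through only if every firewall on its path allows it."""
    hops = PATH.get((zone(p.src), zone(p.dst)), [])
    if not hops:   # same zone: no firewall in the way
        return "allow"
    return "allow" if all(evaluate(fw, p) == "allow" for fw in hops) else "deny"
```

Even if a DMZ web server is compromised, a packet it sends toward the internal network is stopped by the inner firewall, which is the containment property the DMZ design is meant to give.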
In a similar fashion, companies can configure multiple firewalls inside their corporate network to essentially divide the network into multiple segments. That helps contain the damage should some form of worm or other malware be unleashed in any given segment.