What is a firewall?
A firewall is a network security device positioned between two different networks, usually between an organization’s internal, trusted network and the Internet.

What do firewalls do?
A firewall ensures that all communications attempting to cross from one network to the other meet an organization’s security policy. Firewalls track and control communications, deciding whether to allow, reject or encrypt communications. In addition to protecting trusted networks from the Internet, firewalls are increasingly being deployed to protect sensitive portions of local area networks and individual PCs.

Why does an organization need a firewall?
Organizations around the world are embracing the Internet and Internet technologies to forge new and profitable business relationships. Firewalls help organizations balance the openness of the Internet with the need to protect the privacy and integrity of sensitive business communications.

How do firewalls work?
Historically, three different technologies have been used to implement firewalls: Packet Filters, Application-Layer Gateways and Stateful Inspection.

Packet Filters

Packet filters, usually implemented on routers, filter traffic based on packet content, such as IP addresses. They examine a packet at the network layer and are application independent, which allows them to deliver good performance and scalability. They are the least secure type of firewall, however. The reason is that they are not application aware—that is, they cannot understand the context of a given communication, making them easier for hackers to break.

Application-Layer Gateways

Application gateways improve on security by examining all application layers, bringing context information into the decision process. However, they do this by breaking the client/server model. Every client/server communication requires two connections: one from the client to the firewall (which acts as a "proxy" for the desired server) and one from the firewall to the (actual) server. In addition, every application requires a new proxy, making scalability and support for new applications a problem.

Stateful Inspection

Stateful Inspection provides the highest level of security possible and overcomes the limitations of the previous two approaches by providing full application-layer awareness without breaking the client/server model. Stateful Inspection extracts the state-related information required for security decisions from all application layers and maintains this information in dynamic state tables for evaluating subsequent connection attempts. This provides a solution that is highly secure and offers maximum performance, scalability, and extensibility.