A firewall is the first line of defense for basic network security. It is usually a separate device that sits between the untrusted network (the Internet) and the trusted network (the intranet). Its role is to stop individuals on the untrusted network from gaining unauthorized access to information on the trusted network, while allowing defined access from the trusted network out to the untrusted one. It does this by enforcing a policy: traffic that is not explicitly allowed is denied.
An analogy for a firewall is a moat around a castle, with the drawbridge being the firewall device. The drawbridge is controlled by guards who let only certain traffic in, usually after inspecting it, and who let traffic out only if it has permission.
There is usually a third network, commonly referred to as the DMZ or demilitarized zone. It is separate from both the others but can communicate with both. It is a semi-trusted area, protected by the firewall, that holds the services which must be reachable from the untrusted network (a public web or mail server, for example), so only the traffic those services need is allowed in. Any traffic from the DMZ into the trusted network must abide by strict rules, typically only specific DMZ hosts to specific internal hosts and ports, so that a compromised DMZ machine gains as little as possible and errant requests are denied. A DMZ-enabled firewall therefore has at least three network interfaces, one for each network.
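The three-zone policy described above, as an added example that is not part of the original text: a small Python model of a DMZ-enabled firewall's rule set, evaluated first-match with default deny, plus the connection tracking that lets replies back in without a permissive inbound rule. The address ranges, rule list, class names and sample packets are all assumed for illustration; real firewalls express the same structure in their own rule languages.

```python
"""Three-zone (untrusted / DMZ / trusted) packet-filter model.

Added example, not code from the original text. The address plan, the
policy and the sample packets are constructed, hypothetical values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Assumed address plan: the network behind each firewall interface.
ZONES = {
    "trusted": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),  # RFC 5737 TEST-NET-1, a stand-in
}


def zone_of(addr: str) -> str:
    """Map an address to the zone whose interface it arrives on or leaves by."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"  # everything else is the Internet side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "any" matches every zone
    dst_zone: str
    proto: str               # "any", "tcp" or "udp"
    dport: Optional[int]     # None = any destination port
    src_host: Optional[str]  # pin the rule to one source address when set
    action: str              # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (
            self.src_zone in ("any", zone_of(pkt.src))
            and self.dst_zone in ("any", zone_of(pkt.dst))
            and self.proto in ("any", pkt.proto)
            and self.dport in (None, pkt.dport)
            and self.src_host in (None, pkt.src)
        )


# Ordered policy: first matching rule wins; anything unmatched is denied.
POLICY: List[Rule] = [
    # Internet may reach only the published web service in the DMZ.
    Rule("untrusted", "dmz", "tcp", 443, None, "allow"),
    # Internet never reaches the trusted network directly.
    Rule("untrusted", "trusted", "any", None, None, "deny"),
    # Only the DMZ web server, only to the database port, into trusted.
    Rule("dmz", "trusted", "tcp", 5432, "192.0.2.10", "allow"),
    Rule("dmz", "trusted", "any", None, None, "deny"),
    # Trusted clients may go out to the Internet and may manage DMZ hosts.
    Rule("trusted", "untrusted", "tcp", None, None, "allow"),
    Rule("trusted", "dmz", "tcp", 22, None, "allow"),
]


def decide(pkt: Packet, policy: List[Rule] = POLICY) -> str:
    """First matching rule wins; a packet matching no rule is denied."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Adds connection tracking: replies to a flow the policy already
    allowed pass without an 'allow untrusted -> trusted' rule."""

    def __init__(self, policy: List[Rule] = POLICY) -> None:
        self.policy = policy
        self.flows: Set[Tuple[str, str, str, int, int]] = set()

    def filter(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.flows:
            return "allow"  # reply to an admitted flow
        verdict = decide(pkt, self.policy)
        if verdict == "allow":
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return verdict


if __name__ == "__main__":
    fw = StatefulFilter()
    samples = [  # constructed packets, not captured traffic
        Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 443),   # web in
        Packet("203.0.113.5", "10.1.1.20", "tcp", 40000, 445),    # SMB in
        Packet("192.0.2.10", "10.1.1.20", "tcp", 50000, 5432),    # DB from DMZ
        Packet("192.0.2.11", "10.1.1.20", "tcp", 50000, 5432),    # other host
        Packet("10.1.1.20", "203.0.113.5", "tcp", 50000, 443),    # browse out
        Packet("203.0.113.5", "10.1.1.20", "tcp", 443, 50000),    # its reply
    ]
    for p in samples:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {fw.filter(p)}")
```

The ordering matters: the explicit deny from DMZ to trusted sits right after the one allowed exception, so a later, broader rule can never reopen that path by accident. The stateful wrapper shows why a stateless "three interfaces, three rule directions" design is not enough on its own: without tracking, the reply to an outbound web request looks like an unsolicited Internet packet bound for the trusted network.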
Figure 17 shows a firewall with a DMZ. This is the usual configuration for a firewall.
Figure 17. Firewall with DMZ
Figure 18 shows a more secure firewall configuration. The reason for having two firewall devices from different manufacturers is two-fold. First, with only one device, any bug or security hole in that firewall's software could allow a direct connection between the untrusted and trusted networks. Second, using hardware/software combinations from different manufacturers stops an attacker from using the same exploit or security hole on both devices, so two independent products must be defeated before the trusted network is reached. The price is two rule sets to keep consistent and two products to patch.
Figure 18. Secure firewall configuration
Firewalls can be implemented in either hardware or software. A hardware firewall is a purpose-built appliance that runs the supplier's own operating system and firewall software. Any patches the firewall supplier provides should be applied as soon as possible to minimize the window in which a known hole can be attacked.
A software firewall is a program loaded onto a general-purpose computer, usually a PC, to provide the service. To be effective, a software firewall relies on the underlying operating system being secure, so you should make sure that all of the operating system manufacturer's patches are applied along with any updates to the firewall software. Avoid running anything else on a software firewall's host machine: every extra service is more exposed code, and a compromise of that service is a compromise of the firewall itself. Some software firewalls do not use an underlying general-purpose operating system; they run on standard hardware but load their own proprietary operating system along with the firewall software.