Firewalls: a "choke-point" that sits between a private network and the Internet. By funneling all traffic through a single point, a firewall makes it much easier to defend the private network from attacks from the Internet.
The purpose of firewalls is to defend against unauthorized access. However, care should be taken in understanding their capabilities. They are a static defense, much like a fence around a house. They neither detect intrusions nor respond to them. That is the job of an intrusion detection system (IDS).
A recent study by the Computer Security Institute found that about 30% of large corporations with firewalls are still hacked. Moreover, firewalls do not protect against internal mischief, which accounts for about 80% of corporate losses due to hacking. Firewalls are only the first stage of defense.
The simplest firewall is a packet filter with a ruleset that allows only outgoing TCP connections. In particular, this would filter out UDP traffic, ICMP traffic, and incoming TCP segments without the ACK bit set (such segments occur only when a TCP connection is being established). Virtually all routers these days support such a configuration. In some cases, rules are added to allow incoming SMTP (e-mail) and web traffic.
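The ruleset described above, modeled as an added example (not code from the original page) that evaluates it against constructed packets. The Packet type, the INSIDE/OUTSIDE labels, the function names and the sample ports are assumptions of this sketch. The last sample packet shows the limit of deciding on the ACK bit alone.

```python
from typing import NamedTuple

INSIDE, OUTSIDE = "inside", "outside"  # side of the firewall the packet arrives from

class Packet(NamedTuple):
    proto: str              # "tcp", "udp" or "icmp"
    arrives_from: str       # INSIDE or OUTSIDE
    dst_port: int = 0
    syn: bool = False
    ack: bool = False

def filter_packet(pkt, inbound_services=frozenset()):
    """Stateless decision for one packet: returns (verdict, reason).

    inbound_services holds TCP ports opened to the Internet, e.g. {25, 80}.
    """
    if pkt.proto != "tcp":
        return "DROP", "UDP and ICMP are filtered"
    if pkt.arrives_from == INSIDE:
        return "ACCEPT", "outgoing TCP"
    if pkt.dst_port in inbound_services:
        return "ACCEPT", "inbound service explicitly allowed"
    if pkt.ack:
        # No connection table: the ACK bit alone is taken as proof of a reply.
        return "ACCEPT", "ACK set, assumed to belong to an existing connection"
    return "DROP", "inbound TCP without ACK (new connection attempt)"

# Constructed sample traffic; ports and flags are illustrative.
SAMPLE = {
    "outbound SYN to a web server": Packet("tcp", INSIDE, 80, syn=True),
    "web server's SYN+ACK reply": Packet("tcp", OUTSIDE, 49152, syn=True, ack=True),
    "inbound SYN to port 22": Packet("tcp", OUTSIDE, 22, syn=True),
    "inbound SYN to SMTP": Packet("tcp", OUTSIDE, 25, syn=True),
    "outbound UDP DNS query": Packet("udp", INSIDE, 53),
    "inbound ICMP echo request": Packet("icmp", OUTSIDE),
    # The filter cannot tell this from a genuine reply; a stateful filter can.
    "inbound ACK with no prior connection": Packet("tcp", OUTSIDE, 49152, ack=True),
}

def verdicts(inbound_services=frozenset()):
    """Map each sample packet's label to ACCEPT or DROP."""
    return {name: filter_packet(p, inbound_services)[0] for name, p in SAMPLE.items()}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:40s} {filter_packet(pkt, {25, 80})}")
```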
This configuration allows for web surfing, e-mail, and FTP traffic, but restricts most other applications. Every year, as new Internet applications are developed, firewall vendors add new features to support them. Firewalls are becoming very complex devices. A big concern of firewall administrators is how to tunnel applications through the firewall, such as video conferencing and home access to the corporation (VPN).
Beyond packet filtering, there are several other technologies available, such as NAT, Stateful Packet Filter (SPF), and Proxies.