Jul 1, 2004
Firewalls fall into four broad categories: packet filters, circuit level gateways, application level gateways and stateful multilayer inspection firewalls.
Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They are usually part of a router. A router is a device that receives packets from one network and forwards them to another network. In a packet filtering firewall each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it or send a message to the originator. Rules can include source and destination IP address, source and destination port number and protocol used. The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering. Even if other firewalls are used, implementing packet filtering at the router level affords an initial degree of security at a low network layer. This type of firewall only works at the network layer, however, and does not support sophisticated rule based models. Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but can also hide the IP addresses of computers behind the firewall, and offer a level of circuit-based filtering.
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks. Circuit level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect. On the other hand, they do not filter individual packets.
Application level gateways, also called proxies, are similar to circuit level gateways except that they are application specific. They can filter packets at the application layer of the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, telnet or other traffic through. Because they examine packets at the application layer, they can filter application specific commands such as HTTP POST and GET. This cannot be accomplished with either packet filtering firewalls or circuit level gateways, neither of which knows anything about the application level information. Application level gateways can also be used to log user activity and logins. They offer a high level of security, but have a significant impact on network performance. This is because of context switches that slow down network access dramatically. They are not transparent to end users and require manual configuration of each client computer.
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer. They allow a direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways. They rely on algorithms to recognize and process application layer data instead of running application specific proxies. Stateful multilayer inspection firewalls offer a high level of security, good performance and transparency to end users. They are expensive, however, and due to their complexity are potentially less secure than simpler types of firewalls if not administered by highly competent personnel.
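The difference between a plain packet filter and a stateful (session-aware) firewall is easiest to see on a concrete exchange. The following is an added illustration written for this page, not code from the original post: a minimal rule matcher, a stateless filter that must open the whole high-port range inbound so web replies can get back in, and a stateful filter that records outbound sessions and admits only their replies. All addresses, ports and rule sets are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# None = any port, int = exact port, (lo, hi) = inclusive range
PortSpec = Union[None, int, Tuple[int, int]]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False   # TCP SYN marks the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "drop"
    proto: str = "any"
    src: str = "any"        # exact address or "any" (real filters also take prefixes)
    dst: str = "any"
    dport: PortSpec = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if isinstance(self.dport, int):
            return self.dport == p.dport
        if isinstance(self.dport, tuple):
            return self.dport[0] <= p.dport <= self.dport[1]
        return True


def stateless_decision(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """Plain packet filter: first matching rule wins, otherwise the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFilter:
    """Remembers sessions opened from the inside; only their replies are let back in."""

    def __init__(self, out_rules: List[Rule], in_rules: List[Rule], default: str = "drop"):
        self.out_rules, self.in_rules, self.default = out_rules, in_rules, default
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def outbound(self, p: Packet) -> str:
        action = stateless_decision(self.out_rules, p, self.default)
        # Only a new TCP connection (SYN) or a datagram protocol creates state.
        if action == "accept" and (p.proto != "tcp" or p.syn):
            self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action

    def inbound(self, p: Packet) -> str:
        # A reply reverses the endpoints of a session the inside host opened.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.sessions:
            return "accept"
        return stateless_decision(self.in_rules, p, self.default)


def demo() -> dict:
    # Constructed addresses from the documentation ranges.
    inside, web, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    request = Packet(inside, 51000, web, 80, "tcp", syn=True)
    reply = Packet(web, 80, inside, 51000, "tcp")
    unsolicited = Packet(stranger, 4444, inside, 51000, "tcp", syn=True)

    out_rules = [Rule("accept", proto="tcp", dport=80)]
    # Stateless: replies only get back if the ephemeral port range is open inbound,
    # which also admits any unsolicited packet aimed at those ports.
    stateless_in = [Rule("accept", proto="tcp", dport=(1024, 65535))]
    stateless = {
        "request": stateless_decision(out_rules, request),
        "reply": stateless_decision(stateless_in, reply),
        "unsolicited": stateless_decision(stateless_in, unsolicited),
    }
    # Stateful: no inbound rules at all; replies are matched against recorded sessions.
    spi = StatefulFilter(out_rules, in_rules=[])
    stateful = {
        "request": spi.outbound(request),
        "reply": spi.inbound(reply),
        "unsolicited": spi.inbound(unsolicited),
    }
    return {"stateless": stateless, "stateful": stateful}


if __name__ == "__main__":
    print(demo())
```

The stateless filter accepts the unsolicited SYN to port 51000 because it cannot tell a reply from a fresh inbound connection; the stateful filter drops it because no session with that peer was ever opened from inside.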
Posted at 06:16 am by firewall_pro
A network firewall is dedicated hardware or software that tries to prevent unauthorized outside network traffic from reaching individual computers (personal firewall) or a group of computers. Some firewalls also block the outflow of data packets from unauthorized programs on the protected computer.
Firewalls typically adopt one or more of the following methods to secure traffic flowing in and out of a computer or group of computers:
Network Address Translation (NAT) - works from within a network router to translate the service provider's assigned IP address to multiple addresses within the internal network. This hides the IP address of each individual computer in the network from scanner software on the Internet.
Packet Filtering - inspects each packet of network data going in and out of the firewall (packet filtering is usually implemented in hardware) and accepts or rejects packets based on a configured access policy. Most network routers implement some sort of packet filtering; it is cheap and fast but difficult to configure for heightened levels of security. This is because packet filters look at source and destination IP addresses, ports and protocols but not at the content or purpose of the packets (e.g. a filter does not know that a packet is an outgoing Outlook email).
Stateful Packet Inspection (SPI) - instead of inspecting each data packet independently, SPI filtering looks at certain characteristics of the flow of data packets and compares them against its set of configured rules. This allows more intelligent decisions but usually requires user intervention from within the firewall software.
Application Level Proxy Server - a software solution where an intermediary application secures the data traffic going in and out of a system from a particular application. When an application needs to send data to the Internet, the proxy server performs the connection and passes or fails the transaction based on earlier user configuration. As the work is done on a proxy server (internal or external), network performance is always degraded.
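The NAT entry above says the router hides each internal address behind the provider-assigned one; what it does not spell out is the translation table that makes this work and why that table also acts as a basic filter. Here is an added example, not part of the original post, of port-address translation (the kind most home routers perform): outbound packets get a fresh public port per connection, replies are mapped back by that port, and inbound packets with no matching entry, or from a peer other than the one the inside host contacted, are dropped. The `NatRouter` class and all addresses are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatRouter:
    """Port-address translation with one mapping per inside connection (hypothetical)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside_ip, inside_port, remote_ip, remote_port, proto) -> public port
        self.outbound: Dict[Tuple, int] = {}
        # (public_port, proto) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.inbound: Dict[Tuple, Tuple] = {}

    def translate_outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, p.proto)] = (p.src, p.sport, p.dst, p.dport)
        # The Internet only ever sees the router's address and the allocated port.
        return Packet(self.public_ip, self.outbound[key], p.dst, p.dport, p.proto)

    def translate_inbound(self, p: Packet) -> Optional[Packet]:
        entry = self.inbound.get((p.dport, p.proto))
        if entry is None:
            return None   # no mapping at all: unsolicited packet, dropped
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (p.src, p.sport) != (remote_ip, remote_port):
            return None   # mapped port, but not the peer the inside host talked to
        return Packet(p.src, p.sport, inside_ip, inside_port, p.proto)


def demo() -> dict:
    nat = NatRouter("198.51.100.1")              # constructed public address
    web = "203.0.113.10"                          # constructed web server
    a = Packet("192.168.1.10", 51000, web, 80)
    b = Packet("192.168.1.11", 51000, web, 80)    # same inside port, different host
    a_out, b_out = nat.translate_outbound(a), nat.translate_outbound(b)

    reply_to_a = nat.translate_inbound(Packet(web, 80, nat.public_ip, a_out.sport))
    # A scanner probing the public address: no mapping for port 22 at all.
    probe_unmapped = nat.translate_inbound(Packet("198.51.100.7", 4444, nat.public_ip, 22))
    # The same scanner hitting a port that is mapped, but for a different peer.
    probe_mapped = nat.translate_inbound(Packet("198.51.100.7", 4444, nat.public_ip, a_out.sport))
    return {
        "outside_sees": [(a_out.src, a_out.sport), (b_out.src, b_out.sport)],
        "reply_delivered_to": (reply_to_a.dst, reply_to_a.dport) if reply_to_a else None,
        "probe_unmapped": probe_unmapped,
        "probe_mapped": probe_mapped,
    }


if __name__ == "__main__":
    print(demo())
```

Both inside hosts appear to the web server as 198.51.100.1 on different ports, the reply reaches the right host because the table is keyed by the allocated port, and neither probe is forwarded. The second probe check is what gives NAT the "level of circuit-based filtering" mentioned earlier; a router that mapped by port alone would forward it.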
Posted at 06:15 am by firewall_pro
Selecting a Personal Firewall
The potential damage caused by stolen personal information such as credit-card details far outweighs the purchase price of today's good firewall software or hardware, so it's essential that you carefully select a good firewall and learn to set it up correctly.
The price difference between an inadequate firewall and a robust, effective firewall is minimal. It is more important to properly configure a good firewall than to buy the most expensive or complex.
Personal - If you just have one computer directly accessing the Internet via a modem (broadband connections are more susceptible to intrusions due to their always-connected nature), it is most cost-effective to just use good firewall software on that computer. A good software firewall is already configured to protect you from known threats and is updated automatically to tackle new threats. You may also want to consider proven firewall and antivirus suites, which save you money and are easier to configure via a single user menu.
Small Office - If you have more than one computer that needs Internet access in your office or home, you would most likely have some firewall-like features built into your router. All hardware firewalls use Network Address Translation (NAT), which shields internal network computers from the Internet.
Alternatively, you can also install a software network firewall on your network access computer, which gives much more control of firewall features.
Unfortunately, a hardware firewall does not provide much protection from worms, spyware or Trojans that can shift confidential and damaging data out of one of your computers. You would need a software firewall on each individual computer for adequate protection these days.
Traveler - A software firewall is almost the only choice for notebook users; lugging an external firewall plus power supply defeats having one of those nice Pentium-M lightweights. Also, software firewalls can be updated with tighter security features as fast as new threats surface. Many of today's security threats come from application level embedded code (from emails or websites) that sends confidential data to an external party. We hope the above helps with your Internet security shopping decisions.
Posted at 06:15 am by firewall_pro
A computer firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. It may be a hardware device or a software program running on a secure host computer. In either case, it must have at least two network interfaces, one for the network it is intended to protect, and one for the network it is exposed to. A network firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. The earliest computer firewalls were simple routers. The term "firewall" comes from the fact that by segmenting a network into different physical subnetworks, they limited the damage that could spread from one subnet to another, just like fire doors or firewalls in a building.
An Internet firewall examines all traffic routed between your network and the Internet to see if it meets certain criteria. If it does, it is routed between the networks; otherwise it is stopped. A network firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is known as protocol filtering because the decision to forward or reject traffic is dependent upon the protocol used, for example HTTP, FTP or telnet. Firewalls can also filter traffic by packet attribute or state.
There are two access denial methodologies used by computer firewalls. A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria. The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another. Computer firewalls may be concerned with the type of traffic, or with source or destination addresses and ports. They may also use complex rule bases that analyze the application data to determine if the traffic should be allowed through. How a computer firewall determines what traffic to let through depends on which network layer it operates at.
Firewalls protect private local area networks (LANs) from hostile intrusion from the Internet. Consequently, firewall protection allows many LANs to be connected to the Internet where Internet connectivity would otherwise have been too great a risk.
Firewalls allow network administrators to offer access to specific types of Internet services to selected LAN users. This selectivity is an essential part of any information management program, and involves not only protecting private information assets, but also knowing who has access to what. Privileges can be granted according to job description and need rather than on an all-or-nothing basis.
Posted at 06:14 am by firewall_pro
Is a Firewall Alone Sufficient?
The firewall is an integral part of any security program, but it is not a security program in and of itself. Security involves data integrity, service or application integrity, data confidentiality and authentication. Firewalls only address the issues of data integrity, confidentiality and authentication of data that is behind the firewall. Any data that transits outside the firewall is subject to factors out of the control of the firewall.
Many firewalls examine the source IP addresses of packets to determine if they are legitimate. A firewall may be instructed to allow traffic through if it comes from a specific trusted host. A malicious cracker would then try to gain entry by "spoofing" the source IP address of packets sent to the firewall. If the firewall thought that the packets originated from a trusted host, it may let them through unless other criteria failed to be met. Of course the cracker would need to know a good deal about the firewall's rule base to exploit this kind of weakness. This reinforces the principle that technology alone will not solve all security problems. Responsible management of information is essential. One of Courtney's laws sums it up: "There are management solutions to technical problems, but no technical solutions to management problems".
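Two points from this series are worth seeing side by side in code: the earlier post's "allow all unless" versus "deny all unless" methodologies, and this paragraph's warning that a rule trusting a source address can be satisfied by a packet that merely claims that address. The following is an added example written for this page, not the author's code: the same rule list is evaluated under both default policies, and an ingress check drops any packet that arrives on the Internet-facing interface carrying an address from the protected network, which is the standard defense against this kind of spoofing. The network, the trusted host and the rules are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    iface: str      # "ext" (Internet-facing) or "int" (protected LAN)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


INTERNAL_NET = ip_network("10.0.0.0/8")   # constructed: the protected LAN
TRUSTED_ADMIN = "10.0.0.20"              # constructed: host allowed to reach SSH

# Constructed rule base: first match wins. A missing field matches anything.
RULES: List[Dict] = [
    {"action": "accept", "src": TRUSTED_ADMIN, "dport": 22},   # trust by address only
    {"action": "accept", "dport": 80},
    {"action": "drop", "dport": 23},
]


def rule_matches(rule: Dict, p: Packet) -> bool:
    # A field absent from the rule defaults to the packet's own value, so it matches.
    return all(rule.get(f, getattr(p, f)) == getattr(p, f)
               for f in ("src", "dst", "dport", "proto"))


def decide(p: Packet, default: str, antispoof: bool = True) -> str:
    # Ingress filter: a packet on the outside interface can never legitimately
    # carry an inside address, whatever the rule base says about that address.
    if antispoof and p.iface == "ext" and ip_address(p.src) in INTERNAL_NET:
        return "drop"
    for rule in RULES:
        if rule_matches(rule, p):
            return rule["action"]
    return default


def demo() -> dict:
    server = "10.0.0.1"   # constructed
    cases = {
        "admin_ssh": Packet("int", TRUSTED_ADMIN, server, 22),
        # Arrives from the Internet but claims the admin's address.
        "spoofed_ssh": Packet("ext", TRUSTED_ADMIN, server, 22),
        "web": Packet("ext", "198.51.100.7", server, 80),
        "telnet": Packet("ext", "198.51.100.7", server, 23),
        "unlisted": Packet("ext", "198.51.100.7", server, 8080),   # no rule covers it
    }
    return {
        "default_allow": {n: decide(p, "accept") for n, p in cases.items()},
        "default_deny": {n: decide(p, "drop") for n, p in cases.items()},
        "default_deny_no_antispoof": {n: decide(p, "drop", antispoof=False)
                                      for n, p in cases.items()},
    }


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

The unlisted port is the only case the two default policies disagree on, which is why deny-by-default is the safer starting point: a forgotten rule fails closed. The last dictionary shows the paragraph's weakness directly; without the interface check, the rule base alone accepts the packet that claims the trusted address.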
A firewall cannot prevent individual users with modems from dialing into or out of the network, bypassing the firewall altogether. Employee misconduct or carelessness cannot be controlled by firewalls. Policies involving the use and misuse of passwords and user accounts must be strictly enforced. These are management issues that should be raised during the planning of any security policy but that cannot be solved with firewalls alone.
It is therefore necessary for an organization to have a well planned and strictly implemented security program that includes but is not limited to firewall protection.
Posted at 06:14 am by firewall_pro
May 24, 2004
On a computer, the firewall acts much like a guard when it looks at network traffic destined for or received from another computer. The firewall determines if that traffic should continue on to its destination or be stopped. The firewall "guard" is important because it keeps the unwanted out and permits only appropriate traffic to enter and leave the computer.
To do this job, the firewall has to look at every piece of information – every packet – that tries to enter or leave a computer. Each packet is labeled with where it came from and where it wants to go. Some packets are allowed to go anywhere while others can only go to specific places. If the firewall allows the packet to proceed (being acceptable according to the rules), it moves the packet on its way to the destination. In most cases, the firewall records where the packet came from, where it's going, and when it was seen.
The firewall can check whether a given packet should pass, allowing the computer's user to respond to unanticipated network traffic. Finally, firewalls can filter packets based not only on their point of origin or destination, but also on their content.
With a firewall, you can control which packets are allowed to enter your home computer and which are allowed to leave.
Posted at 07:23 pm by firewall_pro