Firewalls can be complex hardware devices with processors, cooling fans, and memory, but all firewalls are basically defensive and preventive devices that sit between your internal company network and the Internet. Effectively configured, managed, and maintained, firewalls provide great protection against unknown or malicious unauthorized access to your company network while allowing safe, authorized traffic to pass in and out. The firewall accomplishes this by analyzing all the data that passes through it, pre-screening it against special rule sets and attack signatures.
Rule sets are just what they sound like. They’re special rules that you can create to allow or deny specific types of traffic. You can, for instance, create a rule to filter incoming Internet traffic if the traffic is going on TCP port 21 and 22, but to allow incoming traffic on TCP port 53, for instance. If this sounds confusing, it’s really not. Most firewalls also have decent GUI interfaces and help guides to walk you through a secure installation. Rule sets usually use packet filtering and other techniques. The firewall checks packet headers for information and destination and source addresses, destination and source ports, and the contents of the data being transmitted. From this information the firewall can drop or allow traffic at a blistering pace.
Attack signatures are similar to rule sets, but they are usually preset and do not allow you to create your own attack signatures. To do that, you’d need to use something like the Snort Intrusion Detection System. Attack signatures analyze traffic flow for well known types of attacks. These can watch for things like a sudden influx of UDP traffic (a symptom of Denial of Service) and the attack signatures can even identify hidden executable files, perhaps hidden inside PING traffic (this would probably indicate a backdoor on the internal network, at which point everything should be considered compromised.)
Firewalls can be dedicated hardware appliances, or they can be software installed on a computer (with at least two network adapters for Internal and external traffic. The computer would then act as the firewall. To be honest, most firewalls you see today are combinations of software and hardware.
Most businesses small, medium, and large should get a hardware firewall. I really don’t recommend a software firewall. They’re fun to set up for lab environments, and there’s nothing WRONG with them. Linux offers a ton of high quality software firewall packages and they are free! However, the ease-of-setup tradeoff with the cost is something I think most businesses can swallow. Truth is, hardware solutions are so much simpler. Just some names to consider. Barracuda, WatchGuard, and Zyxel all offer great hardware firewalls. Check some of them out.
A firewall is only as good as the IT personnel tasked to deploy and maintain it. It’s critical, and I do mean critical, for the firewall administrators (and anyone else who works on the thing) to LEARN about all of its unique features. You should be able to configure this thing a bunch of different ways and test what works best. You should be able to perform a penetration test against the device to determine how easy it may be for someone malicious to hack into it. Firewall testing like this is another critical part of this equation. You will need to adopt a regular schedule of scanning the firewall and testing it for vulnerabilities. The point is, know the device. I’ll leave it at that.
Ongoing maintenance tends to be easy on firewall appliances like the WatchGuard or Zyxel firewalls. You will do periodic updates to the firmware, and backups of the configuration file. But that’s about it. Hardware firewalls run themselves once you get them set up and configured properly. But keep this in mind, before making ANY configuration changes to the firewall, ALWAYS get a backup beforehand. This will save your ass, I swear. Especially if you make ruleset changes, you want a backup you can quickly restore to if necessary. I can’t tell you the number of times a “simple rule change” on the firewall ends up cutting off Internet access. Trust me, you do not want the corporate weiners bitching in your ears. These guys know how to bitch. It’s impressive. Just get a backup of the firewall before making any changes, and you’re already above a lot of your competition. So many people don’t do backups… It takes 10 seconds. I don’t get it.