A network device through which network traffic passes, such as (commonly) a router/gateway or (sometimes) a bridge/switch, which can filter or otherwise impose arbitrary restrictions on the traffic. It can therefore be used to present a hurdle for someone sitting on one side of the FireWall and trying to do something unwelcome or malicious to a system on the other side. Commonly, a FireWall is more permissive in one direction than the other, thus yielding an inside-vs-outside-the-FireWall configuration. The actual FireWall can be implemented in software (the usual case with routers) or hardware.

Dividing the network in this manner is both useful and problematic:

• It’s useful because it can provide a single hardened entry control point which effectively prevents initial attacker reconnaissance. It also prevents direct access to internal systems which might run services for whom a new exploit was just published, buying time for the administrator(s) to secure the systems.
• It’s problematic because a lot of threats are internal, and as such entirely outside the scope of FireWall protection. A FireWall also must permit at least certain traffic (otherwise it’d be more effective to just cut the connection). Therefore, a FireWall can be no license for neglecting to keep every single machine on the network secure.

A FireWall is an effective and financially efficient time-buying measure that protects the systems you control from falling victim to attacks you didn’t have the chance to learn about yet; not more.

See also:

• HowFirewallingWorks
• FirewallNotes
• FirewallingPeerToPeer
• PerrysFirewallingScript