As the name implies, a firewall is a protection device to shield vulnerable areas from some form of danger. In the context of the Internet, a firewall is a system, e.g., a router, a personal computer, a host, or a collection of hosts, set up specifically to shield a site or subnet from protocols and services that can be abused from hosts outside the subnet. A firewall system is usually located at a higher-level gateway, such as a site's connection to the Internet; however, firewalls can also be located at lower-level gateways to protect some smaller collection of hosts or subnets.
The general reasoning behind firewall usage is that without a firewall, a subnet's systems are more exposed to inherently insecure services such as NFS or NIS and to probes and attacks from hosts elsewhere on the network. In a firewall-less environment, network security is totally a function of each host on the network and all hosts must, in a sense, cooperate to achieve a uniformly high level of security. The larger the subnet, the less manageable it is to maintain all hosts at the same level of security. As mistakes and lapses in security become more common, break-ins can occur not as the result of complex attacks, but because of simple errors in configuration and inadequate passwords.
A firewall can greatly improve network security and reduce risks to hosts on the subnet by filtering inherently insecure services and by providing the capability to restrict the types of access to subnet hosts. As a result, the subnet environment poses fewer risks to hosts, since only selected protocols will be able to pass through the firewall and only selected systems will be reachable from the rest of the network. Occasional errors and configuration problems that reduce host security are better tolerated, as is the internal use of protocols such as NIS and NFS. A firewall system offers the following specific advantages:
A firewall not only keeps easily exploited services from entering a subnet, it also permits those services to be used on the inside subnet without fear of exploitation from outside systems. A firewall's protection is bi-directional; it can also protect hosts on the outside of the firewall from attacks originating from hosts on the inside by restricting outbound access.
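The following is an added illustration of the policy just described, not code from the original text: a small simulated packet filter with an ordered rule list and a default-deny fallback. The site layout (protected subnet 192.0.2.0/24, mail gateway 192.0.2.25, an outside host 203.0.113.5) and the policy itself are constructed assumptions. It shows the three points above in one place: NFS and the portmapper are denied when they arrive from outside but pass freely between inside hosts, only one selected inside system is reachable from outside and only on SMTP, and outbound access is restricted as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed site layout: the protected subnet is 192.0.2.0/24 (a documentation
# range) and 192.0.2.25 is its designated mail gateway. Both are assumptions.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
MAIL_GATEWAY = "192.0.2.25"

# Well-known ports for the services the text names.
SUNRPC, NFS, TELNET, FTP, SMTP, X11 = 111, 2049, 23, 21, 25, 6000


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    direction: str                  # "in" (toward the subnet) or "out" (leaving it)
    proto: Optional[str] = None     # None matches either protocol
    dport: Optional[int] = None     # None matches any destination port
    dst_host: Optional[str] = None  # None matches any destination address


def direction_of(pkt: Packet) -> str:
    """Classify a packet relative to the protected subnet."""
    src_inside = ipaddress.ip_address(pkt.src) in INTERNAL_NET
    dst_inside = ipaddress.ip_address(pkt.dst) in INTERNAL_NET
    if dst_inside and not src_inside:
        return "in"
    if src_inside and not dst_inside:
        return "out"
    return "internal"   # stays on one side; never crosses the firewall


def matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    return (rule.direction == direction
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.dst_host is None or rule.dst_host == pkt.dst))


def decide(policy: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything not explicitly permitted is denied."""
    direction = direction_of(pkt)
    if direction == "internal":
        return "permit"   # host-to-host traffic on the subnet is not filtered here
    for rule in policy:
        if matches(rule, pkt, direction):
            return rule.action
    return "deny"


# Sample policy for the constructed site (an assumption, not a recommendation).
POLICY = [
    # Inherently insecure services never come in from outside, whatever follows.
    Rule("deny", "in", dport=SUNRPC),
    Rule("deny", "in", dport=NFS),
    # Outside hosts may reach exactly one inside system, and only for SMTP.
    Rule("permit", "in", proto="tcp", dport=SMTP, dst_host=MAIL_GATEWAY),
    # Outbound access is restricted too: mail and FTP out, nothing else
    # (so telnet and X11 from inside hosts to the Internet are also blocked).
    Rule("permit", "out", proto="tcp", dport=SMTP),
    Rule("permit", "out", proto="tcp", dport=FTP),
]

if __name__ == "__main__":
    outside, inside, peer = "203.0.113.5", "192.0.2.10", "192.0.2.11"
    for pkt in [Packet(outside, inside, "udp", NFS),        # deny
                Packet(inside, peer, "udp", NFS),           # permit (never leaves subnet)
                Packet(outside, MAIL_GATEWAY, "tcp", SMTP), # permit
                Packet(outside, inside, "tcp", SMTP),       # deny (not the gateway)
                Packet(inside, outside, "tcp", TELNET),     # deny (outbound restricted)
                Packet(inside, outside, "tcp", FTP)]:       # permit
        print(f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}: {decide(POLICY, pkt)}")
```

Rule order matters: the explicit denies for SUNRPC and NFS sit ahead of every permit, so a later, broader permit cannot accidentally reopen them. The simulation is stateless and looks only at the destination port of each packet, which is where such a filter's limits show: reply traffic and FTP's separately negotiated data connection need either state tracking or a proxy, which is one reason the text lists FTP among the services a firewall may hamper.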
Against these advantages, there are some disadvantages to using firewalls, the most obvious being that certain types of network access may be hampered or even blocked for some hosts, including telnet, ftp, X Windows, NFS, NIS, etc. However, these disadvantages are not unique to firewalls; network access could be restricted at the host level as well, depending on a site's security policy.
A second disadvantage with a firewall system is that it concentrates security in one spot as opposed to distributing it among systems, thus a compromise of the firewall could be disastrous to other less-protected systems on the subnet. This weakness can be countered, however, with the argument that lapses and weaknesses in security are more likely to be found as the number of systems in a subnet increase, thereby multiplying the ways in which subnets can be exploited.
Another disadvantage is that relatively few vendors have offered firewall systems until very recently. Most firewalls have been somewhat ``hand-built'' by site administrators; the time and effort that goes into constructing a firewall, however, may outweigh the cost of a vendor solution. There is also no firm definition of what constitutes a firewall; the term ``firewall'' can mean many things to many people.