What is a firewall?
A firewall is a network component that allows a single point of access between
your internal network and "the evil internet." Most of the time you only need
your network to be connected to the outside for a very small number of things.
The primary advantage of a firewall is that the security officer can concentrate
their efforts on a single point of entry rather than on hundreds or thousands of
access points.
The primary disadvantage of a firewall (well, not really a disadvantage but
an unfortunate side effect) is that the security officer will generally not spend
much time at all on the security of the internal network. Thus if the firewall
is ever compromised, or another access point is discovered, the internal hosts
are totally open to attack.
Firewalls are usually constructed out of a workstation with two (or more)
interfaces. This can be done with anything from a PC with two ethernet cards
to a dedicated hardware platform designed specifically for firewall applications.
Some examples of services that an internal network might want to share with the
outside world include:
Email
News
DNS
Web
Time service
Remote access (telnet, rlogin, etc.)
Types of firewalls
There are two main types of firewalls: filtering and proxy.
Filtering firewall
A filtering firewall decides whether to forward a packet based on certain criteria
such as source, destination, packet type, originating and destination port
number, and others.
For example, I can allow anyone on the outside to connect to port 25 so they
can send mail directly to internal machines, or to port 80 so they can get data
directly off web servers.
This is generally a bad idea since you're giving anyone complete access
to your sendmail daemons and web servers. If there exists any hole in anything
running on port 25 (doesn't even have to be sendmail) then you're vulnerable
and the firewall is useless. A much better idea is to use a proxy firewall.
Proxy firewall
A proxy firewall is one that explicitly acts on behalf of the machine on either
the internal or external net. For example, I could run a proxy mail gateway
on my firewall that passes mail traffic on a message basis, so I do not have
to worry about outsiders directly connecting to my internal net. The same would
go for a proxy web server. Most proxy web servers can also act as a caching
server and greatly speed up web connections.
Proxy firewalls also allow much more logging capabilities since the firewall
is the component that is doing the processing of the messages.
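As an added illustration of the "message basis" point (this is example code written for these notes, not part of the original text): a toy mail gateway that accepts each message from the outside, decides per message whether it may be queued for the internal mail host, and writes one log line per decision. The internal domain, the size limit and the sample messages are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed values for the example; a real gateway would read these from its config.
INTERNAL_DOMAIN = "example.internal"
MAX_MESSAGE_BYTES = 10 * 1024 * 1024


@dataclass
class MailProxy:
    """A message-level relay: outsiders talk only to the proxy, never to the
    internal mail host, and every message is checked and logged individually."""
    internal_mailhost: str
    log: List[str] = field(default_factory=list)

    def accept(self, peer: str, mail_from: str, rcpt_to: str, body: bytes) -> str:
        reasons = []
        # Only deliver inward; refusing other destinations stops the gateway
        # from being used as an open relay.
        if not rcpt_to.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append("recipient not in internal domain")
        if len(body) > MAX_MESSAGE_BYTES:
            reasons.append("message exceeds size limit")
        decision = "queued" if not reasons else "rejected"
        detail = (": " + "; ".join(reasons)) if reasons else ""
        # The proxy sees the whole message, so the log can say far more than
        # a packet filter's "port 25 from X" would.
        self.log.append(
            f"peer={peer} from={mail_from} to={rcpt_to} "
            f"size={len(body)} next_hop={self.internal_mailhost} {decision}{detail}"
        )
        return decision


def run_sample() -> Tuple[List[str], List[str]]:
    """Feed two constructed messages through the proxy; returns (decisions, log)."""
    proxy = MailProxy(internal_mailhost="mail.example.internal")
    decisions = [
        proxy.accept("203.0.113.5", "alice@example.org",
                     "bob@example.internal", b"Hello Bob"),
        proxy.accept("203.0.113.5", "alice@example.org",
                     "carol@elsewhere.example", b"Please relay this"),
    ]
    return decisions, proxy.log


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

The first message is queued for the internal host; the second, addressed to an outside domain, is rejected and the reason is recorded in the log.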
Design Methodologies
We showed earlier that there are two main design methodologies. In reference to
firewalls there are two ways of setting them up. The dumb way, and the smart
way.
The dumb way is to filter out the traffic you don't want and to allow everything
else. This is an extremely bad idea, yet it's amazing how many folks actually
do this.
The smart way is to turn off all services and use proxy mechanisms for the things
that you need. Turn on as little as possible to reduce the number of unknowns.
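To make the filtering criteria and the two design methodologies concrete, here is an added example (written for these notes, not code from the original) of a toy packet filter. Each rule matches on the fields listed above (source, destination, packet type, destination port), the first matching rule wins, and a default applies when nothing matches. The "dumb" rule set denies the services someone thought of and allows the rest; the "smart" rule set denies everything and opens only mail and web. The addresses, hosts and sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # packet type, e.g. "tcp" or "udp"
    sport: int    # originating port
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None means "any"
    src: Optional[str] = None    # network in CIDR form, None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; the default decides packets no rule mentions."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Assumed internal network and servers (documentation address ranges).
INTERNAL = "192.0.2.0/24"
MAIL_HOST = "192.0.2.10"
WEB_HOST = "192.0.2.11"

# The dumb way: block what you don't want, allow everything else.
DEFAULT_ALLOW_RULES = [
    Rule("deny", proto="tcp", dst=INTERNAL, dport=23),   # telnet
    Rule("deny", proto="tcp", dst=INTERNAL, dport=513),  # rlogin
]

# The smart way: deny everything, open only the services that are needed.
DEFAULT_DENY_RULES = [
    Rule("allow", proto="tcp", dst=MAIL_HOST, dport=25),  # inbound mail
    Rule("allow", proto="tcp", dst=WEB_HOST, dport=80),   # public web server
]

# Constructed sample traffic arriving from the outside.
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "mail to mail host": Packet("203.0.113.5", MAIL_HOST, "tcp", 40001, 25),
    "web to web host": Packet("203.0.113.5", WEB_HOST, "tcp", 40002, 80),
    "telnet to workstation": Packet("203.0.113.5", "192.0.2.42", "tcp", 40003, 23),
    "unlisted service on workstation": Packet("203.0.113.5", "192.0.2.42", "tcp", 40004, 8080),
}


def audit(pkt: Packet) -> Tuple[str, str]:
    """Return (decision under default-allow, decision under default-deny)."""
    return (evaluate(DEFAULT_ALLOW_RULES, "allow", pkt),
            evaluate(DEFAULT_DENY_RULES, "deny", pkt))


def audit_all() -> Dict[str, Tuple[str, str]]:
    return {name: audit(pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for name, (dumb, smart) in audit_all().items():
        print(f"{name:34s} default-allow={dumb:5s} default-deny={smart}")
```

The last sample packet is the point of the exercise: a service nobody wrote a rule for (port 8080 on an ordinary workstation) sails through the default-allow policy and is stopped by the default-deny one. Note also that both policies let outsiders reach port 25 on the mail host directly, which is exactly the exposure the proxy section argues against.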
