The internet is a dodgy neighbourhood. You know those stories older people tell about the small villages they grew up in where you could always leave your door unlocked? The internet is not that place. On the internet, you need a strong deadbolt, possibly two, along with a bouncer outside. Preferably with a pitbull. What's the technology equivalent of that? A firewall.
A firewall is a gatekeeper for your network. It protects your computers and devices from outsiders who want to steal, corrupt or otherwise alter your data. They could also install malware on your computers or cripple your network. A firewall stops them by using pre-configured rules to decide which network traffic makes it to the computers in your infrastructure.
You can install a firewall in different ways. Some of them come embedded into a router, although these often have limited packet filtering capabilities. They do a basic job of either blocking or allowing network packets based on their source, destination, and traffic type. At the bare minimum, they let you forward traffic on specific network ports to pre-defined computers on your network. This is the equivalent of giving a trusted business partner a direct line to someone in the company, and you might use it to grant access from a customer's videoconferencing system to the one in your boardroom. Opening network ports is not to be taken lightly.
You can also install a firewall as a dedicated appliance on its own hardware. Or you can just use it as a software application and run it on your own PC hardware, if you have the technical ability to set it up.
Basic packet filtering will stop people who are just rattling the doors of your network, but firewalls have evolved a lot since then to cope with new threats. For example, proxy firewalls work at the application level rather than the network level. A common use for a proxy firewall is to filter web traffic. While it generally lets web browsers receive traffic so that employees can browse, it might block traffic from inappropriate sites, preventing them from browsing time-wasting social sites or porn.
It's all well and good blocking employees from looking at things they shouldn't, but what about attackers who want to use your own software against you? Hackers often pose as legitimate users when visiting a company's web site, but they use tricks like entering code into online forms to see if they can break them.
Enter the granddaddy of all firewalls: the stateful packet inspection application firewall. This is a form of proxy that adds more protection by examining every part of a network packet to look for suspicious content. Unlike simple packet filters, it also looks at packets in context. A single network packet is just one part of a much bigger conversation (there are usually thousands of network packets in a single web browsing session). By looking at all the packets together over time, the firewall can better understand what's happening, blocking hackers and online bots.
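To make the difference between a basic packet filter (the router-style filtering and port forwarding described earlier) and a stateful firewall concrete, here is a small added simulation. It is not code from the original article and not any real firewall product; the addresses, ports and packet sequence are constructed for illustration (documentation address ranges, a made-up partner system and boardroom host). The stateless filter judges each packet on its own, so it has to let in anything that merely looks like a reply to the LAN's own browsing. The stateful version records outbound connections in a table and only admits inbound packets that belong to a conversation it has already seen, or that arrive on the one deliberately forwarded port.

```python
"""Toy packet filter: stateless rules versus a stateful connection table.

Added example. All addresses and ports are constructed for illustration;
203.0.113.0/24, 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the internet, "out" = leaving the LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str       # TCP flags as text, e.g. "SYN", "SYN-ACK", "ACK"

    def has(self, flag: str) -> bool:
        return flag in self.flags.split("-")


# Assumed (constructed) hosts: a trusted partner's videoconferencing system
# and our boardroom system, reachable from outside via a single forwarded port.
PARTNER_IP = "203.0.113.10"
BOARDROOM_IP = "192.0.2.20"
FORWARDED_PORT = 5061


def is_forwarded(pkt: Packet) -> bool:
    """The one explicit port forward: partner system -> boardroom system."""
    return (pkt.src_ip == PARTNER_IP and pkt.dst_ip == BOARDROOM_IP
            and pkt.dst_port == FORWARDED_PORT)


def stateless_decision(pkt: Packet) -> str:
    """Basic packet filter: each packet is judged alone, default deny inbound.

    Outbound traffic is trusted. Inbound traffic is allowed on the forwarded
    port, or if it carries the ACK flag, which a stateless filter must accept
    so that replies to the LAN's own browsing get through. It cannot tell a
    genuine reply from an unsolicited packet that merely sets ACK.
    """
    if pkt.direction == "out":
        return "allow"
    if is_forwarded(pkt):
        return "allow"
    if pkt.has("ACK"):
        return "allow"
    return "deny"


class StatefulFirewall:
    """Tracks connections so inbound packets are judged in context."""

    def __init__(self) -> None:
        # Entries are (lan_ip, lan_port, remote_ip, remote_port).
        self.table: set = set()

    def decision(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # A new outbound connection opens with a bare SYN; remember it.
            if pkt.has("SYN") and not pkt.has("ACK"):
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: is this part of a conversation we have already seen?
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:
            return "allow"
        # Only a fresh SYN on the forwarded port may start a new inbound session.
        if is_forwarded(pkt) and pkt.has("SYN") and not pkt.has("ACK"):
            self.table.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return "allow"
        return "deny"


def run_scenario() -> List[Tuple[str, str, str]]:
    """Feed a constructed packet sequence to both filters; return decisions."""
    lan_pc, web_server, stranger = "192.0.2.5", "198.51.100.7", "203.0.113.66"
    sequence = [
        ("lan-browse-syn-out",  Packet("out", lan_pc, 51000, web_server, 443, "SYN")),
        ("web-server-reply-in", Packet("in", web_server, 443, lan_pc, 51000, "SYN-ACK")),
        ("unsolicited-ack-in",  Packet("in", stranger, 4444, lan_pc, 22, "ACK")),
        ("unsolicited-syn-in",  Packet("in", stranger, 4444, lan_pc, 22, "SYN")),
        ("partner-vc-syn-in",   Packet("in", PARTNER_IP, 40000, BOARDROOM_IP, FORWARDED_PORT, "SYN")),
        ("partner-vc-ack-in",   Packet("in", PARTNER_IP, 40000, BOARDROOM_IP, FORWARDED_PORT, "ACK")),
    ]
    stateful = StatefulFirewall()
    return [(label, stateless_decision(p), stateful.decision(p)) for label, p in sequence]


if __name__ == "__main__":
    print(f"{'packet':22} {'stateless':10} stateful")
    for label, a, b in run_scenario():
        print(f"{label:22} {a:10} {b}")
```

The third packet is the one that matters: an unsolicited inbound packet to a LAN host that only looks like a reply sails through the stateless filter but is dropped by the stateful one, because no outbound connection ever created a matching table entry. Everything else, including the deliberately forwarded videoconferencing port, is treated the same by both. Real stateful firewalls also expire table entries, track sequence numbers and handle UDP and ICMP, which this toy omits.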
Application and network firewalls have evolved to include other capabilities over time, like malware scanning and virtual private networks. Some of the more advanced application firewalls now even profile traffic over longer periods of time to learn what a legitimate session looks like so that they can better spot unusual activity.
That's all great, and it can help you to shore up security on your network, but be warned that a little firewall knowledge is a dangerous thing. The more sophisticated a firewall gets, the more complicated it is to set up. The worst thing you can do is misconfigure a firewall so that it lets attackers into your systems without you realising. When implementing these powerful systems, your first investment should be in the technical expertise to use them properly.