Once upon a time, a few people decided that they wanted to share their computer systems, so they laid cables all across the country to interconnect their computers. They wanted to form a union where they could share their computers in different time zones so that CPU time could flow freely between them. Hackers created the network, and they saw that it was good. And the users did rejoice, and connected themselves from coast to coast to use one another's systems, send messages to SF-LOVERS and enjoy life on the Net.
The network grew over the years, and more and more systems joined it for the common good. Tourism flourished, every man his own armchair-tourist. Everyone sought CPU time on others' systems. Passwords did not exist. No one knew what a cracker was.
Suddenly, the network was so huge, the systems so many, that the number of hackers was not enough. Users found themselves alone on their systems, left to their own devices and their company management. Then somebody was seized with the fear that others would ruin something and began blocking out tourists, setting passwords to keep others from accessing what had once been common resources.
Suspicion spread: More and more users felt it necessary to put ID checks on their systems. Soon, no one but a handful of die-hard hackers thought there was anything strange about passwords and encryption.
Suspicion bred spite. Some individuals tried to use the ID checks and security systems for their own purposes, trying to convince the systems that they were other users.
They came to be called 'crackers,' spiteful individuals who wanted to break into systems for their own purposes, without wanting or even seeing the old feeling of camaraderie.
Security checks were developed. Soon, protocols were available on the network to ask a remote system which user was behind a given network connection (IDENT), along with smart cards (CP/8), one-time passwords (S/Key) and similar things (SSH, PGP). This development included the creation of firewalls.
A firewall in a network works just like a firewall in the construction industry: Since it has no holes, it prevents a fire from spreading. In this case, the fire is the spiteful individuals and their programs.
Take a relatively large computer, add at least two network interfaces, and with the correct software, you have a bridge between two networks that lets all traffic pass from the one to the other. Block this bridge and you have a firewall.
However, this firewall is of limited benefit, because it prevents data packets from coming in as well as going out. This makes the connection between the internal network, which you are trying to protect, and the external network, which you want to reach, completely pointless. No traffic can move between them.
So, instead of completely cutting off traffic between the external and internal networks, we equip the firewall with software to filter the traffic. Most anything is allowed to come out, but the road in is extremely restrictive.
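As an added illustration of that asymmetric policy (this is example code written for this page, not from the original article), the following Python model of a two-interface filter lets anything out, lets back in only the replies to connections that were opened from inside or new connections to services deliberately published, and drops everything else. It goes a little beyond the text by also remembering outbound flows (a stateful filter) and by refusing packets whose source address does not belong on the interface they arrived on; the network 10.0.0.0/8, the addresses, the ports and the "int"/"ext" interface names are all constructed.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # constructed: the protected network

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "int" or "ext"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # True for the first packet of a TCP connection

def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE

class Firewall:
    """Out is open; in is only replies or deliberately published services."""
    def __init__(self, published=()):
        self.published = set(published)  # (internal_ip, port) opened on purpose
        self.flows = set()               # connections opened from inside

    def decide(self, p: Packet) -> str:
        # Anti-spoofing: a source address must match the interface it came in on.
        if p.iface == "ext" and is_inside(p.src):
            return "DROP"
        if p.iface == "int" and not is_inside(p.src):
            return "DROP"
        if p.iface == "int" and not is_inside(p.dst):
            # The road out: allow, and remember the flow so the reply can return.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if p.iface == "ext" and is_inside(p.dst):
            if (p.dst, p.dport, p.src, p.sport) in self.flows:
                return "ACCEPT"  # reply to a connection opened from inside
            if p.syn and (p.dst, p.dport) in self.published:
                return "ACCEPT"  # new connection to an exposed service
        return "DROP"            # the road in is closed by default

def demo():
    fw = Firewall(published={("10.0.0.25", 25)})  # only the mail server is reachable
    return [
        fw.decide(Packet("int", "10.0.0.7", 40000, "203.0.113.5", 80, True)),   # ACCEPT
        fw.decide(Packet("ext", "203.0.113.5", 80, "10.0.0.7", 40000, False)),  # ACCEPT
        fw.decide(Packet("ext", "203.0.113.9", 5555, "10.0.0.7", 22, True)),    # DROP
        fw.decide(Packet("ext", "203.0.113.9", 5555, "10.0.0.25", 25, True)),   # ACCEPT
        fw.decide(Packet("ext", "10.0.0.99", 1234, "10.0.0.7", 22, True)),      # DROP
    ]
```

Note that without the flow table the second packet (the web server's reply) would have to be dropped too, which is exactly the "no traffic can move" situation of the fully blocked bridge.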