Update March 2020 (had a major Edit)
This might seem a bit geeky but I’ll try to keep it simple, feel free to checkout Wiki for a more comprehensive description of Firewalls.
Basically, Firewalls are classified as “Software Firewalls” and “Hardware Firewalls”.
Software Firewalls (a.k.a. Personal Firewalls)
These are software (programs / applications) that you install on your PC or each of your PCs. There are quite a few good ones but not all work as good as one would hope! Some are part of an “Internet Security Suite”. The firewall built-in to Windows 8 was a game changer. I used to have reservations about using “built-in” firewalls as I tended to be of the opinion that a dedicated software firewall vendor would be more expert at security! Then along came Windows 10, the built-in firewall is awesome and is part of the built-in “Windows Security”. IMO, you don’t need anything else. Microsoft are the experts with Windows and keeping it secure.
A Hardware Firewall is a separate stand-alone device that just sits there on guard 24/7. In principle it is a router and all network traffic going out to the Internet or coming in from the Internet has to pass through this box, bit like a turnstile.
Technically speaking, the “box” does indeed contain a “software Firewall” but the main difference is that the box is designed to only do the job of a firewall – nothing else and the OS (Operating System) is usually Unix / Linux. If you have read the Basic and Advanced security pages, you might realise that a “Hardware Firewall” is a device that offers protection for your LAN and fits in between the Internet Gateway (ISP Router) and the switch you use to create a LAN. This means that it doesn’t matter how many PCs /network devices you have, all network traffic to and from the Internet Gateway has to pass through this box and will be subject to “rules”. The rules will be based on either the older” IP Chains” or more commonly the more modern “IP Tables” (sorry I’m getting geeky). Hardware Firewalls can cost hundreds of £s but there are a few FREE (Open Source) ones. The Free ones normally involve using an old PC that has 2 or more network cards and some version of Linux / Unix (Non Windows Operating system). All hardware Firewalls will need configuring, including the FREE ones and this is not a job for the feint hearted. Smoothwall (free) is usually configured so that you don’t need to alter anything unless you have situations where you need to amend the settings but the on-line forums are friendly and very helpful. So if you want a highly configurable hardware firewall and you have an old / spare PC, you just down load the “image” and install it, setting up is generally easy but if you are new to Linux, it might be a steep learning curve.
The Internet Gateway / router supplied by your ISP will have the basic rudiments of a Firewall and will have at the least something called NAT (Network Address Translation) Basically NAT hides your internal IP address so the websites you visit will only know about your “public /WAN IP address”. The Internet Gateway will probably include a 2 or 4 port switch and quite often it include a WAP (Wireless Access Point). I would suggest you use this for “Guests” that need a WiFi Internet connection but you don’t want them to access your LAN.
For situations where the devices on your LAN use WiFi, I suggest using a stand-alone WAP and connect this to the switch.
Generally the ISP supplied Internet Gateway offers “Border protection” and will keep most intruders out of your LAN.
If you want to beef up your security and give your LAN better intruder protection, you have a choice :-
a. Purchase a Hardware firewall, range in price from about £100 to £200. The advantage is that it will be a small device and fairly quiet, a disadvantage is the possibility of not being able to install newer versions of the “OS”.
b. Use an old PC and install an extra NIC then install Linux Smoothwall or similar, cost about £10 or less. The advantage is obviously cost but you will be able to carry out software and OS updates to keep current. If the spare PC dies, just install on a different spare PC 🙂