A firewall is a device that separates two network segments and filters the flow of packets between them.

In general, firewalls are routers (routed firewall) but they can be between separate physical parts of the same subnet. This is known as a transparent firewall. In this scenario, you would have two switches, each connected to different interfaces on the transparent firewall. The advantage of this is that the firewall can be removed and the two switches connected together if necessary. This won’t work for a routed firewall because the two parts are in different subnets and still need a router. Either type of firewall is much slower than a network switch and most routers when they are not firewalled

A simple firewall will track outgoing requests (for example an http request for a webpage) and will allow the return traffic – this is known as a stateful firewall. It will also allow specified traffic to pass from the unsafe to the safe interface if it conforms to certain rules (port, protocol, source IP address etc)

This sort of firewall is good for the segment boundary but is inadequate for the interface to the internet. For that, a next generation firewall (NG firewall) is required. This will check each packet against regularly updated lists of threats. NG firewalls need an annual subscription. Popular models include Cisco, Fortinet and PaloAlto