
HACKSTOMPER©

    • Types of Firewalls

The marketplace offers a bewildering array of firewall options, ranging from software-only firewalls that run on the single machine they are intended to protect to hardware-based firewalls designed to handle the load for amazon.com or other very large Internet sites. A firewall for a small to medium-sized business usually needs capabilities far beyond those of a software-only firewall, but doesn't need to handle the amount of traffic large businesses encounter.

Software-only firewalls that run on each PC at a site give the illusion of protection. If the hacker's communications have already hit a target machine, it's a bit late to take action. The real-world analogy is allowing the thief to get inside the bank vault before attempting to eject him. Possible, but fraught with problems.

The next class of firewall is the firewall appliance. Any device that contains a preprogrammed set of rules intended as a one-size-fits-all solution falls into this category. Internet routers, cable modems, and other hardware devices sometimes offer rudimentary firewall capabilities that can be beneficial, if the purchaser activates them and knows how to configure them. Most of the time these devices are purchased and never configured, so the firewall capability is essentially nonfunctional. Even if they are configured, their capabilities are usually limited to treating all the machines at a site in an identical way. Treating the accounting server and the data entry clerk's machine equally can't reasonably be considered proper protection for either one.

Computer-based, software-controlled firewalls are the ideal solution for small and medium-sized businesses. One or more networks of up to several hundred machines can be placed behind such a firewall. This category consists of a commodity PC and firewall software, which together provide the basis for the device. Once installed, the firewall software needs to be configured properly, or else this class of firewall is as ineffective as the appliance class.

Rules are defined that control the flow of information, and those rules vary from one business to the next. Just as no two computer networks are identical, no two sets of firewall rules can be identical. Any attempt to force conformity in the rules simply ignores the obvious differences between sites, and results in a firewall that fits as well as a one-size-fits-all suit of clothes. The key to this class of firewall is the rule set that is designed to control how the firewall functions. Over time, the rule set may need to be altered to accommodate changing business practices or newly discovered Internet threats.
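The contrast between an identical-treatment rule set and a site-specific one, as an added example that is not part of the original page: a first-match rule evaluator with a default deny, run over the same flows under both policies. The addresses, ports, host roles and the individual rules are assumptions constructed for illustration.

```python
# Added example: first-match rule evaluation with a default deny.
# All addresses, ports and host roles below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination TCP port; None matches any port

    def matches(self, src, dst, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))

def decide(rules, src, dst, dport):
    """Return the action of the first matching rule; deny when none match."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"

ACCOUNTING, CLERK, OUTSIDE = "10.0.0.10", "10.0.0.50", "203.0.113.7"
LAN, ANY = "10.0.0.0/24", "0.0.0.0/0"

# One-size-fits-all: every LAN machine gets the same treatment.
UNIFORM = [Rule("allow", LAN, ANY, None),   # anything outbound or LAN-internal
           Rule("allow", ANY, LAN, 443)]    # inbound HTTPS to every host

# Site-specific: each machine gets only the rules its role needs.
PER_HOST = [Rule("allow", CLERK + "/32", ACCOUNTING + "/32", 1433),  # clerk to accounting DB
            Rule("deny", ANY, ACCOUNTING + "/32", None),    # nothing else reaches accounting
            Rule("deny", ACCOUNTING + "/32", ANY, None),    # accounting initiates nothing
            Rule("allow", CLERK + "/32", ANY, 443)]         # clerk may use HTTPS outbound

FLOWS = [(OUTSIDE, ACCOUNTING, 443), (OUTSIDE, CLERK, 443),
         (CLERK, ACCOUNTING, 1433), (ACCOUNTING, OUTSIDE, 443),
         (CLERK, OUTSIDE, 443)]

def audit(rules):
    """Map each constructed flow to the decision the rule set gives it."""
    return {flow: decide(rules, *flow) for flow in FLOWS}

if __name__ == "__main__":
    for name, rules in (("uniform", UNIFORM), ("per-host", PER_HOST)):
        for (src, dst, port), action in audit(rules).items():
            print(f"{name:9} {src:>12} -> {dst:<12} tcp/{port:<5} {action}")
```

Because evaluation stops at the first match, the order of the per-host rules matters: the clerk-to-accounting allow must precede the blanket deny on the accounting server.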


Finally, we arrive at hardware-based firewalls for very large, high-volume sites. This class of firewall is similar to the previous class in its basic operation. The real difference is in the type of hardware used and how the software is executed. A very specialized and optimized computer forms the hardware platform, and the firewall software is often "burned" into chips so that it operates at much greater speeds. These devices must also be properly configured for any given situation, or else they too are little more than a revolving door for Internet traffic.

Many very high-dollar hardware-based firewalls have been purchased and never properly configured. These sites, usually Internet commerce sites storing credit card information, are the hacker's dream opportunity. Hardware-based firewalls also suffer from one other shortcoming. Because they are hardware based, they are also hardware limited over time. When the manufacturer decides to no longer offer upgrades to an older platform, that expensive box can't even be reconfigured to become someone's workstation. It becomes an expensive boat anchor. Large corporations may be more able to accept this as a cost of doing business than their smaller counterparts.