To determine whether your organization needs a firewall for Internet security, you must first assess the risks of your Internet connections. The four most common types of Internet connectivity in organizations are
Although all these connections represent a potential security hazard, the riskiest are those that use TCP/IP as the end-to-end transport mechanism. The risk arises because TCP/IP carries a wide range of services end to end, including services that hackers use. Full-time leased lines and dial-up PPP connections use such end-to-end TCP/IP connections. UUCP and online service provider connections are generally safer because they use specialized transport protocols for part of the connection. Such specialized transport protocols usually support only the intended application and so limit the number of attacks possible over the connection.
Note that individual accounts with online services can sometimes use TCP/IP as the end-to-end transport mechanism. If your organization uses such accounts for Internet access, you can expose your internal network to significant threats, even if your service provider implements security measures (e.g., a firewall between the service's system and the Internet). If online service provider accounts or dial-up PPP accounts are starting to appear in your organization, the time has probably come to move to a dedicated Internet connection that you can protect with a firewall.
Some ISPs provide a firewall service, which may be a cost-effective option for small companies. However, operating your own firewall lets you more easily meet users' Internet-access needs so they won't be tempted to secretly install dangerous dial-up accounts. Any organization that's large enough to have an internal IS staff and must provide Internet access beyond simple email needs a full, dedicated Internet connection that an onsite firewall controls. In addition, any organization that must tightly control access to or from particular departments or provide a dedicated network connection to an external organization over the Internet needs a firewall.