A brief overview of firewalls

A firewall is software that enforces an access control policy between an organization's internal network and the rest of the Internet. It may also be used for access control between two parts of the same internal network. A firewall blocks some Internet traffic and permits other traffic. Some firewalls are more restrictive than others. It's important to understand that a firewall implements a policy, so it's only as good as the policy it implements. If the policy is inconsistent or not well thought out, then a firewall may not provide good protection.

The main thing firewalls protect against is unauthorized login. In addition they may block some or all of the traffic coming from the outside, while permitting all or most of the traffic from the inside to the outside. The traffic that is usually permitted is e-mail (both to and from the network) and HTTP access from the inside to the outside of the firewall. Protocols that may or may not be permitted are FTP, SSL, database connections, and so on. In addition to access control, firewalls keep statistics of Internet packets and requests, and may be configured to issue a warning if some suspicious activity is going on.

There are two basic types of firewalls: network layer and application layer firewalls. Recently the distinction between the two has become somewhat blurry.

A network layer firewall decides which IP packets go through based on the source address, the destination address, and the port of the packet. The firewall doesn't look inside the packet. The firewall is located on a "bastion host", which is a specially designated machine that routes all the traffic to and from the organization's network.

A demilitarized zone (DMZ) is an area which is neither a part of the organization's network nor a part of the Internet. Usually it is the area between the Internet access router (the "entry" point of the network) and the bastion host. Many organizations put a web server in the DMZ because the server requires HTTP connections from the Internet to be able to answer HTTP requests. The other machines in the network do not require such connections, so a stricter policy may be enforced for these machines. A DMZ makes it possible to contain an attack on the web server so that it does not affect the internal network.
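The packet-filtering decision and the DMZ policy described in the two paragraphs above can be written down as a small first-match rule list. The following is an added example, not code from the original page: it assumes a constructed layout with an internal network 10.0.0.0/8, a DMZ 192.0.2.0/24 holding a web server at 192.0.2.10, and a mail server at 10.0.0.25 (all addresses are made up for the example). It permits inbound HTTP only to the DMZ web server, e-mail in and out, outbound HTTP, denies everything else by default, and counts denied packets per source so that a flood of blocked login attempts can raise a warning, as the page says firewalls may do.

```python
"""Added example: a first-match packet filter enforcing a default-deny
policy with a DMZ, plus a simple per-source denial counter for warnings.
All addresses and packets below are constructed for the example."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network             # matching source range
    dst: IPv4Network             # matching destination range
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """A network layer firewall looks only at addresses, protocol and port."""
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed network layout (hypothetical addresses).
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")
DMZ = ip_network("192.0.2.0/24")
WEB_SERVER = ip_network("192.0.2.10/32")   # lives in the DMZ
MAIL_SERVER = ip_network("10.0.0.25/32")   # internal mail host

# Rules are checked in order; the first match wins; no match means deny.
POLICY: List[Rule] = [
    Rule("allow", ANY, WEB_SERVER, "tcp", 80),    # HTTP from anywhere to DMZ web server
    Rule("allow", ANY, MAIL_SERVER, "tcp", 25),   # inbound e-mail
    Rule("allow", INTERNAL, ANY, "tcp", 25),      # outbound e-mail
    Rule("allow", INTERNAL, ANY, "tcp", 80),      # outbound HTTP
    Rule("deny", DMZ, INTERNAL),                  # a compromised DMZ host cannot reach inside
]

# A "back door" rule added for one application opens the whole internal
# network on that port; the filter faithfully enforces the weaker policy.
BACK_DOOR = Rule("allow", ANY, INTERNAL, "tcp", 22)


def decide(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule), or ("deny", None) by default."""
    for i, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def run_filter(packets: List[Packet], policy: List[Rule] = POLICY,
               alert_threshold: int = 3):
    """Filter a packet stream; warn about sources with repeated denials."""
    decisions = []
    denied_by_src: Counter = Counter()
    for pkt in packets:
        action, idx = decide(pkt, policy)
        decisions.append((pkt, action, idx))
        if action == "deny":
            denied_by_src[pkt.src] += 1
    alerts = sorted(s for s, n in denied_by_src.items() if n >= alert_threshold)
    return decisions, alerts


# Constructed sample traffic: outside host 198.51.100.7 browses the web
# server, sends mail, then tries three blocked services on internal hosts.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80),
    Packet("198.51.100.7", "10.0.0.25", "tcp", 25),
    Packet("10.0.1.5", "203.0.113.9", "tcp", 80),
    Packet("198.51.100.7", "10.0.1.5", "tcp", 22),
    Packet("192.0.2.10", "10.0.1.5", "tcp", 445),
    Packet("198.51.100.7", "10.0.1.5", "tcp", 23),
    Packet("198.51.100.7", "10.0.0.25", "tcp", 110),
]

if __name__ == "__main__":
    results, warnings = run_filter(SAMPLE_PACKETS)
    for pkt, action, idx in results:
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {action} (rule {idx})")
    print("warnings:", warnings)
```

Two points the run makes visible: the web server in the DMZ is reachable from outside only on port 80, and even if it were taken over it could not open connections into the internal network; and prepending the `BACK_DOOR` rule silently allows the blocked port 22 attempts, which is exactly the "only as good as its policy" caveat.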

Application layer firewalls are usually implemented by "proxy servers": hosts which perform elaborate auditing and recording of the traffic going through them. An application layer firewall is often used to rewrite IP addresses in order to direct packets to the right host inside the network, or to remove the names of specific internal machines from outgoing packets (replacing them by the address of the proxy server). Effectively, a proxy server "imitates" the Internet for the internal network, and imitates the internal network (which then "looks" like just one machine) for the outside world. Application layer firewalls work on an application-by-application basis, i.e. one can distinguish a proxy FTP server, a proxy web server, and so on.

While firewalls help protect the internal computers, one should not rely on a firewall alone for protection. Firewalls do not protect against viruses and Trojan horses which get through as part of an e-mail message or attached to a program, often copied from a floppy disk or a CD. Firewalls cannot protect against users who do not keep their passwords secure. One typical way of getting into a network is to find out or reset a password by calling the support services and pretending to be a contractor or a user who forgot their password.

A firewall should be used correctly. In particular, one shouldn't allow "back doors" through the firewall for specific applications, shouldn't turn off or ignore warnings and traffic logging, and shouldn't allow user accounts on the bastion host: the more users there are, the greater the chance of a hacker finding out someone's password.


This page has been created and is maintained by Elena Machkasova
Comments and suggestions are welcome at emachkas@wellesley.edu

Spring Semester 2002