A networked computer receives data in the form of "packets", which are specially labelled containers of data. No two packets are labelled the same. In reality a packet consists mostly of various labels needed to address it from one computer out of many millions to another, with very little actual data in it.
(That's why a simple file requires such a long download over a phone line connection).
Think of a long railway train coming to your town with freight cars loaded with all sorts of stuff, even though only a few parcels are actually meant for you personally.
Now, problems happen because packets can be intentionally corrupted in ways that cause them to severely mess up the receiving computer. Attackers have learned thousands of ways to make that happen.
Back to our railway train: consider that a few of the parcels have had their labels intentionally messed up so that you will get them even though you did not order them. They happen to contain bombs that will go off when they are opened, and they are on their way to your house.
A firewall works at the packet level to judge whether packets are acceptable or not, based on a clear set of rules. If a packet passes all the tests, it is let through. If not, it is dropped (gone forever). Firewalls must be kept up to date because intentional packet corruptions get more and more clever. If you do not update your firewall software on a regular basis you are therefore at risk.
Back to our railway: at the station a yard marshall sees the cars on a train as they pass by and determines which cars should go where in the yard, then he routes them to the proper places. He obviously does not know (or care) exactly what is inside the cars. He also has a team of railway police that patrol the fence for criminals trying to sneak in, but the cops don't look inside the cars. This is a lot like how the Internet operates.
As the bomb problem gets worse, railway companies decide to start scanning all parcels for bombs, but its such an impossibly complex job that they leave it up to the folks at the receiving station or else the entire system of railways would be bogged down to a crawl. The individual station masters decide to do the scanning locally at their end, but because its such an impossibly huge job they decide that in order to keep the cargo moving they will only scan envelopes of mail and not most parcels.
The scanning is more like Anti-Virus software, not firewalling. Your Internet Service Provider certainly has a professional grade firewall system, and probably does anti-virus scanning of email to some extent, but just cannot scan all data going though it to and from your computer. This is why you also need to have updated Anti-Virus software on your Windows PC. Remember, Anti-Virus scanning is not Firewalling, and Firewalls do not scan for viruses (unless they are a combined product).
Over time, railway station scanners discover all bombs made in a certain design pattern, and everyone rejoices that the problem has been solved.
BUT... the bombers get really clever and figure out how the scanners work and design new bombs that cannot be detected yet. They also switch to using minibombs that are much harder to detect. Not only that, but on the outside of the railway yard's fence are criminals who constantly look for holes so that they can get past the cops, get inside, and steal all the great Home Theater equipment in the cars while they plant more minibombs. The railway is fighting a losing battle, and people in the press are whipping up hysteria.
New companies spring up with trained security guards who are hired to stand on your doorstep and scan every envelope, parcel, and package that comes into or out of your house. One guard is given a detailed list of what stuff is allowed, and the remainder is incinerated in the back of his truck regardless of all the time and expense to get it to your doorstep. The other guard takes everything that has been allowed past the first guard and passes it through a detailed scanner. If something inside looks like the stuff that guard has been trained to stop, the guard sounds the alarm and measures are taken to protect your home according to the rules he has been given.
WIndows PC users need to have a personal firewall because you need to prevent maliciously crafted packets from entering your computer from the network. You also need to have top notch Anti-Virus software to scan what makes it past the firewall.
Our two guards on the doorstep unfortunately were not given any communication capabilities, so after a while new types of minibombs arrive, and even though the guards are doing the best job they possibly can, the minibombs start getting through.
You MUST keep the firewall and the Anti-Virus software updated so that the rules and descriptions do not get out of date.
Back on the doorstep, the guards have noticed that minibombs continue to detonate all around them, even though the guards now have shiny new radios and are updated regularly on new defences.
It turns out that there is a much bigger problem that the two guards, no matter how well prepared, cannot defend against: your house has all sorts of holes in it called Windows. The architects of your house have made the structure of it so dependent on its Windows that they cannot be removed, and if they are boarded up the occupants of the house will die because the Windows cannot be opened to let air through. Regardless of the two guards on the doorstep, the house is not capable of being protected!
Across the street the Macintoshes have a different kind of house that is much, much safer, and throughout town the banks, stores, commercial properties, and the homes of the architects and builders themselves are usually made of either UNIX or Linux armor plating, or have Mainframe vaults.
Sadly, even some of those professional sites installed Windows, so huge amounts of time and money have had to be spent to try to get them as secure as UNIX, Linux, and Mainframes, but it just never happens. Nobody seems to question why those Windows installers haven't been fired, but they have the best lawyers on the planet .
Also, there's a whole cottage industry in security that is dependent for its livelihood on the fact that Windows are fragile, so the politicians don't want to jeopardize those jobs.
Once inside your home, some of the minibombs bury themselves into your outgoing mail and parcels, and pretty soon everyone in your address book has been mailed minibombs. They themselves start mailing minibombs, and pretty soon everyone with Windows is doing it.
The biggest problem with Firewall and Anti-Virus software packages is that they cannot defend against certain exploits that attack Windows itself. They cannot understand how to analyze certain programs that pass through them. They cannot be told to stop all such programs because that would mean shutting down your Internet capabilities completely.
Just to be sure, you phone the original manufacturer of the Windows to see what solution they offer, but the solution they provide only opens up more Windows to attack!
Microsoft Windows is always left open to attack through the Internet Explorer browser even after all the patches have been applied. There is no fix because the hole is at the very center of the product. It was designed that way.
Then one day a salesman drives up and shows you a new product that replaces your Windows with more heavily constructed, less failure prone ones that have screens that stop the minibombs but still let the air through so that everyone can safely breathe. He points out that while it would be best for you to move to a home like the Macintoshes or even to Linux armor, you like your present house so you take his advice and switch over to one of his new products. The minibombs die off, and you give the salesman a regular call to come over and visit to update them with the latest new materials.
The Mozilla Firefox and Opera web browsers tend to be faster, have more customizable features, and are much more secure than the Microsoft Internet Explorer web browser. They also require patching and updating, but they are vastly more secure than IE.