Computer security is mostly the same. You have passwords on accounts to try and prevent unauthorized use, but you still have to worry about unauthorized people who can pick the lock if the lock was cheap (e.g. a poor password was chosen and someone guessed it) and people can still break in through the window (e.g. someone finds a bug in a program like finger, sendmail, etc).
One concept which is useful to computer security is that of perimeter security. This concept is quite easy to understand: simply think of castles or military bases. They typically only have a small number of entrances which are the only way in. If someone wants admittance, they must present themselves at the gate and identify themselves to the satisfaction of the guards. If someone tries to get in any other way, they will be stopped by the various fences, walls, or barriers surrounding the installation. The concept extends itself quite readily into the computer world: before anyone is allowed in the internal network (e.g. castle) to access the computers (e.g. rooms) they must identify themselves to a perimeter security device (e.g. guard) like a firewall or passworded modem. If you can ensure that those are the ONLY ways in to the internal network, then if you can sufficiently guard that small number of access points, you can guard all of the machines on the network. The people outside the perimeter may be people on the Internet, the people down in the accounting department, or both. Whoever they are, they should not have access unless you allow it.
Of course there is much more to computer security than simple network perimeter security. You need to worry about physical security (since people might be able to physically walk into your building and gain access to the computer) and, once authorized users are on the machine, you need to control what files they can read and modify, what devices they can use, etc. However, for purposes of this discussion, we are restricting the topic to perimeter security since that is all that a firewall can do.
Packet filter gateways are usually comprised of a series of simple checks based on the source and destination IP address and ports. They are very simple to the user since the user will probably not even realize that the checks are taking place (unless of course the connection was denied!!). However, that simplicity is also their biggest problem: there is no way for the filter to securely distinguish one user from another. Packet filters are frequently located on routers and most major router vendors supply packet filters as part of the default distribution. You may have heard of smart packet filters. Smart packet filters are really not very different from simple packet filters except they have the ability to interpret the data stream and understand that other connections which would normally be denied should be allowed (e.g. ftp's PORT command would be understood and the reverse connection allowed). Smart packet filters, however, still cannot securely distinguish one user on a machine from another. Brimstone incorporates a very smart and configurable application layer filter.
Circuit-level gateways are much like packet filters except that they operate at a different level of the OSI protocol stack. Unlike most packet filters, connections passing through a circuit-level gateway appear to the remote machine as if they originated from the firewall. This is very useful to hide information about protected networks. Socks is a popular de-facto standard for automatic circuit-level gateways. Brimstone supports both Socks and a manual circuit-level gateway.
Application gateways represent a totally different concept for firewalls. Instead of a list of simple rules which control which packets or sessions should be allowed through, a program accepts the connection, typically performs strong authentication on the user which often requires one-time passwords, and then often prompts the user for information on what host to connect to. This is, in some senses, more limited than packet filters and circuit-level gateways since you must have a gateway program for each application (e.g. telnet, ftp, X11, etc). However, for most environments it provides much higher security because unlike the other types of gateways, it can perform strong user authentication to ensure that the person on the other end of the IP connection is really who they say they are. Additionally, once you know who you are talking to, you can perform other types of access checks on a per-user basis such as what times they can connect, what hosts they can connect to, what services they can use, etc. Many people only consider application gateways to be true firewalls, because of the lack of user authentication in the other two types. The core Brimstone ACL provides application gateway functionality.
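The contrast between the packet filter and the application gateway described above, as an added example (not Brimstone code): the filter decides on addresses and ports alone, so two users on one host get the same verdict, while the gateway decides per authenticated user. The rule table, addresses, user names and ACL layout are constructed for illustration.

```python
import ipaddress
from datetime import time

# Constructed packet-filter rule table: first match wins, default deny.
# (action, source network, destination network, destination port or None for any)
FILTER_RULES = [
    ("allow", "192.0.2.0/24", "10.0.0.5/32", 23),    # partner site -> telnet host
    ("deny",  "0.0.0.0/0",    "10.0.0.0/8",  None),  # everything else inbound
]

def packet_filter(src_ip, dst_ip, dst_port):
    """Decide on addresses and ports only; the user is invisible at this layer."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, port in FILTER_RULES:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and port in (None, dst_port)):
            return action
    return "deny"

# Constructed per-user ACL for an application gateway (hypothetical users).
USER_ACL = {
    "alice": {"hosts": {"10.0.0.5"}, "services": {"telnet"},
              "hours": (time(8, 0), time(18, 0))},
}

def app_gateway(user, authenticated, dst_host, service, now):
    """Decide per user, once authentication (e.g. a one-time password) has run."""
    entry = USER_ACL.get(user)
    if not authenticated or entry is None:
        return "deny"
    start, end = entry["hours"]
    if (dst_host in entry["hosts"] and service in entry["services"]
            and start <= now <= end):
        return "allow"
    return "deny"

def demo():
    # Two different people on the same multi-user host look identical to the filter.
    same_host = [packet_filter("192.0.2.10", "10.0.0.5", 23)
                 for _ in ("alice", "mallory")]
    per_user = [app_gateway(u, True, "10.0.0.5", "telnet", time(10, 0))
                for u in ("alice", "mallory")]
    return same_host, per_user

if __name__ == "__main__":
    print(demo())
```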
Hybrid gateways are ones where the above types are combined. Quite frequently one finds an application gateway combined with a circuit-level gateway or packet filter, since it can allow internal hosts unencumbered access to unsecured networks while forcing strong security on connections from unsecure networks into the secured internal networks. Recommended Brimstone configurations are hybrid firewalls.
However, sites which need to allow specific users at remote sites, or want higher security to ensure that no-one is performing an IP source address spoofing attack, need to use application gateways. The unfortunate side-effect is that the firewall is no longer transparent--users must perform logins and actions which would not occur if the application gateway were not there. The major problem with this is that non-standard or GUIified programs may not be physically able to be coerced into supplying the needed information to the gateway.
The above indicates why hybrid gateways are popular: they ensure that internal users, whom you presumably trust, are unencumbered with intrusive security while external users who are potentially trying to break in are forced to strongly identify themselves, possibly with some one-time password like one generated from a hardware token generator.
A firewall cannot control people who go around it. If perimeter security has been broken, for instance that same disgruntled employee plugged his phone line into a modem attached to his networked computer, he (or presumably anyone else) can dial that phone line and bypass all firewall checks. For effective firewall use, the network perimeter security integrity must be maintained.
A firewall cannot control people who physically walk up to a machine which is in the secured network and break in. Network firewalls do not have control over security gates and radar targeted machine gun replacements; mostly because the malpractice insurance would be too high :-)