The terms "two-tier" and "three-tier" firewalls do not have a hard-and-fast definition. They are applied to two different ideas. First off (and in the most widely used terminology), the tiers refer to the number of interfaces the firewall has. A two-tier firewall would have two interfaces: the inside (protected) network and the outside (big, bad, scary) network. A three-tier firewall would have inside and outside as well, but also includes a side interface for a protected Demilitarized Zone (DMZ). On your DMZ, you can put servers that need to be publicly accessible (such as Web servers, mail servers and DNS servers), but also need to be protected.
In its other usage, the tiers don't refer to interfaces, but instead the layers of firewalls you have. I admit, this usage is less common than that above. So, a two-tier firewall would be like a firewall sandwich. There is an external firewall, then a DMZ, then an inside firewall. With this architecture, you could block elements with much more flexibility. A three-tier architecture would include three firewalls: one on the outside and two different layers on the inside.
The ISP should have a firewall that restricts all connections to their protected host except those that are absolutely required. So, if the protected system is a Web server, it should only have TCP port 80 (HTTP) and, if required, TCP port 443 (HTTPS). Nothing else should be open. They could achieve this using packet-filtering firewalls or proxy firewalls. The type isn't particularly important here, just the filtering that is implemented and the performance characteristics of the system. A lot of ISPs use a simple packet filtering firewall, which is acceptable. Some use nothing at all, which concerns me!
For more information on this topic, visit these other SearchSecurity.com resources:
This was first published in February 2003