It is not a mandatory requirement...just a recommendation by US-CERT (for added protection) which says the following in the link you provided.
If possible, connect the new computer behind a network (hardware-based) firewall or firewall router.
A hardware based firewall
is really a software firewall running on a dedicated piece of hardware or specialized device (routers, broadband gateways) that sits between a modem and a computer or network. A hardware firewall is based on "Network Address Translation
" (NAT) which hides your computer from the Internet or NAT plus "Stateful Packet Inspection
" (SPI). It can provide a strong degree of protection from most forms of attacks coming from the outside (incoming traffic
). Hardware firewalls are easy to configure and can protect every machine on a local or home network. A hardware firewall typically uses packet filtering to examine the header of a packet to determine its source and destination addresses. This information is compared to a set of predefined or user-created rules that determine whether the packet is allowed (forwarded) or denied (dropped) on particular ports. They tend to treat any kind of traffic traveling from the local network out to the Internet as safe which can be a security risk.
With a software firewall
you have customized control and can specify which applications are allowed to communicate
) over the Internet from your computer. Programs that are not explicitly allowed to do so are either blocked or else the user is prompted for confirmation before the traffic is allowed to pass. Software firewalls generally offer the best measure of protection against Trojans and worms
but they are harder to configure and must share resources with other running processes which can decrease system performance. Many software firewalls have user defined controls for setting up safe file and printer sharing and to block unsafe applications from running on your system.
You may want to read Choosing a Firewall