Do I Really Need a Firewall?
I've heard conflicting reports on whether or not I should be using a firewall. Some people say they are only needed for dialup users. Others say you MUST have a firewall if you have a high-speed DSL or cable connection. Can you give me some advice on this?
What Happens When You Yell "MOVIE!" in a Crowded Firehouse?
Well all the firemen go running out into the streets, of course. Okay, it's a bad joke. But it illustrates the point that even people who are supposed to be experts in computer safety are often confused about firewalls. Here's the scoop on WHO needs a firewall, WHAT they do, and WHY you might be wasting your money on firewall software.
First, let's look at what a firewall is supposed to do. A firewall is hardware or software that limits access to a computer from an outside source. If your computer will ever be connected to the Internet, a firewall is an essential tool needed to prevent malware and hackers from accessing or damaging your computer.
So YES... you do need a firewall. Without a firewall, your computer can be compromised within SECONDS after connecting to the Internet. If you're a dialup user, it might take a little longer, but it will happen. The reason for this is the automated hacking drones that are constantly scanning Internet-connected computers, looking for any vulnerability.
What Kind of Firewall Do I Need?
The real question is "Do I need a software-based firewall or a hardware-based firewall?" If you have a high-speed Internet connection such as DSL, cable or fiber optic, then you should have a little black box inside your home, that was installed by the phone/cable company. This is sometimes called a modem, but in most cases it's actually a network router, or a combination modem/router. If you have a router with the NAT feature (Network Address Translation), you already have a hardware firewall which effectively makes your PC invisible to the attacking hordes. However, there are some cable internet providers that still install cable modems WITHOUT routers.
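To make the NAT point concrete, here is a toy model of a router's translation table, added as an illustration (it is not code from this article or from any router vendor). The addresses are constructed from documentation ranges, and the strict check on the sender's address and port is an assumption; real routers vary in how tightly they filter.

```python
# Added illustration: a toy model of a home NAT router's translation table.
# All addresses are constructed (RFC 1918 / RFC 5737 documentation ranges).
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed: the router's single public address


@dataclass
class NatRouter:
    next_port: int = 40000
    # public port -> (private ip, private port, remote ip, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A PC behind the router opens a connection; record the mapping."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:
                return PUBLIC_IP, pub_port      # reuse the existing mapping
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = flow
        # The remote host only ever sees the router's address and port.
        return PUBLIC_IP, pub_port

    def inbound(self, remote_ip, remote_port, pub_port):
        """A packet arrives from the Internet at one of the router's ports."""
        entry = self.table.get(pub_port)
        if entry is None:
            return None            # no mapping: unsolicited, dropped
        priv_ip, priv_port, exp_ip, exp_port = entry
        # Assumption: the router only accepts the exact host the PC contacted.
        if (remote_ip, remote_port) != (exp_ip, exp_port):
            return None
        return priv_ip, priv_port  # reply to a connection the PC started


def demo():
    router = NatRouter()
    seen_by_server = router.outbound("192.168.1.20", 51515, "198.51.100.7", 443)
    reply = router.inbound("198.51.100.7", 443, seen_by_server[1])
    scan = router.inbound("192.0.2.99", 6000, 3389)       # probe, no mapping
    stranger = router.inbound("192.0.2.99", 6000, seen_by_server[1])
    return seen_by_server, reply, scan, stranger


if __name__ == "__main__":
    print(demo())
```

Note that `outbound()` never refuses anything: the table only filters traffic arriving from outside, which is why NAT by itself does nothing about connections started from inside the network.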
If you're not sure that you have a NAT router with a built-in firewall, ask your internet service provider. You can also do a web search for your modem or router to find the manufacturer's specs or a review that answers the question. Most routers allow you to log in and customize the firewall settings, and also offer content filtering and parental controls. See my related article Securing Your Router for details on how to log in, as well as other router security tips.
If you have a dialup connection, where the telephone line connects directly from the wall socket to your computer, you definitely don't have a hardware firewall. So in the absence of a hardware firewall, you absolutely need a software-based firewall.
What About the Built-In Windows Firewall?
If you have Windows XP with the latest service pack, Windows Vista or Windows 7, then you already have a software firewall. Windows Firewall has been part of the operating system since 2004, and the default setting is ON. To check or change the firewall setting, click on Start / Control Panel / Security, then click on the Firewall link.
My position is this: If you have a hardware firewall, there is no need to run a software firewall in addition. It doesn't matter if you have a wired or wireless connection to your router.
If you do turn off the Windows firewall, you should tell Windows that you have your own firewall solution, or it will nag you about the firewall every time you start up your computer. For XP, click Start / Control Panel / Security Center. Then under Firewall, click the Recommendations box. On the next screen, check the box labeled "I have a firewall solution that I'll monitor myself." Follow these instructions for Vista or Windows 7 systems.
Other Software Firewalls
I know there is heated debate on this topic. Some people claim that you MUST have a software firewall to protect you from malware that might be trying to make an OUTBOUND connection for nefarious purposes. My position is that anti-virus and anti-spyware programs should be installed to remove and prevent the malware in the first place. Sure, you can use the Windows Firewall, or install ZoneAlarm, Black Ice, etc., but my experience shows that many users are confused and unnecessarily alarmed by the constant stream of "warnings" that these programs present.
Lots of good programs DO need to make outbound connections to the Internet. Your browser, email program, FTP client, media player, and any software that checks for available security updates will need access. So if you're not very careful you'll end up blocking them, and then they don't work correctly. I've also seen cases where software firewalls malfunction and either interfere with certain programs or end up blocking ALL connections. And don't get me going about all the times when a software firewall prevented access to a shared folder or a networked printer... arrgh!
But I will grant you this. Installing a software-based firewall as an extra layer of protection is not a bad thing. If you have kids in the house that are likely to click on or download almost anything, it could be helpful. See my related article on Free Firewall Protection for some excellent free software.
A Word About Laptops
If you have a laptop that's connected to the Internet through your home network, there's no difference in terms of the firewall setup. But if you take that laptop on the road and make a wired connection (as in a hotel room with a network cable) or go wireless (in the airport or a coffee shop), you are no longer protected, so it's a very good idea to turn ON your software firewall. See the instructions above for details on how to do this with the Windows Firewall.
To summarize, YES you need a firewall. My personal opinion is that if you have a hardware firewall, don't bother with a software firewall. Can you run both? Yes, but the "benefits" may be outweighed by the problems.
Do you have something to say about firewalls? Post your comment or question below...
This article was posted by Bob Rankin on 16 Aug 2011
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Do I Really Need a Firewall? (Posted: 16 Aug 2011)
Most recent comments on "Do I Really Need a Firewall?"
16 Aug 2011
You say in this article : "My position is this: If you have a hardware firewall, there is no need to run a software firewall in addition. It doesn't matter if you have a wired or wireless connection to your router.".
I've almost always agreed with what you've had to say, and I've learned a lot from your articles.
I feel the need to post and say that I consider that incorrect.
Here are a few reasons why, Number 1 : All routers for the most part come with "HARDWARE FIREWALLS" those aren't meant to protect the PC itself, they are meant to protect the software installed ON THE ROUTER, not the PC.
I've always used a Gateway setup. I can tell you from personal experience that you'd better leave your Firewall "SOFTWARE" on any Windows PC ON because Hardware Firewall are meant to protect the PC, it's meant to protect the hardware it was installed on, NOT THE ENTIRE INTERNET CONNECTION OR PC SYSTEM. There's no such thing IMO as a Hardware Firewall or Software Firewall. They are all Software and programmed Firewalls and they are placed where they should be, it's bad that people are given the option to turn them on or off honestly.
So many times people forget there is the Internet and then there is the Intranet. Perhaps someone else can elaborate on this better than me.
Like I said, the firewalls for the hardware are there as a "POWER BOX LOCK SO TO SPEAK" if you want to think in terms of a house, the Firewall on your PC is meant for all the WINDOWS on the PC. Sorry I'm bad at explanations but I am right on this. NEVER, EVER TURN OFF YOUR SOFTWARE PC BASED FIREWALLS, EVER!
Firewalls should be considered more or less "Locks on the door" : Not "DOORS", you have hardware Firewalls for routers - "Priority Locks" and you have Firewalls for systems "Meaning protecting the PC not the router".
JMO, Correct me if I am wrong.
Either way, I enjoy reading your threads Bob, I'm a fan, but I just don't think you're right on what you're saying here. For one reason I use a Linksys Cable Gateway and I contacted them directly about this matter and they told me "BY NO MEANS EVER TURN OFF THE FIREWALL BUILT INTO THE ROUTER" they also continued explaining how the firewall on the router protects the router setup/software, not the PC. And they said "Leave your PC Firewall on or you will have problems, because if the router was protecting everything then there would be no need for a PC Firewall". JMO.
EDITOR'S NOTE: Thanks for your thoughtful comment. The idea that hardware firewalls only protect the software installed ON THE ROUTER, not the PC, is incorrect. The primary function of the hardware firewall is NAT -- network address translation. That means that attackers, when trying to enter your PC via your IP address, will only "see" the router. They cannot detect what is connected to the router, because the IP addresses of those devices have been disguised (translated).
16 Aug 2011
I have a router with a firewall, but I still leave the Windows firewall on for the extra layer of protection. It rarely ever bugs me so why not. Plus I sometimes travel with my laptop, and I don't want to worry about forgetting to turn it on. If it messes with you about something legitimate you can easily add exceptions in the firewall settings. A Google search will link you to instructions on how to do it.
17 Aug 2011
To be fair, I was a bit hasty in my response. I have only used 2 Routers, or that is I should say Cable Gateways as they are called now, or that is a modem/router combination.
Here's the thing, if you get a Virus, your router firewall "At least the one I use anyway", it's not going to block outgoing traffic or give you any type of warning or notification that it's sending information to the bad guys.
This is very important, monitoring outgoing traffic or HIPS as some call it is very important.
That's the main thing I'm trying to get across here.
The thing about it, there are so many sites these days that are bogus and no matter what you do they say you require these so called flash upgrades and such "Which are bogus" and I never install them - I go straight to the real source for such add ons, but the problem is that's how they get behind your firewall, and your router firewall is not going to protect you from such things. Actually, Windows firewall unless modified isn't either. That is unless you use something like PCTools Threatfire, and or Sphinx Windows 7 Firewall control. Which is what I use, that's the only reason I mention that.
Bob, keep up the great work! I enjoy reading your articles, they've helped me out tremendously! I appreciate it.
If I am wrong here then I apologize, you know more than me no doubt about that. I just wanted to point out the importance of blocking outgoing traffic also.
I guess the bottom line is, be careful what you allow on your PC, if you don't allow nothing to be installed then IMO, yes you don't need nothing but incoming blocked connections, but if something gets behind your firewalls setup, and it's a router only setup then you're in for some problems I would think.
17 Aug 2011
Hello Bob. I've been reading your article about firewalling and I checked my router settings. I have a Linksys WRT54G2, and on the security tab the checkbox beside "Filter Internet NAT Redirection" is unchecked. Should this be checked? My son had some friends over playing XBox and I'm wondering if they changed something to be able to connect. Thanks. Jim
EDITOR'S NOTE: From what I've read, that setting does not turn on or off the NAT security feature. It's a poorly named and fairly obscure setting, but the default is off.
17 Aug 2011
Great article, Bob. I totally agree with you. I used to be a total devout follower of the "install an outgoing firewall" but even with my computer background (30 years now), I find it a complete hassle. It might provide some additional protection in letting you know about installed malware but the only good ones are a pain in the ass in how many questions they ask you and how often they ask you. And for inexperienced computer users (and you'd be surprised how many users that have been using computers for years are still inexperienced), it's a total nightmare.
18 Feb 2012
I always wondered how my computer wasn't compromised (at least not visibly) despite the firewall being off all the times. I suppose my fibre connection has a very efficient firewall. Very nice article!
18 Feb 2012
May I offer something? If you are worried about your computer's vulnerability on the Net, go to http://grc.com and try the Shields Up utility. It is a probe that probes all your ports. If you are behind a router, your ports (as are mine) should be nice and secure. Windows Firewall (or any software firewall) just gets in the way, and if you have a somewhat anemic machine, will just slow it down.
In a public place (internet cafe, coffee house, airport, hospital) however, they are essential.
07 Jun 2012
Hi Bob, I explain the firewall this way. Imagine you lived in a house with hundreds of doors. That all were unlocked and anyone could enter through any door for any purpose. Without a firewall, your computer is open to others on the internet. Now imagine you lock all your doors, but unlock only except for known essential ones. Further, that you place a security guard on each of these so that mail only comes in the mail slot; visitors via the front door etc. A firewall acts in a similar way, only leaving designated doors (ports) available and checking that what comes in is what it is supposed to be. Is this a reasonable analogy?
EDITOR'S NOTE: Let's give those security guards a list of people who are allowed in and out, and it's a great analogy!
03 Jan 2013
Hello Bob, I have a question regarding ports and the windows firewall. The thing is I deleted said firewall via "sc delete SharedAccess", and now my p2p client tells me the listening port is blocked. Can I unblock it? Will this become an issue with other programs? Thanks for your time.
EDITOR'S NOTE: Sounds like a System Restore might get you back to good.
23 Jul 2013
Guitar Player -- I must step up and correct you. A hardware firewall is not designed to protect the software on the router. It is, in fact, designed to protect the connected systems behind the firewall.
Firewalls come with various features and security levels. From multi-layer proxy-based systems that will keep a gnat from going in or out undetected, to your low end consumer "firewalls" that do little more than hide your computer using nat. (sorry, couldn't resist the pun)
Regardless of how secure you need to be, the firewall is designed to isolate and protect your internal network from the untrusted network -- usually the Internet. If you have a hardware firewall, Bob is 100% correct in asserting that you do not need a software firewall.
What you are getting confused on is software security products -- often misrepresented as "firewalls". This type of software is geared toward protecting an individual computer. Some security software will focus on protection only from rogue software such as malware and viruses. Other software will additionally close down ports and inspect traffic trying to get in or out of your computer (thus acting like a firewall).
Some security software is a true firewall, with the ability to turn your computer / server into a router and protect all networked systems accessing the Internet through it.
19 Dec 2013
This subject is likely closed, however, I follow your every move so it would assist me to have a list of your security protection. As I only have a 60gig hard drive I would likely have to pick and choose with windows XP. Best regards, john.