Firewalls are a critical component of keeping your machine safe on the internet. There are two basic types, but which is right for you?

I keep hearing about "firewalls" for my computer and that there are different types. Do I need one? If I do, what kind of firewall do I need?

The very short, very easy answer is: hell yes! Absolutely, positively you need a firewall.

With all that happens on the internet these days it's simply too risky to let your computer sit "naked" on the internet unless you really know what you're doing.

The real question is then: what do you need?

Heck, it's even possible you already are behind a firewall and don't need anything more.

Realize that a firewall is about protecting you and your computer from "them", where "them" means the malicious folk on the internet.

A correctly configured incoming firewall does not block your access out to the internet. You should be able to browse the web, for example, without interruption. The firewall prevents access from somewhere on the internet to your computer. That's not to say people can't send you email; they can because you access your mail through the internet by going out to get it when you download it. It does mean that people can't copy files directly to your PC or cause programs to be run on your machine remotely.
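
The behavior described above (outbound traffic and its replies pass, unsolicited inbound connections are dropped) can be sketched as a toy connection-tracking filter. This is an added example, not code from the original article; the Packet and InboundFirewall names, the sample addresses and the 60-second idle timeout are assumptions, and a real firewall also tracks protocol and TCP state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class InboundFirewall:
    """Toy stateful filter (hypothetical): outbound always passes,
    inbound passes only as a reply to a flow opened from inside."""

    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout
        self.flows = {}  # (local_port, remote_ip, remote_port) -> last-seen time

    def outbound(self, pkt, now):
        # Going out is never blocked; remember the flow so replies can return.
        self.flows[(pkt.sport, pkt.dst, pkt.dport)] = now
        return "ALLOW"

    def inbound(self, pkt, now):
        key = (pkt.dport, pkt.src, pkt.sport)
        last = self.flows.get(key)
        if last is None:
            return "DROP"  # nobody inside asked for this traffic
        if now - last > self.idle_timeout:
            del self.flows[key]  # stale entry: that conversation is over
            return "DROP"
        self.flows[key] = now
        return "ALLOW"


# Constructed sample addresses (private and documentation ranges).
PC, MAIL, STRANGER = "192.168.0.10", "203.0.113.25", "198.51.100.7"


def demo():
    fw = InboundFirewall(idle_timeout=60)
    return [
        ("PC goes out to fetch mail (POP3)",
         fw.outbound(Packet(PC, 50000, MAIL, 110), now=0)),
        ("mail server replies on the same flow",
         fw.inbound(Packet(MAIL, 110, PC, 50000), now=1)),
        ("stranger probes the file-sharing port",
         fw.inbound(Packet(STRANGER, 40000, PC, 445), now=2)),
        ("known server tries a port the PC never opened",
         fw.inbound(Packet(MAIL, 110, PC, 445), now=3)),
        ("reply arrives after the flow has idled out",
         fw.inbound(Packet(MAIL, 110, PC, 50000), now=120)),
    ]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{verdict:5}  {label}")
```

Only the first two packets pass: mail still arrives because the PC initiated the conversation, while everything that starts from the outside is dropped.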

Step one is to check with your ISP. Some actually do provide a certain amount of firewalling. AOL, if I'm not mistaken, is a fairly good example: they've set up their own private network and internet access is tightly controlled. The good news is that you may be well-protected. The bad news is that you have no control over it.

Most ISPs, however, do not provide any kind of firewall. What you get from them is a direct connection to the internet. That gives you the most flexibility and control but it also places the burden of protection in your lap.

The next question is do you need a hardware firewall - an additional device you place between your computer and your internet connection - or a software-based firewall - a program that you install on your PC?

In my opinion, if you connect via broadband such as cable or DSL then there's no question at all: broadband routers are inexpensive and act as firewalls providing an exceptionally high level of protection quite literally right out of the box. They're typically easy to set up and also have the flexibility to be carefully configured for more advanced uses such as running a web server from behind your firewall. I like the hardware approach because the routers are devices dedicated to their task and do not interfere with - nor can they be compromised by - your computer. You can read more about routers and how I'd set up a home network. Remember, a router will work just fine even if you have only one computer.

If you are on dialup or have some other reason for not wanting to go the hardware route there are software firewalls as well. In fact, Windows XP, Vista and 7 all include one by default. Even if you do nothing else and you're not sure what you really want to do, you should simply make sure that the Windows Firewall is turned on. Check in the "Security Center" in Control Panel.

There are many other popular firewall packages, though I typically recommend against all-in-one "Internet Security Suites" as provided by many manufacturers. Instead, a dedicated firewall such as Comodo or others might be well worth investigating.

One of the biggest differences with software firewalls, particularly third-party offerings, is the ability to provide outbound protection. As I said above, a firewall's primary job is to protect your computer from internet-based threats. However, if you've been compromised, an outbound firewall will often prevent the attack from spreading from your computer to others, and will alert you when something suspicious has happened. While I don't typically view an outbound firewall as absolutely necessary, it's another part of the puzzle that's at least worth considering.

Finally, when you believe you're protected, or even if you know you're not, visit Gibson Research and run "Shields Up", a vulnerability analysis. It will try to access and analyze your computer from the internet and will list for you exactly how you are vulnerable. It tends to be a tad alarmist in its wording, and getting a perfect score is almost impossible, but it's valuable information to help you decide if you need to take additional steps.

(This is an update to an article originally published in March, 2004.)

Article C1911 - December 26, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

36 Comments
Jack
August 24, 2004 8:28 PM

Thanks Leo for your excellent site. I gain more here than many else.

I am now using Linksys wireless-B Broadband router (same as yours) for my home network. My question is: Do I still need firewall in my computer in addition to the in-built firewall function of the router. The latter in my understanding is via NAT.

Thanks a lot in advance.

Leo
August 24, 2004 9:33 PM

Depends on what you're doing, but in general, the answer's no ... the NAT firewall will do the trick.

It does for me.

Thanks!!

Felix
September 7, 2004 11:54 AM

I've found that while my firewall is up, I cannot post to some forums, nor register with some sites (like my local newspaper classifieds.) Can I turn it off for these functions and still be relatively safe?

Leo
September 7, 2004 7:44 PM

I'd find out what your firewall is blocking that's preventing those things from working, and then adjusting it to allow what you need. How for both will vary depending on what firewall you're using. Internet viruses can happen fairly quickly (people downloading patches have gotten reinfected faster than they can download), so I'm hesitant to recommend turning off the firewall completely.

Melinda
October 25, 2004 10:55 AM

My computer has a firewall from Windows Service Pack 2 and virus protection. My question is I just purchased an internet system with 5 protection programs, which includes a firewall and antivirus protection, Do I need this in addition to what I already have? or is it unnecessary.

sirigos
October 30, 2004 5:46 PM

Gibson Research is a fantastic free site everybody should use.
thanks for the tip

Shravanthi
October 3, 2005 10:21 AM

My computer has a Norton Personal Firewall installed, and the rediff bol application is not getting started because one of the ports is blocked because of the firewall. What do I do to make the application work without turning off the firewall?

Dan
October 22, 2005 8:00 AM

I use Sygate Personal Firewall, it is free and does an excellent job

Carmelia
February 1, 2006 10:05 AM

Dear Leo;
I am a soon to be foster parent of teen aged girls and I want to protect them from as many potential Internet related problems as possible, including chat rooms with unseemly types. What suggestions do you have for parents/foster parents with kids who want to use the Internet?
Ann

Leo
February 1, 2006 10:14 AM

That's a HUGE topic :-). I'll start you here, though: http://ask-leo.com/how_can_i_keep_my_kids_safe_from_internet_garbage.html

bob
February 13, 2006 5:13 PM

i just bought a new computer and when i went to the screen for my firewall, it was turned off. i turned it on and a friend told me i should turn it back off? what exactly is the firewall? i am not very smart when it comes to computers.

Leo
February 13, 2006 7:13 PM

You do need a firewall of some sort, so ask your friend why he said not to. The article you just commented on outlines my suggestions.

Suresh
May 15, 2006 3:09 AM

Hi Leo,

I have Windows 200 professional and Mcafee viruscan 7.1 on my laptop. I have been having my dial-up connection from AOL for about 2 weeks. I did one mistake. I did not update my latest dat file from NAI.com for the viruscan. During that period some virus has entered my system and disabled my task manager. Later I updated the latest dat file. But still I started getting messages from viruscan that a virus file SVCHOST.exe could not be deleted from c:\winnt\svchost.exe. Then I found this file in that location was just 1 week old. I also found one more file in location c:\winnt\system32\svchost.exe old dated and also smaller in size. Then c:\winnt\system32\svchost.exe to c:\winnt\svchost.exe. The viruscan report stopped coming but now this exe keeps executing itself from c:\winnt\svchost.exe on a empty command window and finally I have got a message on my desktop showing high risk of spyware and some problem on RAM. Please let me know what should I do. I have my Windows ME factory edition for my laptop. Should I go ahead and install the OS. If I take a backup of data on split drive D do I have a chance of getting viruses from the backup.

Thanks,

Chamu

Faye
May 20, 2006 6:02 AM

I wanted to get back at my sister for sending me a lot of forwarded chain letters and other dumb stuff so I sent her a barrage of funny emails from a certain site. It didn't end up the way I had planned as she had just put in a firewall (called firefox) on her comp, she said she couldn't access them, but one from another site she could see. Why is that? Thanks for your help!

S. Naqvi
September 22, 2006 12:59 PM

We have AOL's security system on our computer. My wife chose the computer check on AOL, and chose some option that keeps turning off our internet connection after a minute or so.

We have a router that our computer connects to. It has an IP address that the fire wall seems to reject, but allows initially.

If we go to Google, it allows us connection for a long time. But as soon as we try to go on Yahoo.com or msn.com or aol, then our internet connection gets interrupted. We have to disable and enable our connection again and again to connect for short periods of time.

Please Help.

brandy
November 23, 2006 8:38 PM

hey... i need a little help.. i can't seem to check my emails... i can get onto the hotmail.com website, and i can type in my email address and password.. but when i hit enter, it says page cannot be displayed. i personally think that it is because of some kind of firewall. but i have no idea how to disable it. can you help me?

can you IM me on aim at gummybear52291 please???

thanks

deepak
January 27, 2007 12:23 AM

our office having intranet so there is some sites are blocked so how to use rediffbol bypassing the proxy..kindly let me know

Rln Zastovnik
February 5, 2008 5:13 PM

FIREWALL NOT NEEDED? Everyone says use a router/firewall when using DSL, cable, etc. I helped a friend with a new AT&T DSL account and insisted that he buy a router. So he purchased a Netgear router. During the setup, I was surprised to see that the modem was giving out a private 192.168.1.x address. Are they putting NAT firewalls in the modems now? None of the documentation mentioned that there was already a firewall. I installed the Netgear router anyway because I was not sure. Maybe he didn't need to buy the router? I still can't find any info about firewalls being included in DSL modems.
-Ron

Leo A. Notenboom
February 6, 2008 9:38 AM

I have seen this, though as you've seen it's hard to find
documentation on it. The DSL modem at my wife's business was
handing out 192. addresses just as you describe. This does
imply that it's doing NAT, and does imply that it is acting,
in some regard, as a firewall/router. And yes, that would be
sufficient.

And to clarify your lead-in statement, yes a firewall is
still necessary - it just might already be in your modem.

Leo


David Vogl
May 14, 2008 8:25 AM

Leo,
Lately, according to Zone Alarm I have NUMEROUS programs all trying to contact 192.198.0.198 and .1 and 224.0.0.22 which appear to come from Africa! At your suggestion on the air I bought a D-Link DIR-655 router and NOD32 AV. I deleted ZA as I thought you said all I needed was the router. I'm really worried "something" is on my computer despite complete scans by NOD32 and several other on line scan programs. Should I go back and install Zone Alarm again?
Am I in danger and should I worry?
Thanks, Leo,
David

David Vogl
May 14, 2008 8:29 AM

Leo, sorry, I can't type. That IP was 192.168.0.1 and 192.168.0.199 among others.

Ed
July 21, 2008 6:56 PM

I fix computers from time to time and I think some may have been hacked into. When I fix them I don't use my router with a firewall I just connect via my modem and after they're repaired I hook my router back up.
So if the hacker can see my ip addy am I still safe since I put my router with firewall back up or should I use my router all the time even when I do repairs

matt Falkenstein
January 27, 2009 1:00 PM

Ok, I now know hard/soft firewall, router, hub, switch. Question.... our previous computer technician set up a brand new dedicated server and connected the server > modem > broadband. (we have a dental office with much private info.... 17 computer stations) Currently all the protection we have that I know of is Norton Antivirus and whatever our broadband has. A new computer tech says, "NOT EVEN ADEQUATE" and recommends a hardware device for max protection (about $500). What is right?

Don Taber
December 29, 2009 9:43 AM

Agree with most of what you say in this article, but have a comment about the Comodo firewall. The Comodo firewall enjoys #1 ratings from many sources. I used it for several months, but ultimately uninstalled it. Why? It is annoyingly intrusive. It constantly pops up dialog boxes requiring you to allow or disallow one thing or other, even after going thru a long learning period. Its identification of what's trying to get in is almost always cryptic -- usually a file name that means nothing to me (and I help people fix software problems, so are pretty computer literate), and even less to most home computer users. I think it would be helpful to append the article to mention that Comodo is most useful for technically savvy users. Others will do just as well to use the free Windows firewall, even though it's unidirectional.

travel
December 29, 2009 11:08 AM

I have AOL and it does have its own firewall which I appreciate. Sometimes it does not allow me to go on a particular site, so I just use Firefox to get on. Not really a problem. I hope. Any concerns I should have?

Charles Tilley
December 29, 2009 12:36 PM

I don't see anything wrong with the one included with Windows 7. It's adequate for my purposes. On XP Pro, the firewall was fine as well. As long as you play safe computing (no porn sites, not accepting every free download that comes your way to place spyware onto your computer), you should be safe. If the Windows default firewall was no good, they'd be advising to get one.

James Nell
December 29, 2009 1:46 PM

Hi Leo
Believe it or not , My pc got a perfect score in all areas at Gibson Research
Happy new year for 2010
:-)

Color me impressed.
Leo
30-Dec-2009

Colin Sedgwick
January 7, 2010 5:41 AM

Hi All,
A perfect score by Shields Up was achieved by Zone Alarm. You have complete control in and out. Free for private use. A little annoying but you are notified if programs change as well. Simple but effective. A firewall should never be turned off and a hardware and software firewall in tandem is the most secure. There is no conflict between the two. I have used a Router/software firewall combination with AVG on XP for years with no infections even on the most dangerous websites. Keep up the good work Leo.

Brian
January 14, 2010 8:57 PM

If you don't have file sharing turned on, and you know the things to avoid on internet such as popups, then I fail to see the justification for a firewall. This seems to me to be one of those forms of brainwashing that's occurred in the computer world where due to typical user stupidity, people are absolutely convinced that this is therefore their "internet condom". Can you provide any more plausible/logical reason on *why* this is even helpful if you know your way around a pc backwards-and-forwards?

There have been vulnerabilities - both as bugs and as configuration choices - in network-facing protocols other than file sharing that have allowed malware to infect a system not protected by a firewall - even for systems owned by people who claim to know their way around a computer backwards and forwards.
Leo
15-Jan-2010

Gamer
February 9, 2010 11:47 AM

I got a perfect score! Thanks for the info Leo. I really appreciate it!

Jeff Hill
March 9, 2010 9:03 AM

First, there is never a good reason to NOT have a firewall! Just have a look at a typical log file to see the type and frequency of attacks that are being blocked, typically against ports for services you may not even know are running on your PC (this is where "shields UP" can help).

Your consumer-grade router is probably adequate for home use, and as noted by others usually also provides a DHCP server. See if it has "stealth mode", and if it does, be sure it's turned on.

If you have business assets to protect, however, a dedicated firewall appliance gives you more control, better logging and alerts, etc. I use a SonicWall TZ-100 on my server's DSL, and a LinkSys router on my BrightHouse home network.

Running a software firewall behind a hardware firewall probably won't help you, and will probably degrade performance. Plus, if you've had to do any significant configuration for outbound services you'll have to remember to make any changes to both firewalls.

If you live behind a firewall don't get complacent: be sure to turn the software firewall back on whenever you use a "Public" network (hotel, airport, etc.).

R.
August 1, 2010 3:35 PM

The best free firewall programs that I've used are Comodo and Zone Alarm. Each has its pros and cons along with the learning curve for you and the software. I prefer Zone Alarm because I feel it's a tad more user-friendly. To sum it up, if you're a responsible surfer and you keep your system up to date then using either of these will just be some additional security.

BTW, I've always received a perfect score from Gibson when I scanned my system. Either the test is missing something or my security is decent.

Terri McNulty
November 6, 2010 6:16 AM

I scored perfect as well. I do not see the need for a software firewall and was quite pleased to find this article which makes the points that I have been telling people for a very long time. A router, for most people, will suffice. Thank you, Leo, for backing up those of us who tell others, "If you want your computer protected, put it behind a router."

Gwyn
December 14, 2011 8:45 AM

Is a BT Home Hub (which I have) the same as and/or as good as a router?

I'm not familiar with the BT Home Hub, so you'll need to check with the provider to see if it's really a router. If it's truly a "hub", then no, it does not do what you need.
Leo
14-Dec-2011

Gwyn
December 14, 2011 12:14 PM

Thanks Leo. I've just checked, and Wikipedia describe the BT Home Hub as a "wireless residential gateway router". I've also re-read your article about hubs, switches and routers, so I think it's a bit odd that BT should describe it as a "hub", when they could describe it, it seems, as a more powerful/secure "router".
