Firewalls are a critical component of keeping your machine safe on the internet. There are two basic types, but which is right for you?

I keep hearing about "firewalls" for my computer and that there are different types. Do I need one? If I do, what kind of firewall do I need?

The very short, very easy answer is: hell yes! Absolutely, positively you need a firewall.

With all that happens on the internet these days it's simply too risky to let your computer sit "naked" on the internet unless you really know what you're doing.

The real question is then: what do you need?

Heck, it's even possible you already are behind a firewall and don't need anything more.

Realize that a firewall is about protecting you and your computer from them, where "them" means "the malicious folk on the internet".

A correctly configured incoming firewall does not block your access out to the internet. You should be able to browse the web, for example, without interruption. The firewall prevents access from somewhere on the internet to your computer. That's not to say people can't send you email; they can because you access your mail through the internet by going out to get it when you download it. It does mean that people can't copy files directly to your PC or cause programs to be run on your machine remotely.
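To make the "you can go out, they can't come in" rule concrete, here is an added example (not part of the original article): a simplified Python model of an incoming firewall that remembers the connections your computer starts and lets in only the replies to them. The class name, addresses and ports are made up for illustration, and a real firewall also tracks connection state and timeouts.

```python
# Added example: toy model of a stateful incoming firewall.
# All addresses and ports below are constructed sample values.
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


class IncomingFirewall:
    """Allows all outbound traffic; allows inbound only as replies."""

    def __init__(self, protected_host: str):
        self.host = protected_host
        self.flows = set()  # (local_port, remote_ip, remote_port) we opened

    def outbound(self, pkt: Packet) -> str:
        # Outbound is never blocked; remember the flow so replies get back in.
        self.flows.add((pkt.sport, pkt.dst, pkt.dport))
        return "ALLOW"

    def inbound(self, pkt: Packet) -> str:
        # Inbound passes only if it mirrors a flow the protected host started.
        if pkt.dst == self.host and (pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW"
        return "DROP"


def demo() -> dict:
    pc, mail, stranger = "192.0.2.10", "198.51.100.25", "203.0.113.66"
    fw = IncomingFirewall(pc)
    results = {}
    # The PC goes out to its mail server to download messages (POP3, port 110).
    results["mail_request"] = fw.outbound(Packet(pc, 50000, mail, 110))
    # The server's reply belongs to that flow, so the mail arrives.
    results["mail_reply"] = fw.inbound(Packet(mail, 110, pc, 50000))
    # A host the PC never contacted tries Windows file sharing (port 445).
    results["unsolicited_file_copy"] = fw.inbound(Packet(stranger, 51000, pc, 445))
    # Reusing the mail flow's port numbers does not help a different sender.
    results["stranger_same_ports"] = fw.inbound(Packet(stranger, 110, pc, 50000))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```
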

Step one is to check with your ISP. Some actually do provide a certain amount of firewalling. AOL, if I'm not mistaken, is a fairly good example: they've set up their own private network and internet access is tightly controlled. The good news is that you may be well-protected. The bad news is that you have no control over it.

Most ISPs, however, do not provide any kind of firewall. What you get from them is a direct connection to the internet. That gives you the most flexibility and control but it also places the burden of protection in your lap.

The next question is do you need a hardware firewall - an additional device you place between your computer and your internet connection - or a software-based firewall - a program that you install on your PC?

In my opinion, if you connect via broadband such as cable or DSL then there's no question at all: broadband routers are inexpensive and act as firewalls providing an exceptionally high level of protection quite literally right out of the box. They're typically easy to set up and also have the flexibility to be carefully configured for more advanced uses such as running a web server from behind your firewall. I like the hardware approach because the routers are devices dedicated to their task and do not interfere with - nor can they be compromised by - your computer. You can read more about routers and how I'd set up a home network. Remember, a router will work just fine even if you have only one computer.

If you are on dialup or have some other reason for not wanting to go the hardware route there are software firewalls as well. In fact, Windows XP, Vista and 7 all include one by default. Even if you do nothing else and you're not sure what you really want to do, you should simply make sure that the Windows Firewall is turned on. Check in the "Security Center" in Control Panel.

There are many other popular firewall packages, though I typically recommend against all-in-one "Internet Security Suites" as provided by many manufacturers. Instead, a dedicated firewall such as Comodo or others might be well worth investigating.

One of the biggest differences with software firewalls, particularly third-party offerings, is the ability to provide outbound protection. As I said above, a firewall's primary job is to protect your computer from internet-based threats. However, if you've been compromised, an outbound firewall will often prevent the attack from spreading from your computer to others, and will alert you when something suspicious has happened. While I don't typically view an outbound firewall as absolutely necessary, it's another part of the puzzle that's at least worth considering.

Finally, when you believe you're protected, or even if you know you're not, visit Gibson Research and run "Shields Up", a vulnerability analysis. It will try to access and analyze your computer from the internet and will list for you exactly how you are vulnerable. It tends to be a tad alarmist in its wording, and getting a perfect score is almost impossible, but it's valuable information to help you decide if you need to take additional steps.

(This is an update to an article originally published in March, 2004.)

Article C1911 - December 26, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Recent Comments
36 Comments
Jeff Hill
March 9, 2010 9:03 AM

First, there is never a good reason to NOT have a firewall! Just have a look at a typical log file to see the type and frequency of attacks that are being blocked, typically against ports for services you may not even know are running on your PC (this is where "shields UP" can help).

Your consumer-grade router is probably adequate for home use, and as noted by others usually also provides a DHCP server. See if it has "stealth mode", and if it does, be sure it's turned on.

If you have business assets to protect, however, a dedicated firewall appliance gives you more control, better logging and alerts, etc. I use a SonicWall TZ-100 on my server's DSL, and a LinkSys router on my BrightHouse home network.

Running a software firewall behind a hardware firewall probably won't help you, and will probably degrade performance. Plus, if you've had to do any significant configuration for outbound services you'll have to remember to make any changes to both firewalls.

If you live behind a firewall don't get complacent: be sure to turn the software firewall back on whenever you use a "Public" network (hotel, airport, etc.).

R.
August 1, 2010 3:35 PM

The best free firewall programs that I've used are Comodo and Zone Alarm. Each has its pros and cons along with the learning curve for you and the software. I prefer Zone Alarm because I feel it's a tad more user-friendly. To sum it up, if you're a responsible surfer and you keep your system up to date then using either of these will just be some additional security.

BTW, I've always received a perfect score from Gibson when I scanned my system. Either the test is missing something or my security is decent.

Terri McNulty
November 6, 2010 6:16 AM

I scored perfect as well. I do not see the need for a software firewall and was quite pleased to find this article which makes the points that I have been telling people for a very long time. A router, for most people, will suffice. Thank you, Leo, for backing up those of us who tell others, "If you want your computer protected, put it behind a router."

Gwyn
December 14, 2011 8:45 AM

Is a BT Home Hub (which I have) the same as and/or as good as a router?

I'm not familiar with the BT Home Hub, so you'll need to check with the provider to see if it's really a router. If it's truly a "hub", then no, it does not do what you need.
Leo
14-Dec-2011
Gwyn
December 14, 2011 12:14 PM

Thanks Leo. I've just checked, and Wikipedia describe the BT Home Hub as a "wireless residential gateway router". I've also re-read your article about hubs, switches and routers, so I think it's a bit odd that BT should describe it as a "hub", when they could describe it, it seems, as a more powerful/secure "router".
