Helping people with computers... one answer at a time.

A router is an important tool in staying safe when connected to the internet. A router will stop certain types of viruses and malware ... but not all.

I have FIOS which includes an Action Tec router/switch combo device. The router's security is at factory defaults. Is it possible for a virus/spyware to jump across the switch? I just found exceptions that other programs put there without my knowledge. Skype, Google earth. I do not remember these programs asking me the make exceptions. I just turned all exceptions off. An IT guy thinks so, I always thought the answer was no.

The short answer is: Yes.

The longer answer is more involved, and involves the differences between a router and a switch, how a router protects you, software that's makes changes to your router without asking, and ultimately different kinds of viruses and malware and which a router can and cannot protect you against.

Switch versus Router

First, I think we should clear up some terminology.

  • A router is an intelligent device - meaning it's running some fairly sophisticated software. It looks at the data packets that are traversing across it and modifies the routing information within the packets to control how they are routed from point A to point B.

  • A switch is a not-so-intelligent device that also looks at the packets that traverse it, but doesn't modify anything. Instead it learns which IP addresses are on which of its physical connections. Its job is simply to make sure that packets that come in destined for a particular IP address are sent to the correct physical connection on which that IP address lives.

"... a router configured properly will protect you from a very important threat."

I suspect that you're using the term "switch" as synonymous with "router", since it's one box in your case. Technically that's incorrect, and when they're combined like that it's probably best just to refer to it as a router.

The real point, however, is that a switch provides no protection; it's the router that does that.

How a Router Protects You

Or, more specifically, how a NAT router protects you.

NAT, or network address translation, is how a router lets you connect several different computers on your local network to a single internet connection that uses a single internet IP address.

Computers on your local LAN are assigned local IP addresses by the router - usually of the form or similar. When your computer connects to an internet resource the router sees that outgoing packet and changes the local IP to the internet IP address assigned to your internet connection. When the response comes back the router does the reverse, routing the response back to the correct computer on your network.

Now, this only works for outbound connections - meaning a connection to an internet resource that one of the local computers initiates. If an unrequested attempt is made to connect to your internet IP address - the router has no idea what computer to send it to, so it's ignored.

That's the protection that a router provides: any attempts to connect from computers on the internet to your computer are blocked.

And there's a huge class of malware that tries to spread exactly that way - by trying to connect directly to your computer.

If you've got a router, you're protected.

Except, maybe...

Software That Reconfigures Your Router

As you can imagine there are sometimes scenarios where you actually want to be able to initiate a connection to your computer from the internet. Most routers support this, but you must manually configure the exception to the "everything's blocked" rule.

What's called "port forwarding" allows you to tell the router "if a connection comes in on this port (the way types of connections are defined), send it to this computer".

Something called "Universal Plug and Play" (UPNP) also allows software to make router configurations "for you", without asking.

I'm guessing that's exactly what Skype and Google Earth did.

UPNP is a security risk, because malware on your machine could also just as easily use it to make changes to your router's configuration and remove much of the security that you so carefully put in place.

Turning off those exceptions was the right thing to do. I also recommend turning off UPNP on the router completely.

Wait ... "malware on your machine"? But didn't the router stop all malware?

No. The router stops a certain type of malware; an important type of malware. But it doesn't stop all malware.

Malware Routers Don't Protect Against

A properly configured router will prevent unsolicited connections from computers on the internet from reaching your machine.

A router cannot protect you against:

  • Malware you download

  • Malware in email attachments that you open

  • Websites that you visit that install malware on your system

  • Malware that arrives on other media, like USB drives

  • ... and probably more.

The bottom line: a router configured properly will protect you from a very important threat. Without a firewall or router protecting you against this threat you are at serious risk.

But a router (or a firewall) cannot protect you from all of the many other ways that malware can reach your machine.

Article C4679 - December 12, 2010 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

December 14, 2010 12:22 PM

I read the article on routers which included a discussion on firewalls. I have a stand alone IMac current version. No Router but the Mac comes with a firewall. I have checked off "block all connections"
My wireless stuff is turned off also. I'm I ok?

December 14, 2010 8:03 PM

Good story. I would really like to see at least one additional point made. When you install a router, one of the first steps in "Properly Configuring" it is to change the default admin userid and password. The defaults for all the brand names is easily available on the internet. If you don't change the defaults, it is brain-dead easy for the "bad guys" to identify your router and take it over.

Robert: you have taken a couple of good steps, so you are in better shape than most people, but would be in much better shape with the addition of a standalone router. It is only $30-50, plug it in take 5 minutes to set it up and forget it. You will pay much more than that in time and effort when your machine is infected. Just because you run a MAC no longer means you are automatically safe.

Actually the related article on securing a router does exactly this.

December 15, 2010 7:41 AM

Thanks Ron for that advise. If willing give me a recommendation on that router.

I'm a low level user, but I've been running Windows since what 3.0. Finally went Mac in 2/10.

I've assume that one thing that helps the Linux platform over MSFT is that it the pc has no registry to attack plus all the other intertwined stuff?

Thanks again

Keith Griffiths
December 15, 2010 10:14 AM

I have a file on a usb which contains my bank details. Presently I switch off the router and load this file from the usb, work on it, disconnect the usb and switch on the router.

This is a bit tiresome. I have Avira and Threatfire protection.

If I leave the file on the computer itself, will the software listed above and the router protect me from anyone on the Internet entering my computer and reading my files?

Turning off your router isn't really helping - if there's malware on your machine it could collect the data and then send it once you reconnect. I don't really see a lot of value in the process you're taking. I'd simply ensure you haev good malware protection, a firewall, strong passwords, and practice good safety habits in general (no untrusted downloads or attachments, no visiting bad web sites, that kind of thing).

Morpheus Exegis
January 4, 2012 9:02 AM

@ Keith
if you are that worried about you files you should probably have a high end firewall setup and be monitoring what applications are connecting to the internet. Leaving it on your computer is a good start but encrypt the file for additional protection and ensure no processes on your computer are connecting to Internet when they are not supposed to. with basic safeguards you can protect yourself from 99% of the internet the other 1% can probably bypass anything you throw in their way but will likely never be interested in you enough to warrant their attention. Also paranoia can lead to excessive stress just basics like monitoring Internet connections and encryption will keep your files and computer safe. Avira and Threatfire are steps in the right direction and can help you monitor your computer.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.