
You do need a firewall. If you're not behind a router, the Windows Firewall is one option.

I'm really confused. With the new Windows XP SP2 Security Alert System, do we still need a firewall to stop outbound traffic? If we get a router (Linksys), does that take care of everything, which means we need to disable Windows Firewall to avoid false alarms?

There's a lot of misunderstanding about firewalls, routers, and other security software. When Windows XP Service Pack 2 was released it definitely put security, and particularly the firewall, "in your face". Subsequent releases of Windows also include the firewall and turn it on by default.

It's a great opportunity to find out what you need ... and what you don't need.

A firewall filters network traffic. A previous article "What's a firewall, and how do I set one up?" covers this in more detail, but the bottom line is that a firewall primarily protects you from certain classes of incoming network-based problems.


Every computer should be behind a firewall of some sort.

In general, a hardware firewall, typically the NAT function of a consumer router, keeps unsolicited network traffic from ever reaching your computer: the router only passes inbound packets that belong to a connection one of your machines opened, and has nowhere to deliver anything else. A software firewall such as the Windows Firewall does its filtering on the computer itself, discarding unwanted traffic after it has already arrived on the network interface.
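To make the inbound/outbound distinction concrete, here is a toy model of a NAT router's translation table, written in PowerShell. It is an added example, not code from the article or from any router vendor; the addresses are documentation ranges and the function names are invented for illustration. It shows why an unsolicited probe from the Internet is dropped, why a reply to something you asked for gets through, why a "phone home" from malware on the LAN is passed like any other connection, and how a forwarded port punches a deliberate hole.

```powershell
# Added illustration (not from the article): a minimal model of NAT connection
# tracking. Addresses are from the documentation ranges (RFC 5737) and are made up.
$script:RouterPublicIp  = '203.0.113.10'
$script:NatTable        = @{}    # "proto:publicPort" -> where the reply goes on the LAN
$script:PortForwards    = @{}    # "proto:publicPort" -> LAN host for a deliberate hole
$script:NextPublicPort  = 40000

function Send-Outbound {
    # A LAN host opens a connection. The router picks a public port, remembers the
    # mapping, and rewrites the source address. Nothing is inspected: NAT neither
    # knows nor cares whether the program sending is a browser or malware.
    param([string]$LanIp, [int]$LanPort, [string]$RemoteIp, [int]$RemotePort, [string]$Proto = 'tcp')
    $publicPort = $script:NextPublicPort
    $script:NextPublicPort++
    $script:NatTable["$($Proto):$publicPort"] = @{
        LanIp = $LanIp; LanPort = $LanPort; RemoteIp = $RemoteIp; RemotePort = $RemotePort
    }
    return "OUT $Proto $($script:RouterPublicIp):$publicPort -> $($RemoteIp):$RemotePort (really from $($LanIp):$LanPort)"
}

function Receive-Inbound {
    # A packet arrives from the Internet addressed to the router's public IP.
    param([string]$RemoteIp, [int]$RemotePort, [int]$PublicPort, [string]$Proto = 'tcp')
    $key = "$($Proto):$PublicPort"
    if ($script:PortForwards.ContainsKey($key)) {
        # A port you forwarded (or that UPnP opened on a program's behalf) goes straight in.
        return "FORWARD to $($script:PortForwards[$key]) (port forward)"
    }
    $entry = $script:NatTable[$key]
    if ($entry -and $entry.RemoteIp -eq $RemoteIp -and $entry.RemotePort -eq $RemotePort) {
        # A reply to a connection a LAN host opened: translate back and deliver it.
        return "FORWARD to $($entry.LanIp):$($entry.LanPort) (reply to outbound connection)"
    }
    # Unsolicited: there is no LAN host this could belong to, so the router drops it.
    return "DROP (no translation entry for $key)"
}

# 1. A browser on the LAN fetches a page; the reply comes back through the mapping.
Send-Outbound -LanIp '192.168.1.20' -LanPort 51000 -RemoteIp '198.51.100.5' -RemotePort 80
Receive-Inbound -RemoteIp '198.51.100.5' -RemotePort 80 -PublicPort 40000    # FORWARD (reply)

# 2. A scanner on the Internet probes SMB (445) on the public address: dropped.
Receive-Inbound -RemoteIp '192.0.2.77' -RemotePort 6000 -PublicPort 445       # DROP

# 3. Malware already on the LAN host "phones home": NAT passes it without a second look.
Send-Outbound -LanIp '192.168.1.20' -LanPort 51001 -RemoteIp '192.0.2.99' -RemotePort 443

# 4. Forward port 3389 for Remote Desktop, and the same scanner now reaches the PC.
$script:PortForwards['tcp:3389'] = '192.168.1.20:3389'
Receive-Inbound -RemoteIp '192.0.2.77' -RemotePort 6000 -PublicPort 3389      # FORWARD (port forward)

# 5. Traffic between two LAN hosts never passes through the router's table at all,
#    which is why an infected laptop on your Wi-Fi is outside what NAT can help with.
```

Real routers also time out idle entries and track UDP and ICMP the same way, but the security property is the one in cases 2 and 3: inbound is dropped unless you asked for it; outbound is never questioned.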

But you don't need both, provided that everything on the LAN side of your router is a machine you trust.

If you have a router with network address translation, or NAT, enabled (most consumer-grade routers do, by default), then the Windows Firewall adds nothing against attacks arriving from the Internet side: the router has already dropped them. In that case you can tell the Windows Security Center that you'll manage your firewall yourself. Two things NAT does not do are worth keeping in mind: it doesn't filter traffic between machines on your own network (a visitor's infected laptop on your Wi-Fi talks to your PC directly), and any port you forward, or that UPnP opens on a program's behalf, is a deliberate hole straight through it.

If you're not behind a router or other firewall, you'll at least want to turn on the Windows Firewall. This is what I do when I take my laptop on the road: not being sure exactly what I'm connecting to, the firewall protects me from network-based threats.
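The laptop-on-the-road case is exactly what the Windows Firewall's network profiles (Domain, Private, Public) are for: Windows switches profile when you tell it a new network is "Public" or "Home/Work", so the firewall can be strict in a hotel and relaxed at home without you touching it each time. The script below is an added example, not from the article, using the `netsh advfirewall` context that exists on Windows Vista/7 and later (Windows 8 and later also expose the same settings through the `NetSecurity` cmdlets). It assumes an elevated prompt; the "File and Printer Sharing" group name is the built-in one.

```powershell
# Added example (not from the article): configure the Windows Firewall per network
# profile so a laptop defends itself on untrusted networks. Requires Vista/7 or
# later and an elevated (Administrator) PowerShell prompt.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }

# What is on right now? Each profile carries its own on/off state and default policy.
netsh advfirewall show allprofiles state

# Public (coffee shop, hotel, airport): firewall on, drop everything unsolicited,
# let outbound through. This is the "on the road" setting from the article.
netsh advfirewall set publicprofile state on
netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound

# Private (home LAN behind your own NAT router). The cautious choice is to leave the
# firewall on and just re-enable the sharing rules you actually use, so that a guest's
# infected machine on your Wi-Fi still meets a closed door. The selector profile=private
# keeps the Public copies of those rules disabled.
netsh advfirewall set privateprofile state on
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall set rule group="File and Printer Sharing" profile=private new enable=yes

# ...or, to do exactly what the article describes for a trusted router, turn the
# Private profile off and rely on NAT alone:
# netsh advfirewall set privateprofile state off

# Confirm which profile Windows has applied to the network you are on now.
netsh advfirewall show currentprofile
```

The mistake this guards against is marking a public network as "Home/Work" at the connection prompt; if you are unsure what you are plugged into, choose "Public" and the strict profile applies.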

Now, one word in the original question is worth a comment: "outbound".

Consumer-grade routers will keep you safe from threats coming in from the network, but will not filter, or warn you about, malware already on your machine attempting to connect out. The Windows Firewall in XP doesn't filter outbound traffic at all; the versions in Vista and later can block outbound connections by rule, but they allow everything out by default and never prompt you. Third-party software firewalls that you can install in place of the Windows Firewall can be configured with a wide array of outbound protection, typically a per-program "allow or deny?" prompt.
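If you do want the Windows Firewall to behave like those third-party products, the Vista/7-era engine can be switched to default-deny outbound, after which only programs and ports with an explicit allow rule may talk to the network. The script below is an added example, not from the article: it adds the allow rules first (so the policy change doesn't cut you off), flips the default, turns on logging of dropped packets, and then parses the firewall log for outbound drops, which is how a blocked "phone home" shows up, since Windows never prompts. The browser path and the sample log lines are constructed placeholders; the log field order is the one `pfirewall.log` uses.

```powershell
# Added example (not from the article): default-deny outbound in the Windows Firewall
# (Vista/7 or later, elevated prompt) plus a reader for what it dropped.

# Allow rules go in BEFORE the policy change. The built-in "Core Networking" rules
# already cover DHCP and DNS; application rules you have to write yourself.
netsh advfirewall firewall add rule name="Allow browser out" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes

# Now block everything outbound that has no matching allow rule, on every profile.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Windows will not prompt; the only trace of a blocked connection is the log.
# (Default location: %systemroot%\system32\LogFiles\Firewall\pfirewall.log)
netsh advfirewall set allprofiles logging droppedconnections enable

function Get-DroppedOutbound {
    # Return the dropped packets this machine itself tried to SEND, i.e. outbound
    # attempts the policy stopped. Inbound drops (path RECEIVE) are the router's job.
    param([string[]]$LogLines)
    $fields = 'date','time','action','protocol','src-ip','dst-ip','src-port','dst-port',
              'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info','path'
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#') -or $line.Trim() -eq '') { continue }   # header/blank
        $parts = $line -split '\s+'
        if ($parts.Count -lt $fields.Count) { continue }                   # truncated line
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $parts[$i] }
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'SEND') {
            New-Object PSObject -Property @{
                Time  = "$($rec['date']) $($rec['time'])"
                Proto = $rec['protocol']
                Dest  = "$($rec['dst-ip']):$($rec['dst-port'])"
            }
        }
    }
}

# Constructed sample in pfirewall.log format (not a real capture): one allowed
# browser connection, one blocked outbound "phone home", one inbound probe.
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-02-21 10:15:02 ALLOW TCP 192.168.1.20 198.51.100.5 51000 80 0 - 0 0 0 - - - SEND
2010-02-21 10:15:09 DROP TCP 192.168.1.20 192.0.2.99 51001 443 52 S 123456 0 8192 - - - SEND
2010-02-21 10:15:11 DROP TCP 192.0.2.77 192.168.1.20 6000 445 52 S 654321 0 8192 - - - RECEIVE
'@ -split "`r?`n"

Get-DroppedOutbound -LogLines $sample    # one row: TCP to 192.0.2.99:443
# On a live system:
# Get-DroppedOutbound -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Two caveats a practitioner would add. First, this is a speed bump, not a wall: malware running with administrator rights can add its own allow rule or turn the firewall off with the same `netsh` calls. Second, if you get locked out of something, `netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound` restores the default.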

There's a wide variety of opinion on this, but personally, I'm quite happy simply behind a router and with no outgoing threat monitoring.

But regardless, you do need a firewall; be it an external router, a software package that you install, or at a minimum simply enabling the Windows Firewall already present on your machine.

(This is an update to an article originally published in September of 2004.)

Article C2186 - February 21, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


43 Comments
Anonymous
September 14, 2004 6:26 PM

Dear Leo:

Thanks for the great info. Now I have a better understanding of what a router and Windows XP Firewall will and will not do.

Armed with this information, I will now activate my new Wireless-G Broadband Router (802.11g) and disable my Windows Firewall. Or, as you stated... (notify Windows Security that I will manage my own firewall).

I will add Zone Alarm for Outbound protection, as there are always programs, at one time or another, asking for Internet Connection.

Once again, thank you for taking the time to shed some light on this problem...I hope it will help others that have had the same questions, but didn't know who to ask.

It couldn't get any clearer than this!!!

Chastity Benefits
September 15, 2004 5:18 AM

Please don't install ALARMingly unfriendly software like ZoneAlarm. Instead use either the free Outpost or Outpost Pro from Agnitum

http://agnitum.com

Unlike ZoneAlarm, if you decide to uninstall Outpost you will be able to try other firewall packages, and your operating system will continue to function as you would expect.

Larry Osterman
September 15, 2004 9:55 AM

The problem with not having a firewall enabled on machines behind a hardware firewall is this leads to what's called M&M security - a hard crunchy outside, but a soft, chewy inside.

If someone gets behind your hardware firewall with an infected machine, then your entire network is vulnerable. This isn't a big deal if you've got one machine on a DSL connection - the hardware firewall does a great job of handling this.

On the other hand if you've got a wireless network (especially an unprotected wireless network), anyone bringing an infected machine near your wireless network might compromise the machines behind the firewall.

So Leo's comment is totally accurate for 90% of the users out there. But the caveats will bite you if you're not careful.

Tracy Eckels
September 18, 2004 12:58 AM

This is the same advice that I give out, with the addition of the fact that I favor actually purchasing a router with NAT protection rather than purchasing firewall software. Of course this applies to broadband users, but the benefit is that for a little added expense you get far superior protection that never needs updating, and has absolutely no effect on your computer's performance.
A software firewall will after a while begin to slow your system since it has to actively remember every connection that is "allowed" on the PC and block those that aren't allowed, in addition to monitoring the connection for common threats. This uses a lot of system resources.
NAT (Network Address Translation) simply hides your computer from the network, making it invulnerable from attack. Worth every penny. I've even suggested to Linksys that they manufacture and market standalone NAT devices that people can install between their DSL modem and phone line connection. They would rake it in!

Michael
September 20, 2004 10:11 PM

As someone on the front lines of dealing with the influx of spyware/malware: you can't do enough in protecting your system from these old and new threats, especially if you have a DSL/broadband connection. You can become infected by just going to a wrong website. I recommend a NAT-based firewall, Norton Internet Security 2005 and Spysweeper (it will catch the spyware), and make sure you enable the popup blocker in IE (WinXP SP2 installs one in IE). Oh, and last but not least, keep Windows XP updated through Windows Update. Happy surfing.

DR. MILES E. STONE, M.D.
September 22, 2004 2:16 AM

Hi,
I have a befsr41 Linksys router, avg anti virus updated daily, spybot, adaware, spywareblaster and system mechanic. Do I need to download sp2 at all?? I have been able to kill and or block all viruses, trojans, worms, and spyware for 1 year with current updates of all defensive utilities. Isn't that enough? Or must I get sp2 so I can be ready for receiving further , later on updates that may need sp2 to be installed? Thank you,
Sincerely,
Miles

Leo
September 22, 2004 9:09 AM

Sounds like you really have your act together, that's great.

A couple of things: SP2 has more fixes than just the security stuff that is getting all the press. And, as you've already guessed, it's likely that some future updates, or even some future applications, will require SP2 already be installed.

But given your track record, I'd be ok waiting to install it until you actually ran across a need.

Elton Brown
September 26, 2004 11:08 AM

Can I have the Windows XP2 firewall on AND continue using my router?

Leo
September 27, 2004 6:08 PM

Sure. You can run with both firewalls enabled.

Andrew
September 27, 2004 6:25 PM

I would like to take issue with your article "So Do I Need SP2's Windows Firewall Or Not?".
You state that if you are behind a firewall or NAT, that you don't need a firewall, and that an "outbound" firewall is not required.
You obviously live on some other world wide web my friend.
Consider this scenario:
In your wisdom you visit some suspect web sites, and some spyware is unknowingly installed on your PC.
The next time you connect to the web, the spyware "phones home" with all your bank and credit card details.

If an outbound firewall were in operation, you would be asked if you want to allow "program X" to connect to the internet, choosing NO prevents the phone home action, choosing YES allows it to happen. Without an outbound firewall in place this prompt for connection does not happen and you are blissfully unaware of the activity your pc has just performed. Whether or not you are behind a firewall or NAT is irrelevant in this case, as the activity has been initiated FROM YOUR END OF THE CONNECTION.
As there is NO WAY to categorically prevent your pc from this type of infection, the absence of an outbound firewall is a licence to print money for the spyware makers.

Andrew Curtis

err101
October 19, 2004 10:09 PM

I would like to add that a good dose of common sense will protect you too. Having credit card numbers, social security numbers, etc. laying around on your PC is not very smart. Spyware looks through your computer the same way people look through your garbage. Keeping it void of critical personal data is the 100% way of preventing theft.

JOSEPH TURNER
October 25, 2004 7:57 PM

I have Windows XP Service Pack 2. I have Norton Internet Security. When I turn my Norton Internet Security on I am not able to get on the Internet. Is it OK to just have my firewall in the XP Service Pack 2 on, or should I have both of them on? Is there a way I can have both of them on? Please reply A.S.A.P.

Leo
October 27, 2004 4:43 AM

You only need one or the other.

Travis McGuire
November 1, 2004 5:55 AM

For most users, I recommend both a hardware (router) and software firewall, especially if you have kids. WinXP SP2 works great. If you don't have WinXP use Sygate; it also works very well. I also recommend not using Outlook or Outlook Express, because they execute code unwillingly. Use Eudora or another free email client, and don't use Internet Explorer, but use something like Firefox. The more of these you change to, the less likely you are to get malicious spyware and viruses.

Leo
November 1, 2004 8:48 AM

I agree with pretty much everything you've said, but one clarification: current versions of Outlook and Outlook express do not execute code "unwillingly" by default. The standard behaviour is actually pretty safe these days.

Steve0
July 31, 2005 1:48 PM

In my humble opinion if you are behind a router then a software firewall is more hassle than it is worth. Why? Because no software can distinguish between connections you want to make and connections you don’t. Sure you can configure it, but you can’t for every eventuality. And yeah it offers a dialog box asking you to allow or deny connection requests, but I would bet that most people simply select the same option every time, whichever they feel more comfortable with, without understanding what made the request and why it was made.

My tack is to install spyware and virus removers. If you can trust all the software on your computer then there is no reason to ever 'deny' any outbound connections. Prevention is better than the cure, right?

STEF
September 15, 2005 3:38 PM

Is it true that the more firewalls you have, the better? Or when you install one, does the other get disabled?

Leo
September 15, 2005 4:42 PM

One firewall active at a time is all I recommend. More than that, and things can often get confused.

dave
December 5, 2005 10:10 PM

Hi, I have Windows XP from about a year ago and just had to reinstall. I was just wondering, is SP2 necessary, and if so how should I get it? I don't have the disc, and I've downloaded it off the internet but I think I've picked something up both times I've tried it (my computer takes forever to shut off after downloading it twice now). I don't know if there's a safe place to get it. Can I just do my automatic updates and get it that way?

Leo
December 15, 2005 9:02 PM

Automatic updates should be fine.

Brian
February 6, 2006 6:56 PM

If I have to allow XP firewall to be uninstalled, where do I go to reinstall it?

Leo
February 6, 2006 7:10 PM

I don't believe it CAN be uninstalled. You can go to the security center in Control Panel to turn it on, if it was simply turned off.

Paul
February 26, 2006 6:38 AM

If you are using a router with NAT (Network Address Translation) enabled then you do not need a software firewall. This is because any potential hacker 'probing' your network will only 'see' the router which, of course, does not hold any valuable information. NAT allows the router to change the IP address header of any data packets sent from your PC. Instead of the IP address of your PC the packet is sent out with the IP address of the router itself. Therefore when a hacker 'probes' your network looking for a reply from your PC all he gets is a reply from the router. In effect your PC is 'hidden' behind the router.
If your PC is not behind a router then you most definitely DO need a software firewall. However, if you do use a NAT enabled router then software firewalls are not necessary.

Edard Ludi
March 10, 2006 5:04 AM

Is it safe to use LimeWire music download? Is it safe for my computer?

Thank You,

Edward Ldu

blackdahlia
March 10, 2006 11:27 AM

This comment is for Edward who asked if it is safe to download from Limewire. It's safe just make sure you have a good antivirus program and you scan everything you download before you run it. Be extra careful if you download software because a large percentage of the software downloads on Limewire are viruses, worms or trojans.

Martin
March 16, 2006 4:52 PM

I believe running a software firewall remains prudent even behind a NAT Router. This is particularly true if you let (either deliberately or accidentally) untrusted machines onto your network. Once an untrusted machine is on your network they can infect you directly and you (and the NAT Router) will never know it happened.

There are many ways that this can happen...

1. The majority of casual computer users do not know how to secure a wireless network and an unsecured wireless network is an open invitation for unwanted guests. (At my previous home I could see three unsecured networks that remained unsecured even after repeated offers to help them get secure).

2. Perhaps you invite guests onto your network, e.g. friends for LAN gaming.

3. You have untrustworthy users with their own machines on your network, for example, teenagers who P2P and lack the skills to prevent 'accidents'.

4. Even a skilled user can be caught out if they offer to 'fix' a friends computer and connect it to their LAN without thinking.

5. A mobile machine may pick up an infection elsewhere and bring it home to behind the NAT Router.

etc.

gonwwith the wind
March 31, 2006 6:46 AM

If your Notebook or Desktop Computer contains or is "likely" to have a Wireless Card connected to it (With USB ports I would say this is Mandatory), you do need a good Software Firewall to stop possible Wireless Intrusion directly into your LAN.

A Router ***will not Block*** this traffic!

Dan B
October 21, 2007 4:46 PM

Is there a way to make the software firewall of my laptop automatically activate when using another/public network (i.e. not on home network) AND deactivate when I'm on my home network (has a router and I trust my LAN)?

angeln
January 27, 2008 3:28 PM

Yes, I have installed SP2 on my computer; ever since then I have had trouble with my boot up. I don't know what has caused this, because I have reinstalled Windows XP before with no problem with SP2, but now I am having boot up problems. And I am unable to use my Zone Alarm without this SP2. Is there any other firewall I can use other than Zone Alarm without having to use SP2?

Brian Wadsworth
November 17, 2008 5:39 PM

I have windows firewall enabled on my laptop. I also have Mcafee anti virus installed which also has firewall enabled. I was told that more than 1 firewall can conflict with each other. Which one do I need or is preferred?

Typically, when you get an additional firewall, the Windows built-in firewall is the first one you turn off.
- Leo
18-Nov-2008

John D Butler, FSS
February 23, 2010 8:25 AM

I have many, many years of IT experience starting with Rand and my watch word is
"Better Safe than Sorry" So even though a user may be behind a hardware firewall I always recommend enabling the XP firewall + a good anti-virus application and an antiMalware add-in

MmeMoxie
February 23, 2010 9:41 AM

Excellent topic & extremely important.

I use my Wireless Router's Firewall & have been since I got it, in 2006. I also, use aVast! Free Version Anti-Virus program. Between the both, I have been quite 'secure'. I also use CCleaner, as well as IOBit's Advanced SystemCare Pro, to 'clean up' Internet surfings. I don't use Windows Firewall anymore, because I found that it interfered with my router's firewall, right from the start. Sometimes, having too much of the same thing, is not good for your computer. One very good Firewall and One very good Anti-Virus program is more important, than a slew of them.

Do I get infected? On occasion, something will try to come through in my emails, but aVast! does stop them. Yes, even the Free Version stops them, plus it updates automatically, when new data comes in. The Free Version also, checks all of my downloads, to make sure they are virus, Trojan horse, so on and so forth, free.

I also, periodically check at www.grc.com & use Gibson's Shields Up program, to check that my first 1056 Port Settings are 'Stealth'. I personally have been using Shields Up since Gibson created this program & always use this site to check all the computers that I repair or build.

P. MACK
February 23, 2010 9:41 AM

I remember I once had a version of Windows XP that had the firewall defaulted to 'off'. So I turned it on. Immediately I had problems. I couldn't even get onto the net. So I'm thinking, that is a really effective firewall. There is no way I'm going to be spreading viruses, but of course I could get the same effect by shutting the computer off, couldn't I?

Ray Wilkes
February 23, 2010 1:33 PM

When I used Windows OneCare it used to tell me in a monthly report that it had stopped hundreds of intrusions. Once I had a router it reported zero per month! That says something about hardware firewalls. I now use Microsoft Security Essentials which is the quietest AV ever. But in this thread:
it may imply MSE specifically needs Windows Firewall. Perhaps Leo, you could plough through this thread and summarise it. I am certainly convinced it is best to use free security, and now I would choose Microsoft, and spend the money on a router even if I only had one computer.

Florence
February 23, 2010 9:49 PM

I'm kinda new at this stuff but I used to be able to get Pogo games and now I can't. My computer crashed on me and when I got my things back, now I can't get my games. It keeps telling me there is a spyware or something blocking me from opening. Is my firewall stopping me or is my antivirus stopping me?

GrimReaper445
February 25, 2010 12:21 AM

You're happy behind a firewall that doesn't monitor outbound connections?? I find that strange; haven't you ever used or seen a meterpreter session at work using the reverse_tcp payload?

Sandy Smih
February 25, 2010 6:41 PM

I have a Linksys router - And I have Norton 360 which also has a firewall. So how come Norton 360 at the end of every month says it stopped certain incoming threats? Does that mean those threats got through the router firewall as well as Norton's own firewall? Makes me wonder how good my "firewalls" are?

Hard to say with Norton, I'd have to see the specifics of what it blocked. It also could be blocking "threats" (sometimes false positives) from other computers on your network.
Leo
26-Feb-2010

Sandy Smith
February 27, 2010 8:55 PM

Thanks for answering! It is from enabling "Intrusion Prevention" I just got my monthly report from Norton and there were 122 attempts against my computer this month. Here is what Norton said Intrusion Prevention is:

Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures. Attack signatures contain the information that identifies an attacker's attempt to exploit a known operating system or program vulnerability. If the information matches an attack signature, Intrusion Prevention automatically discards the packet and breaks the connection with the computer that sent the data.

Just thought I'd pass it along...

Sandy

senthil
January 21, 2011 9:53 AM

Why should I turn off the firewall? Please tell me the reason.

Please read the article you just commented on. It answers this question.
Leo
26-Dec-2010

Dyan Lee
April 6, 2011 8:12 AM

When my windows 7 firewall is enabled/on, my Web site, which is hosted by a Web hosting company, doesn't go through. When the firewall is disabled, my site works fine. How can I fix this? Should I leave the firewall disabled? Thank you

Unfortunately there are too many variables that you haven't specified - like the web site, the hosting company and what errors result. I'd contact your hosting company for assistance.
Leo
10-Apr-2011

Mukz
January 5, 2012 6:06 AM

If I switch off my Firewall for a few hours, will I be safe from hackers?

Mark J
January 5, 2012 9:15 AM

@Mukz
It depends if you are behind a router. If you are behind a router you are behind a firewall. If not, even a few minutes can be dangerous without a software firewall.
What are these access attempts in my router log?

Johnny
March 7, 2012 12:12 PM

Thanks for detailed explanation. A very useful article !
