Helping people with computers... one answer at a time.
A firewall is critical to keeping your internet-connected computer safe. We'll review what a firewall is and the two different types of firewalls.
I keep hearing the term 'firewall' and how I need one when I connect my computer to the internet. What's a firewall, why do I need one, and how do I set one up?
Many types of viruses and other types of malware can be prevented simply by using a good firewall.
In your car, a firewall is the "wall" of metal between you and the engine. Its purpose is to prevent engine fires from reaching you.
A firewall for your computer is much the same - the point is to keep you from getting burned.
Let's look at the two common types of firewall.
A firewall fundamentally protects your computer from network-based threats.
Almost all computers on the internet are under constant attack. Malware on other machines, hackers, bot-nets, and more are waging a slow but extremely persistent war, checking for any unprotected vulnerabilities on other internet-connected computers. If they find such a vulnerability, they then infect the machine that they've found or worse.
The basic concept of a firewall is very simple: it blocks or filters certain types of network traffic from ever reaching your computer.
Traffic that you want to reach your computer:
Websites pages that you visit
Software that you download
Music or videos that you might watch
Other traffic that you definitely don't want:
Your neighbor's machine infected with a botnet trying to connect to your machine over the network to spread the infection.
Overseas hackers trying to gain entry to your machine over the network to steal your personal information.
And more ...
A firewall knows the difference.
A router sitting between your computer and the internet is one of the most effective and cost-effective firewalls that the average computer use can have.
The router's job is to "route" data between the computers on your local area network and the internet.
Routers also allow you to share an internet connection by what's called "Network Address Translation". As it's more commonly referred to, NAT "translates" between your internet-facing IP address and the local IP addresses that have been assigned to your local machines by the router.
Routers then watch for connections initiated by your computer to resources out on the internet. When a connection is made, the router keeps track so that when a response comes back on that connection, it knows which of your local machines to send the data to.
The side effect is that if an outside computer tries to start a connection, the router doesn't know which computer to send it to. All it can do is ignore the attempt.
That effectively blocks everything on the internet from trying to start a connection to a machine on your local network.
And that makes your router a powerful incoming firewall.
Your router will not, however, filter outgoing traffic.
Software firewalls are programs that you install on your computer. They operate at a very low level - as close to the network interface as possible - and monitor all your network traffic. While all of the network traffic still technically reaches your machine, the firewall prevents malicious traffic from getting any further. Much like a router, a software firewall prevents the rest of your system from even realizing that there is any malicious traffic.
In addition, some software firewalls can often be configured to monitor outgoing traffic. If your machine becomes infected and some malware attempts to "phone home" by connecting to a known malicious site or tries to infect other machines on your network, a software firewall can often warn you and block the attempt.
All versions of Windows after XP have a software firewall built in and all versions after Windows XP SP2 have it turned on by default. Windows may even annoy you into ensuring that the firewall is either turned on or that you're aware of the risks in not having it turned on.
The Windows firewall is primarily an incoming-only firewall.
In general, I recommend using a broadband router as your firewall.
There is disagreement as some believe that an outgoing firewall is important. My position is that an outgoing firewall doesn't really protect, but it simply notifies after something bad has happened.
Routers are pretty common and nearly a requirement for anyone who has more than one computer sharing an internet connection. If you have a NAT router, you have a firewall without needing to burden each computer with additional software.
Software firewalls do make sense in a very important situation:
Software firewalls are critical when you can't trust other computers on your local network.
Don't trust the kids' ability to keep their computer safe from? Enable the software firewall on your computer.
Heading out to the local open WiFi hotspot? Turn on the Windows firewall immediately.
In later versions of Windows, the built-in firewall has matured to the point where it's actually quite reasonable to leave it on all the time, even if you're behind a router. It seems to impact operations very little and saves you from remembering to turn it on when you travel or have that not-so-trustworthy guest on your network.
The bad news is that a firewall can't protect you from everything. A firewall is focused on protecting you from threats that arrive via malicious connection attempts over the network. A firewall will not protect you from things that you invite onto your machine yourself, such as email, attachments, downloads, and removable hard drives.
Nonetheless, protecting from network remains critically important.
(This is an update to an article originally published May 14, 2004 and updated September 26, 2009.)