Zone Alarm is a popular firewall you install on your machine. If you also have a NAT router you may - or may not - need a firewall such as Zone Alarm.
I have a WinXP Pro PC behind a NAT router and am getting tired of Zone Alarm to the point where I think Zone Alarm is creating more problems than it solves. Some have suggested that I do not need a software firewall as long as I practice safe computing. Do you agree? And can you recommend a different free software firewall solution just to satisfy my paranoia?
As you've seen, there are differing opinions on this. In reality it does, indeed, depend on how you use your system and how "safe" your safe computing really is.
It's also important to understand that there are a few things that a software firewall like Zone Alarm can do that NAT routers typically don't.
Let me tell you what I do, and you can draw your own conclusions.
My home network lives behind a NAT router, and my machines at home do not have a firewall installed, other than Windows XP's built-in firewall - which is turned off.
You can easily see which way I lean on this particular issue.
I have a complete suite of security tools in place, including anti-virus, anti-spyware, automatic updates, backups and the like. Both my wife and I religiously practice "safe computing" - we're both good at identifying suspicious attachments, for example, and don't download things that might be dangerous (or if we do, we do so in a very controlled manner).
The result is that over many years we've never experienced a virus or significant spyware infection or related issue. That's not to say it won't happen some day, but so far what we have, and do, has proven to be quite adequate.
Note, though, that I said "at home". On occasion I do take my laptop out and connect to other networks - networks such as public hotspots, or networks over which I have no control and very little knowledge. In these cases I enable the Windows firewall.
There are important differences to note between NAT routers and firewalls such as Zone Alarm.
A NAT router, for example, can only prevent attempts to access your computer from outside of your LAN. That means that any problems already within your LAN are not abated, or detected, by the router. If you have an infected machine within your LAN behind your router, it can easily infect all the other machines on your LAN. If your machine is infected and connecting to the internet in unexpected ways, a router will not detect, or stop, it.
That's why there's such a big emphasis on whether you practice safe computing. If you avoid all of the other ways that viruses and spyware can arrive on your system (email and web downloads being the worst), then a NAT router will do its part in preventing network-based attacks.
A software firewall running on each machine is naturally going to protect against many types of problems regardless of where they come from: other machines on your local network, or the internet. Now, like a NAT router, a software firewall cannot prevent infections from internet downloads and email attachments. However, unlike a router, a software firewall can detect, and prevent, certain types of bad behavior - like a virus on your machine attempting to spread to others.
This "outbound" protection is both a blessing and a curse. The most common complaint that I get about Zone Alarm and similar products is that it alerts too often, and for benign and valid access of the internet. That's unfortunate, because when it alerts too often for all these "false positives", people start ignoring the alerts, or turn off the feature completely. When a real problem happens they're unable to distinguish it from the noise, and frequently ignore that as well.
Fortunately, I don't believe that's a terribly common situation, but it is annoying when it happens.
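To make the difference described above concrete, here is an added example (not part of the original article) that models which traffic a NAT router sees and blocks compared with a firewall running on each machine. It assumes a port-restricted NAT; the addresses, ports and program names are constructed samples.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")      # assumed home LAN range (constructed)

class NatRouter:
    """Port-restricted NAT: inbound is forwarded only as a reply to a mapping."""
    def __init__(self):
        self.mappings = {}               # public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.next_port = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        # Any LAN host may open a connection; the router cannot tell which program asked.
        port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[port] = (lan_ip, lan_port, remote_ip, remote_port)
        return port

    def inbound(self, remote_ip, remote_port, public_port):
        m = self.mappings.get(public_port)
        if m and m[2:] == (remote_ip, remote_port):
            return ("forward", m[0], m[1])
        return ("drop", None, None)      # unsolicited: no mapping, nowhere to send it

class HostFirewall:
    """Per-machine firewall: sees LAN peers and the program behind each connection."""
    def __init__(self, allowed_programs, open_ports=()):
        self.allowed, self.open_ports, self.alerts = set(allowed_programs), set(open_ports), []

    def inbound(self, src_ip, dport):
        # Applies to every sender, whether on the internet or on the same LAN.
        return "allow" if dport in self.open_ports else "drop"

    def outbound(self, program, remote_ip, remote_port):
        if program in self.allowed:
            return "allow"
        self.alerts.append((program, remote_ip, remote_port))
        return "prompt"                  # the alert the user must then judge

def crosses_router(src_ip, dst_ip):
    """LAN-to-LAN traffic is switched locally and never reaches the NAT logic."""
    return not (ip_address(src_ip) in LAN and ip_address(dst_ip) in LAN)

def run_scenario():
    router, fw = NatRouter(), HostFirewall({"browser.exe"})
    pc, peer, web, mail = "192.168.1.10", "192.168.1.20", "198.51.100.7", "198.51.100.25"
    p = router.outbound(pc, 50000, web, 80)
    return {
        "internet probe of public port 445": router.inbound("203.0.113.99", 4444, 445)[0],
        "reply to the browser's request": router.inbound(web, 80, p)[0],
        "infected LAN peer reaches router?": crosses_router(peer, pc),
        "infected LAN peer vs host firewall": fw.inbound(peer, 445),
        "unknown program, router view": router.inbound(mail, 25, router.outbound(pc, 50001, mail, 25))[0],
        "unknown program, host firewall view": fw.outbound("unknown.exe", mail, 25),
    }
```

The last two entries show the trade-off: the router forwards replies for a connection opened by any program, while the per-machine firewall raises a prompt for a program it has not been told to allow.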
Now given your dislike of Zone Alarm, here's the kicker ... there are many free software firewalls (just search Google for "free firewall") - but the one that seems to fairly consistently bubble to the top of people's recommendations appears to be: Zone Alarm. Since I don't use one myself, I rely on those recommendations instead to guide people - but if you're not happy with Zone Alarm, there are many alternatives to try as well.
But personally, I'm quite happy with my NAT router, the Windows built-in firewall as needed ... and a little common sense.
Article C2771 - August 27, 2006
June 6, 2007 8:39 PM
Hmmm, one thing I don't like about zonealarm is that when I start up Pangya, during that time it shows up the box then my Pangya hangs or can't login at all. Normally I would shut down zonealarm when I'm playing online, save the trouble of restarting my pc again.. -.-;
January 16, 2008 6:32 AM
It's a constant debate whether a router performing NAT is just enough. From what I've heard and read, a software firewall will add an extra layer of protection, and block outbound traffic, your router is just going to do what comes in. Not what goes out. Overall, reading about firewalls and security I find very interesting. Windows Firewall at least in XP, lacks outbound protection. This is one of the cons of it. I've used ZA, Sygate, and one other firewall and ZA I've found myself coming back time and time again. It's easy to use and configure, and effective. You can get rid of the nagging alerts if you go to the alerts tab and choose off, program alerts will still be displayed. I admit ZA has gotten more bloated. It works well though and I highly recommend it. If your router does SPI, that's extra protection, again--no outbound protection on your router though. ZA free version is very configurable and you can get rid of the nagging alerts if you know how to press the correct buttons.
January 20, 2008 4:29 PM
The problem with outbound protection is that when it traps
something real, it's too late - you've got outbound bad
traffic because there's something bad on your machine. If
you don't have malware on your machine, then the outbound
warnings are just so much noise (that often serve to mask
anything valid that might come up anyway).
IMO inbound-only firewalls - particularly NAT routers - are
the way to go.
Leo
January 15, 2009 10:26 AM
I've had nothing but problems using software firewalls such as both the free zone alarm and the pay-for zone alarm pro, norton's firewall, sygate's firewall. I've done lots of port scanning using all those previously mentioned software firewalls and found that 1 or more of my ports were showing up as being closed which is not good. You actually want your ports to be a ghost...to be stealthed out like a black hole. I use NetGear's WGR614 v7 router alongside those previously mentioned firewalls such as norton and zone alarm and again I say the ports were closed. I had lots of problems with zone alarm and norton. I then removed them and decided to try Windows XP's own firewall with my netgear router and found during the port scanning that my ports were now being shown as fully stealthed. I quit having problems using the combination of a netgear router and windows firewall. Scan your ports at https://www.grc.com/x/ne.dll?bh0bkyd2
November 25, 2009 12:41 PM
I removed Zonealarm because I thought my router would be all the protection I'd need. I ended up with a virus that e-mailed itself to EVERYONE in my address book, without my knowledge. Zonealarm would have caught this activity right away, and I'd have been able to deal with the infection before it had a chance to harass my contacts.
To this day, the guys at work have nick-named me "VirusBoy"...