Yes. You need a firewall. It’s simply too risky to let your computer sit “naked” on the internet unless you really know what you’re doing.
The good news is, you probably already have one and don’t need to do a thing. Heck, you probably have two.
Become a Patron of Ask Leo! and go ad-free!
A firewall protects you from uninvited outside connections reaching your computer over the internet. This protects you from network-based malware. There are both hardware and software firewalls. Your router acts as a firewall, and the Windows 10 firewall is on by default. Together, they’re probably all you need.
What’s a firewall?
Firewalls defend against a class of network-based threat constantly (yes, constantly) attempting to attack your computer. Those threats are stopped cold by a firewall.
In your car, a firewall is the “wall” of metal between you and the engine. Its purpose is to prevent engine fires from reaching you.
A firewall for your computer is much the same, except the engine — the network you’re connected to — is always on fire. The point of a firewall is to keep you from getting burned.
A firewall protects your computer from network-based threats.
Almost all computers connected directly to the internet are under constant attack. Malware on other machines, hackers, botnets, and more are waging a slow but persistent war, probing to find unpatched vulnerabilities. If they find one, they infect the machine they’ve found, or worse.
The basic concept of a firewall is simple: it filters out certain types of network traffic from ever reaching your computer.
Want and don’t want
Traffic you want to reach your computer:
- Websites pages you visit
- Software you download
- Music you listen to or video you watch
- And more…
Other traffic you definitely don’t want:
- Your neighbor’s machine, infected with a botnet, trying to connect to your machine to spread the infection.
- Overseas hackers trying to gain entry to your machine to steal your personal information.
- And more …
A firewall knows the difference.
Solicited & unsolicited
If you look at the sets of examples above, they differ in one important aspect:
- Things you want are connections you or your computer initiate. At your request, your computer reaches out and asks for the webpages you visit, the software you download, or the music you listen to.
- Things you don’t want are connections from outside trying to come in without being invited.
That’s an easy distinction for a firewall to make.
Two types of firewalls
A router sitting between your computer and the internet is perhaps the best and most cost-effective firewall you can have. It’s a piece of equipment1 connected to both your computer and your internet service.
The router’s job is to “route” data between your computer(s) and the internet. It also allows you to share an internet connection among many devices.
Routers watch for connections initiated by your computer reaching out to resources on the internet. When a connection is made, it keeps track, so when a response comes back, it knows which of your local machines gets the data.
The beneficial side effect is, if an outside computer tries to start a connection, the router doesn’t know which computer to send it to. All it can do is ignore the attempt. That effectively blocks everything on the internet from trying to start a connection to a machine on your local network.
That makes your router a powerful incoming firewall.
Software firewalls are programs your computer runs. They operate as close to the network interface as possible, and monitor all your network traffic.
If you’re not using a router and are connected directly to the internet, all of the network traffic will still technically reach your machine, but the firewall prevents malicious traffic from getting any further. Much like a router, a software firewall prevents the rest of your system from even realizing there is any malicious traffic.
In addition, some software firewalls can be configured to monitor outgoing traffic. If your machine becomes infected and malware attempts to “phone home” by connecting to a malicious site, or tries to infect other machines on your network, a software firewall can warn you and block the attempt.
Windows 102 has a built-in software firewall. It is turned on by default.
The Windows firewall is primarily an incoming-only firewall.
Choosing and setting up a firewall
I recommend using a router as your firewall. Since it’s very likely you already have one, you’re done.
There is disagreement. Some believe an outgoing firewall is important. My position is, an outgoing firewall doesn’t really protect; it notifies after something bad has already happened.
Routers are common, and a requirement for anyone who has more than one device sharing an internet connection — which is all of us.
Software firewalls do make sense in a very important situation: they’re one solution when you can’t trust other computers on your local network. Don’t trust the kids’ ability to keep their computer safe on the internet? Enable the software firewall on your computer. Heading out to the local open WiFi hotspot? Turn on the software firewall before you connect.
If you’re running a reasonably current version of Windows, the firewall is probably on, and it’s fine to leave it on all the time, even if you’re behind a router. It has little impact and saves you from remembering to turn it on when you travel or have not-so-trustworthy guest on your network.
That’s why I said earlier you might have two firewalls already: your router and your Windows firewall. And that’s quite OK.
What firewalls can’t do
It’s important to remember that a firewall can’t protect you from everything.
A firewall protects you from threats arriving via malicious connection attempts from elsewhere on the internet. A firewall will not protect you from things you invite onto your machine yourself, such as email, attachments, downloads, and removable hard drives or flash drives.
Nonetheless, protection from network attacks remains critically important.
Footnotes & References
1: It may be combined with a modem, which converts your internet connection’s technology into an ethernet connection, and/or with a wireless access point, giving you Wi-Fi connectivity. Or these may be three separate devices.
2: And Windows 7, and 8, and 8.1. I believe in Vista and prior you needed to enable the firewall yourself.