Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

So do I need the Windows Firewall or not?

Question:

I’m really confused. With the new Windows XP SP2 Security Alert
System, do we still need a firewall to stop outbound traffic? If we get a
router, (LINKSYS), does that take care of everything, which means we need to
disable Windows Firewall to avoid false alarms?

There’s a lot of misunderstanding about firewalls, routers, and other
security software. When Windows XP service pack two was released it definitely
put security and particularly the firewall, “in your face”. Subsequent releases
of Windows now also include the firewall and turn it on by default.

It’s a great opportunity to find out what you need … and what you
don’t need.

]]>

A firewall filters network traffic. A previous article “What’s a firewall, and how do I set one up?” covers this in more detail, but the bottom line is that a firewall primarily protects you from certain classes of incoming network-based problems.

“If you’re not behind a router or other firewall, you’ll want to turn on the Windows firewall.”

Every computer should be behind a firewall of some sort.

In general, hardware firewalls, typically provided by NAT routers, keep malicious network traffic from ever reaching your computer, whereas software firewalls, such as the Windows Firewall, discard malicious traffic after it has actually arrived at your computer.

But you don’t need both.

If you have a router with network address translation, or NAT, enabled (most consumer grade routers do, by default) then there’s no need to enable the Windows firewall. In fact, you can tell the new Windows Security Center that you’ll manage your firewall yourself.

If you’re not behind a router or other firewall, you’ll at least want to turn on the Windows firewall. This is what I do when I take my laptop with me on the road – not being sure of exactly what I’m connecting to, the firewall protects me from network based threats.

Now, one word in the original question is worth a comment: “outbound”.

Consumer grade routers will keep you safe from threats that are incoming from the network, but will not filter or warn you of any malware already on your machine attempting to connect out. The Windows firewall has a limited amount of outbound traffic alerts, and other software firewalls that you can install separately to use instead of the Windows Firewall can be configured with a wide array of outgoing protection.

There’s a wide variety of opinion on this, but personally, I’m quite happy simply behind a router and with no outgoing threat monitoring.

But regardless, you do need a firewall; be it an external router, a software package that you install, or at a minimum simply enabling the Windows Firewall already present on your machine.

(This is an update to an article originally published in September of 2004.)

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

42 comments on “So do I need the Windows Firewall or not?”

  1. Dear Leo:

    Thanks for the great info. Now I have a better understanding of what a router and Windows XP Firewall will and will not do.

    Armed with this information, I will now activiate my new Wireless-G Broadband Router (802.11g) and disable my Windows Firewall. Or, as you stated…(notify Windows Security that I will manage my own firewall).

    I will add Zone Alarm for Outbound protection, as there are always programs, at one time or another, asking for Internet Connection.

    Once again, thank you for taking the time to shed some light on this problem…I hope it will help others that have had the same questions, but didn’t know who to ask.

    It couldn’t get any clearer than this!!!

    Reply
  2. Please don’t install ALARMinglyunfriendlysoftware like ZoneALARM. Instead use either the free Outpost or Outpost Pro from agnitum

    http://agnitum.com

    Unlike ZoneAlarm, if you decide you uninstall Outpost you will be able to try other firewall packages, and your operating system will continue to function as you would expect.

    Reply
  3. The problem with not having a firewall enabled on machines behind a hardware firewall is this leads to what’s called M&M security – a hard crunchy outside, but a soft, chewy inside.

    If someone gets behind your hardware firewall with an infected machine, then your entire network is vulnerable. This isn’t a big deal if you’ve got one machine on a DSL connection – the hardware firewall does a great job of handling this.

    On the other hand if you’ve got a wireless network (especially an unprotected wireless network), anyone bringing an infected machine near your wireless network might compromise the machines behind the firewall.

    So Leo’s comment is totally accurate for 90% of the users out there. But the caveats will bite you if you’re not careful.

    Reply
  4. This is the same advice that I give out with the addition of the fact that I favor actually purchasing a router with NAT protection, than purchasing firewall software. Of course this applies to broadband users but the benifit is that for a little added expense you get far superior protection that never needs updating, and has absolutely no effect on your computers performance.
    A software firewall will after a while begin to slow your system since it has to activly remember every connection that is “allowed” on the PC and block those that aren’t allowed in addition monitoring the connection for common threats. This uses a lot of system resources.
    NAT (Network Address Translation) simply hides your computer from the network making it invulnerable from attack. Worth every penny. I’ve even suggested to Linksys that they manufacture and market standalone NAT devices that people can install between their DSL modem and phone line connection. They would rake it in!

    Reply
  5. As someone on the front lines of dealing with the influx of Spyware/Malware. You can’t do enough in protecting your system from these old and new threats, especially if you have a DSL/Broadband connection. You can become infected by just going to a wrong website. I recommend a Nat based Firewall, Norton Internet Security 2005 and Spysweeper (It will catch the spyware ) and make sure you enable the popup blocker in IE (WinXP sp2 installs one in IE )oh and last but not least Keep Windows XP updated through Windows Update. Happy Surfing.

    Reply
  6. Hi,
    I have a befsr41 Linksys router, avg anti virus updated daily, spybot, adaware, spywareblaster and system mechanic. Do I need to download sp2 at all?? I have been able to kill and or block all viruses, trojans, worms, and spyware for 1 year with current updates of all defensive utilities. Isn’t that enough? Or must I get sp2 so I can be ready for receiving further , later on updates that may need sp2 to be installed? Thank you,
    Sincerely,
    Miles

    Reply
  7. Sounds like you really have your act together, that’s great.

    A couple of things: SP2 has more fixes than just the security stuff that is getting all the press. And, as you’ve already guessed, it’s likely that some future updates, or even some future applications, will require SP2 already be installed.

    But given your track record, I’d be ok waiting to install it until you actually ran across a need.

    Reply
  8. I would like to add that a good dose of common sense will protect you too. Having credit card numbers, social security numbers, ect. laying around on your PC is not very smart. Spyware looks through your computer the same way people look through your garbage. Keeping it void of critical personal data is the 100% way of preventing theft.

    Reply
  9. I HAVE WINDOWS XP SERVICE PACK 2,I HAVE NORTON INTERNET SECURITY,WHEN I TURN MY NORTON INTERNET SECURITY ON I AM NOT ABLE TO GET ON THE INTERNET.IS IT OK TO JUST HAVE MY FIREWALL IN THE XP SERVICE PACK 2 ON OR SHOULD I HAVE BOTH OF THEM ON,IS THEIR A WAY I CAN HAVE BOTH OF THEM ON.PLEASE REPLY A.S.A.P.

    Reply
  10. For most users, I recommend both a hardware (router) and software firewall, especially if you have kids. WinXP SP2 works great. If you don’t have WinXP use Sygate, it also works very well. I also recommend not using Outlook or Outlook Express, because they execute code unwillingly. Use Eudora or another free email client and don’t use Internet Explorer, but using something like Firefox. The more of these you change to, the least likely you are to get malicous spyware and viruses.

    Reply
  11. I agree with pretty much everything you’ve said, but one clarification: current versions of Outlook and Outlook express do not execute code “unwillingly” by default. The standard behaviour is actually pretty safe these days.

    Reply
  12. In my humble opinion if you are behind a router then a software firewall is more hassle than it is worth. Why? Because no software can distinguish between connections you want to make and connections you don’t. Sure you can configure it, but you can’t for every eventuality. And yeah it offers a dialog box asking you to allow or deny connection requests, but I would bet that most people simply select the same option every time, whichever they feel more comfortable with, without understanding what made the request and why it was made.

    My tact is to install spy ware and virus removers. If you can trust all the software on your computer then there is no reason to ever ‘deny’ any outbound connections. Prevention is better than the cure, right?

    Reply
  13. hi i have windows xp from about a year ago and just had to reinstall. I was just wondering is sp2 necessary and if so how should i get it. I dont have the disc, and ive downloaded it off the internet but i think ive picked something up both times ive tried it.(my computer takes forever to shut off after downloading it twice now)I dont know if theres a safe place to get it. can i just do my automatic updates and get it that way.

    Reply
  14. I don’t believe it CAN be uninstalled. You can go to the security center in Control Panel to turn it on, if it was simply turned off.

    Reply
  15. If you are using a router with NAT(Network Address Translation)enabled then you do not need a software firewall. This is because any potential hacker ‘probing’ your network will only ‘see’ the router which, of course, does not hold any valuable information. NAT allows the router to change the ip address header of any data packets sent from your p.c. Instead of the ip address of your p.c. the packet is sent out with the ip address of the router itself. Therefore when a hacker ‘probes’ your network looking for a reply from your p.c. all he gets is a reply from the router. In effect your p.c. is ‘hidden’ behind the router.
    If your p.c. is not behind a router then you most definately DO need a software firewall. However, if you do use a NAT enabled router then software firewalls are not necessary.

    Reply
  16. This comment is for Edward who asked if it is safe to download from Limewire. It’s safe just make sure you have a good antivirus program and you scan everything you download before you run it. Be extra careful if you download software because a large percentage of the software downloads on Limewire are viruses, worms or trojans.

    Reply
  17. I believe running a software firewall remains prudent even behind a NAT Router. This is particularly true if you let (either deliberately or accidentally) untrusted machines onto your network. Once an untrusted machine is on your network they can infect you directly and you (and the NAT Router) will never know it happened.

    There are many ways that this can happen…

    1. The majority of casual computer users do not know how to secure a wireless network and an unsecured wireless network is an open invitation for unwanted guests. (At my previous home I could see three unsecured networks that remained unsecured even after repeated offers to help them get secure).

    2. Perhaps you invite guests onto your network, e.g. friends for LAN gaming.

    3. You have untrustworthy users with their own machines on your network, for example, teenagers who P2P and lack the skills to prevent ‘accidents’.

    4. Even a skilled user can be caught out if they offer to ‘fix’ a friends computer and connect it to their LAN without thinking.

    5. A mobile machine may pick up an infection elsewhere and bring it home to behind the NAT Router.

    etc.

    Reply
  18. If your Notebook or Desktop Computer contains or is “likely” to have a Wireless Card connected to it (With USB ports I would say this is Mandatory), you do need a good Software Firewall to stop possible Wireless Intrusion directly into your LAN.

    A Router ***will not Block*** this traffic!

    Reply
  19. Is there a way to make the software firewall of my laptop automaticaly activate when using other/public network(ie: not on home network) AND deactivate when I’m on my home network(has a router and I trust my LAN) ?

    Reply
  20. Yes, i have installed sp2 on my computer, ever since then i have had troube with my boot up. I dont know what has caused this, cause i have reinstalled windows xp before no problem with sp2, but now i am having boot up problems. And i am unable to use my zone alarm without this sp2. Is there any other firewalls i can use other zone alarm without having to use sp2???

    Reply
  21. I have windows firewall enabled on my laptop. I also have Mcafee anti virus installed which also has firewall enabled. I was told that more than 1 firewall can conflict with each other. Which one do I need or is preferred?

    Typically the when you get an additional firewall the Windows built-in firewall is the first one you turn off.

    – Leo
    18-Nov-2008
    Reply
  22. I have many, many years of IT experience starting with Rand and my watch word is
    “Better Safe than Sorry” So even though a user may be behind a hardware firewall I always recommend enabling the XP firewall + a good anti-virus application and an antiMalware add-in

    Reply
  23. Excellent topic & extremely important.

    I use my Wireless Router’s Firewall & have been since I got it, in 2006. I also, use aVast! Free Version Anti-Virus program. Between the both, I have been quite ‘secure’. I also use CCleaner, as well as IOBit’s Advanced SystemCare Pro, to ‘clean up’ Internet surfings. I don’t use Windows Firewall anymore, because I found that it interfered with my router’s firewall, right from the start. Sometimes, having too much of the same thing, is not good for your computer. One very good Firewall and One very good Anti-Virus program is more important, than a slew of them.

    Do I get infected? On occasion, something will try to come through in my emails, but aVast! does stop them. Yes, even the Free Version stops them, plus it updates automatically, when new data comes in. The Free Version also, checks all of my downloads, to make sure they are virus, Trojan horse, so on and so forth, free.

    I also, periodically check at http://www.grc.com & use Gibson’s Shields Up program, to check that my first 1056 Port Settings are ‘Stealth’. I personally have been using Shields Up since Gibson created this program & always use this site to check all the computers that I repair or build.

    Reply
  24. I remember I once had a version of Windows XP that
    had the firewall defauled to ‘off’. So I turned it on. Immediately I had problems. I couldn’t even get onto the net. So I’m thinking, that is a really effective firewall. There is no way I’m going to be spreading viruses but of course I could get the same effect by shutting the computer off couldn’t I?

    Reply
  25. When I used Windows OneCare it used to tell me in a monthly report that it had stopped hundreds of intrusions. Once I had a router it reported zero per month! That says something about hardware firewalls. I now use Micrsoft Security Essentials which is the quietist AV ever. But in this thread:
    it may imply MSE specificallyneeds Windows Firewall . Perhaps Leo, you could plough through this thread and summarise it. I am certainly convinced it is best to use free security, and now I would choose Microsoft, and spend the money on a router even if I only had one computer.

    Reply
  26. I’m kinda new at this stuff but I used to be able to get pogo games and now I cant. My computer crashed on me and when I got my things back, now I cant get my games. ait keeps telling me there is a spyware or some thing blocking me from opening. Is my firewall stoping me or is my antivirus stoping me?

    Reply
  27. Your happy behind a firewall that doesn’t monitor outbound connections?? I find that strange, haven’t you ever used or seen a meterpreter session at work using the reverse_tcp payload?

    Reply
  28. I have a Linksys router – And I have Norton 360 which also has a firewall. So how come Norton 360 at the end of every month says it stopped certain incoming threats? Does that mean those threats got through the router firewall as well as Norton’s own firewall? Makes me wonder how good my “firewalls” are?

    Hard to say with Norton, I’d have to see the specifics of what it blocked. It also could be blocking “threats” (sometimes false positives) from other computers on your network.

    Leo
    26-Feb-2010

    Reply
  29. Thanks for answering! It is from enabling “Intrusion Prevention” I just got my monthly report from Norton and there were 122 attempts against my computer this month. Here is what Norton said Intrusion Prevention is:

    Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures. Attack signatures contain the information that identifies an attacker’s attempt to exploit a known operating system or program vulnerability. If the information matches an attack signature, Intrusion Prevention automatically discards the packet and breaks the connection with the computer that sent the data.

    Just thought I’d pass it along…

    Sandy

    Reply
  30. why i should turn off the fire wall … pls tell me reson

    Please read the article you just commented on. It answers this question.

    Leo
    26-Dec-2010

    Reply
  31. When my windows 7 firewall is enabled/on, my Web site, which is hosted by a Web hosting company, doesn’t go through. When the firewall is disabled, my site works fine. How can I fix this? Should I leave the firewall disabled? Thank you

    Unfortunately there are too many variables that you haven’t specified – like the web site, the hosting company and what errors result. I’d contact your hosting company for assistance.

    Leo
    10-Apr-2011

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.