Zone Alarm firewall: do I need it if I'm behind a NAT router?

Question:

I have a WinXP Pro PC behind a NAT router and am getting tired of Zone Alarm
to the point where I think Zone Alarm is creating more problems than it solves.
Some have suggested that I do not need a software firewall as long as I
practice safe computing. Do you agree? And can you recommend a different free
software firewall solution just to satisfy my paranoia?

As you've seen, there are differing opinions on this. In reality it does,
indeed, depend on how you use your system and how "safe" your safe computing
really is.

It's also important to understand that there are a few things that a
software firewall like Zone Alarm can do that NAT routers typically don't.

Let me tell you what I do, and you can draw your own conclusions.

My home network lives behind a NAT router, and my machines at home do not
have a firewall installed, other than Windows XP's built-in firewall - which is
turned off.

You can easily see which way I lean on this particular issue.

I have a complete suite of security tools in place, including anti-virus,
anti-spyware, automatic updates, backups and the like. Both my wife and I
religiously practice "safe computing" - we're both good at identifying
suspicious attachments, for example, and don't download things that might be
dangerous (or if we do, we do so in a very controlled manner).

The result is that over many years we've never experienced a virus or
significant spyware infection or related issue. That's not to say it won't
happen some day, but so far what we have, and do, has proven to be quite
adequate.

Note, though, that I said "at home". On occasion I do take my laptop out and
connect to other networks - networks such as public hotspots, or networks over
which I have no control and very little knowledge. In these cases I enable the
Windows firewall.

There are important differences to note between NAT routers and firewalls
such as Zone Alarm.

A NAT router, for example, can only prevent attempts to access your computer
from outside of your LAN. That means that any problems already within your LAN
are not abated, or detected, by the router. If you have an infected machine
within your LAN behind your router, it can easily infect all the other machines
on your LAN. If your machine is infected and connecting to the internet in
unexpected ways, a router will not detect or stop it.

That's why there is a big emphasis on "if" you practice safe computing. If
you avoid all of the other ways that viruses and spyware can arrive on your
system (email and web downloads being the worst), then a NAT router will do its
part in preventing network based attacks.

A software firewall running on each machine is naturally going to protect
against many types of problems regardless of where they come from: other
machines on your local network, or the internet. Now, like a NAT router, a
software firewall cannot prevent infections from internet downloads
and email attachments. However, unlike a router, a software firewall
can detect, and prevent, certain types of bad behavior - like a virus on your
machine attempting to spread to others.
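
The distinction drawn above, as an added toy model in Python (not from the original article): a NAT router forwards inbound packets only as replies to connections a LAN machine opened, forwards every outbound connection, and never sees LAN-to-LAN traffic, while a firewall on each machine checks all three. The class names, addresses and program names are constructed for illustration, and matching replies on remote address alone is a simplifying assumption.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    next_port: int = 40000
    # public port -> (LAN ip, LAN port, remote ip) for each outbound flow seen
    table: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN host connects out: always allowed, and a mapping is recorded."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (lan_ip, lan_port, remote)
        return port

    def inbound(self, remote, public_port):
        """Internet packet arrives: forwarded only if it answers a mapping."""
        entry = self.table.get(public_port)
        if entry and entry[2] == remote:
            return entry[0]          # delivered to this LAN host
        return None                  # unsolicited: dropped

@dataclass
class HostFirewall:
    allowed_programs: set            # programs the user approved for outbound use

    def inbound(self, src_ip, solicited=False):
        return solicited             # unsolicited connections blocked, LAN or not

    def outbound(self, program):
        return program in self.allowed_programs

def scenario():
    router = NatRouter()
    fw = HostFirewall(allowed_programs={"browser.exe"})
    r = {}
    # 1. Internet host probes the router with no prior outbound connection.
    r["internet_probe_via_nat"] = router.inbound("203.0.113.9", 445)
    # 2. Infected LAN neighbour connects to this machine: the packet stays on
    #    the LAN, so the router is never consulted; the host firewall decides.
    r["lan_attack_host_fw"] = fw.inbound("192.168.1.23")
    # 3. Malware on this machine connects out: NAT maps it like any other flow
    #    and then delivers the replies...
    port = router.outbound("192.168.1.10", 1055, "198.51.100.7")
    r["malware_out_via_nat"] = port is not None
    r["malware_reply_via_nat"] = router.inbound("198.51.100.7", port)
    # ...whereas the host firewall's per-program rule refuses it.
    r["malware_out_host_fw"] = fw.outbound("mailer_worm.exe")
    r["browser_out_host_fw"] = fw.outbound("browser.exe")
    return r

if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```
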

This "outbound" protection is both a blessing and a curse. The most common
complaint that I get about Zone Alarm and similar products is that it alerts
too often, and for benign and valid access of the internet. That's unfortunate,
because when it alerts too often for all these "false positives", people start
ignoring the alerts, or turn off the feature completely. When a real problem
happens they're unable to distinguish it from the noise, and frequently ignore
that as well.

Fortunately, I don't believe that's a terribly common situation, but it is
annoying when it happens.

Now given your dislike of Zone Alarm, here's the kicker ... there are many
free software firewalls (just search Google for "free firewall") - but the one that seems to
fairly consistently bubble to the top of people's recommendations appears to
be: Zone Alarm. Since I don't use one myself, I rely on those recommendations
instead to guide people - but if you're not happy with Zone Alarm, there are
many alternatives to try as well.

But personally, I'm quite happy with my NAT router, the Windows built-in
firewall as needed ... and a little common sense.

15 comments on “Zone Alarm firewall: do I need it if I'm behind a NAT router?”

  1. If you are looking for a good and free Firewall (the free version has some minor features disabled though), you should try Sunbelt Kerio Personal Firewall.

    I used Zone Alarm before, but Kerio offers a better user-experience IMHO.

    Also note that, like Zone Alarm, it blocks network access in both directions. The XP-firewall lacks that feature IIRC.

  2. If you’re getting too many alerts from Zone Alarm, tick the “remember my answer” box before Accepting/Denying. Also, in the ZA Control Centre, “Alerts & Logs”, set to OFF (Do not show any informational alerts).

  3. I love Zone Alarm. It asks you to OK a lot of programs, etc., at first. But after using it awhile, it only has to ask you whether you want to accept or reject files that would otherwise be sent to you from sites without your knowledge that they are being sent.

    This is very valuable.

    I almost always refuse to accept anything that I am not certain will not hurt my computer. If what I want to view at the site I am visiting will not display because it NEEDED the material that I decided not to accept, I realize what has happened, and I go back to the spot where the program will resend the needed file or files, and this time I accept them.

    Zone Alarm is great and has saved me many major headaches.

    Fred Howard

  4. I have zone alarm pro version 4.0123.012. I have certain problems as follows: Whenever a program tries to access the internet, I get an alert asking my permission. I usually check off a box asking it to remember my answer. Recently it began to “forget” and ask me for certain programs over and over. Then it got real bad and the whole database erased each reboot. I did a search and on a user forum was told to reboot and delete certain files. Then reinstall the program in safe mode. The reason was that these files were likely corrupted. I did this, and it’s a lot better, but it still forgets some, but not all programs. This is liveable, but annoying.

    Michael J. Yaros

  5. 1. Well as first, regarding the other free firewall alternatives beside Zone Alarm (and beside the mentioned Sunbelt Kerio Personal firewall), I would also recommend trying the Sygate firewall. Oh and btw. I also used Kerio firewall back then for some time, but it was still the old “non-Sunbelt” version.

    2. As second, regarding the “outbound protection”; you see, many people argue (especially on Ars Technica forum that I frequently visit/participate on it) that the outbound traffic monitoring firewalls are more or less useless, since once the malware is on your computer you are already owned and that the malware could in turn turn-off your firewall and disable the Windows “Security Center” altogether. If you want to, see the recent “Do we need an outbound traffic monitoring firewall ??” thread: http://www.castlecops.com/postitle165221-0-0-.html that I opened on CastleCops forum about this.

    3. And as third, regarding the Zone Alarm that doesn’t remember the setting for a particular program (btw., I don’t use the program anymore); in my opinion one of the reasons might be that the program is launched from different locations (for instance TEMP sub-directories), and the other one being the possibility that the “database” was corrupted (as already mentioned by the poster above), which actually doesn’t occur so rarely at all in Zone Alarm’s case. If I recall correctly the “database” is a common .xml file (or two .xml files) that you need to delete along with logs’ folder, and after that reboot to start “fresh”.

    P.S. — I would also recommend searching Zonelabs site for older non-bloated versions of Zone Alarm firewall that were certainly more resources-friendly and stable in general !!

    ________

    best regards,
    Ivan Tadej, Slovenija, EU
    http://www.tadej-ivan.be/

  6. I learned the hard way that Zone Alarm could NOT be overwritten (address redirected),(by malware, etc.). Norton can. I have nothing but praise for my Zone Alarm free firewall. Sure, it has its quirks but for a lower level computer user like me, well, it’s worth its weight in gold. VIC
  7. In my co. there are 50 comps, all having Win2000 and WinXP. The problem is when we access a programm2 from the data server: it is a database programme and all the machines are accessing it from the data server, and when we access it, it’s running very slow. What could be the problem? Please help me, it is urgent.

    thanks

    sanjay

  8. Ask Leo is an excellent help. Regarding Zone Alarm, I have been using it for years and have had no problems. I recently went wireless and have a 192..168 address when I look at the DOS prompt as suggested. Ian Gizmo Richards has recently said he is going to change over to Comodo Firewall early 2007. This is a free programme and comes well recommended; a friend of mine who is very particular and a born sceptic recommends it highly as well. I would think that Gizmo’s recommendation alone should carry a lot of weight, as, like Leo, he is ultra well experienced and informed. Hope this helps.
  9. Ask Leo ….. great site. I have a router and I use ZoneAlarm Pro. As my ZA is up for renewal I might well not bother. Trouble is it’s the paranoia that kicks in. I can’t see my hardware firewall so does it really work ? !! I even disabled my ZA and went to grc.com and ran the LeakTest ….. guess what …. my firewall was penetrated !! Looks like ZA free might get my vote or maybe Comodo ;)
  10. Hmmm, one thing I don’t like about zonealarm is that when I start up Pangya, during that time it shows up the box then my Pangya hangs or can’t login at all. Normally I would shut down zonealarm when I’m playing online, save the trouble of restarting my pc again.. -.-;
  11. It’s a constant debate whether a router performing NAT is just enough. From what I’ve heard and read, a software firewall will add an extra layer of protection, and block outbound traffic, your router is just going to do what comes in. Not what goes out. Overall, reading about firewalls and security I find very interesting. Windows Firewall at least in XP, lacks outbound protection. This is one of the cons of it. I’ve used ZA, Sygate, and one other firewall and ZA I’ve found myself coming back time and time again. It’s easy to use and configure, and effective. You can get rid of the nagging alerts if you go to the alerts tab and choose off, program alerts will still be displayed. I admit ZA has gotten more bloated. It works well though and I highly recommend it. If your router does SPI, that’s extra protection, again–no outbound protection on your router though. ZA free version is very configurable and you can get rid of the nagging alerts if you know how to press the correct buttons.
  12. The problem with outbound protection is that when it traps
    something real, it’s too late – you’ve got outbound bad
    traffic because there’s something bad on your machine. If
    you don’t have malware on your machine, then the outbound
    warnings are just so much noise (that often serve to mask
    anything valid that might come up anyway).

    IMO inbound-only firewalls – particularly NAT routers – are
    the way to go.

    Leo

  13. I’ve had nothing but problems using software firewalls such as both the free zone alarm and the pay-for zone alarm pro, norton’s firewall, sygate’s firewall. I’ve done lots of port scanning using all those previously mentioned software firewalls and found that 1 or more of my ports were showing up as being closed which is not good. You actually want your ports to be a ghost…to be stealthed out like a black hole. I use NetGear’s WGR614 v7 router alongside those previously mentioned firewalls such as norton and zone alarm and again I say the ports were closed. I had lots of problems with zone alarm and norton. I then removed them and decided to try Windows XP’s own firewall with my netgear router and found during the port scanning that my ports were now being shown as fully stealthed. I quit having problems using the combination of a netgear router and windows firewall. Scan your ports at https://www.grc.com/x/ne.dll?bh0bkyd2
  14. I removed Zonealarm because I thought my router would be all the protection I’d need. I ended up with a virus that e-mailed itself to EVERYONE in my address book, without my knowledge. Zonealarm would have caught this activity right away, and I’d have been able to deal with the infection before it had a chance to harass my contacts.

    To this day, the guys at work have nick-named me ” VirusBoy “…
