I have a WinXP Pro PC behind a NAT router and am getting tired of Zone Alarm
to the point where I think Zone Alarm is creating more problems than it solves.
Some have suggested that I do not need a software firewall as long as I
practice safe computing. Do you agree? And can you recommend a different free
software firewall solution just to satisfy my paranoia?
As you’ve seen, there differing opinions on this. In reality it does,
indeed, depend on how you use your system and how “safe” your safe computing
It’s also important to understand that there are a few things that a
software firewall like Zone Alarm can do that NAT routers typically don’t.
Let me tell you what I do, and you can draw your own conclusions.
Become a Patron of Ask Leo! and go ad-free!
My home network lives behind a NAT router, and my machines at home do not
have a firewall installed, other than Windows XP’s built-in firewall – which is
You can easily see which way I lean on this particular issue.
I have a complete suite of security tools in place, including anti-virus,
anti-spyware, automatic updates, backups and the like. Both my wife and I
religiously practice “safe computing” – we’re both good at identifying
suspicious attachments, for example, and don’t download things that might be
dangerous (or if we do, we do so in a very controlled manner).
The result is that over many years we’ve never experienced virus or
significant spyware infection or related issue. That’s not to say it won’t
happen some day, but so far what we have, and do, has proven to be quite
Note, though, that I said “at home”. On occasion I do take my laptop out and
connect to other networks – networks such as public hotspots, or networks over
which I have no control and very little knowledge. In these cases I enable the
There are important differences to note between NAT routers and firewalls
such as Zone Alarm.
spyware can arrive on your system … then a NAT router will do its part in
preventing network based attacks.
A NAT router, for example, can only prevent attempts to access your computer
from outside of your LAN. That means that and problems already within your LAN
are not abated, or detected, by the router. If you have an infected machine
within your LAN behind your router, it can easily infect all the other machines
on your LAN. If your machine is infected and connecting to the internet in
unexpected ways, a router will detect, or stop it.
That’s why the big emphasis on if you practice safe computing. If
you avoid all of the other ways that viruses and spyware can arrive on your
system (email and web downloads being the worst), then a NAT router will do its
part in preventing network based attacks.
A software firewall running on each machine is naturally going to protect
against many types of problems regardless of where they come from: other
machines on your local network, or the internet. Now, like a NAT router, a
software firewall cannot prevent infections from internet downloads
and email attachments. However unlike a router, a software firewall
can detect, and prevent, certain types of bad behavior – like a virus on your
machine attempting to spread to others.
This “outbound” protection is both a blessing and a curse. The most common
complaint that I get about Zone Alarm and similar products is that it alerts
too often, and for benign and valid access of the internet. That’s unfortunate,
because when it alerts too often for all these “false positives”, people start
ignoring the alerts, or turn off the feature completely. When a real problem
happens they’re unable to distinguish it from the noise, and frequently ignore
that as well.
Fortunately, I don’t believe that’s a terribly common situation, but it is
annoying when it happens.
Now given your dislike of Zone Alarm, here’s the kicker … there are many
free software firewalls (just search Google for “free firewall”) – but the one that seems to
fairly consistently bubble to the top of people’s recommendations appears to
be: Zone Alarm. Since I don’t use one myself, I rely on those recommendations
instead to guide people – but if you’re not happy with Zone Alarm, there are
many alternatives to try as well.
But personally, I’m quite happy with my NAT router, the Windows built in
firewall as needed … and a little common sense.