Hardware vs software firewalls.

I just got broadband via my cable. I went out and got a router to be able to share it among the multiple computers I have, and I also made sure that it had hardware firewall features like NAT, MAC filtering, IP filtering, etc.

What I am wondering is, is this all the protection that I will need, or should I also run a software firewall on my systems too?

BTW, I have turned off network sharing on all of my systems.

Yep, a hardware firewall is all you need. A software firewall will just suck RAM and CPU power and provide no additional benefits.

Well, that’s not quite true. The hardware firewall just limits which sockets can communicate in and out of your network, while a software firewall like ZoneAlarm will allow you to configure which programs are allowed to access the internet.

So the hardware firewall can and does prevent intrusion-type attacks from hitting your computer, but a software firewall can thwart spyware and trojans that you mistakenly load onto your computer from their attempts to “phone home”.


Not to mention software firewalls often are programmed somewhat shoddily and have a tendency to bug you with extraneous information – just ask a network guy at an ISP about Zone Alarm and watch him roll his eyes – they constantly have to put up with crank calls from people who are alarmed by alerts about perfectly normal network traffic.

So you’re saying that software firewalls are no good because some of their users can’t correctly interpret what the program is telling them? The problem exists between the keyboard and the chair; it’s not a flaw in the firewall itself.

Zone Alarm can be configured to not bother you with incoming attack alerts. When you first install it, it’ll bug the crap out of you until you get it configured the way you want.

IMO, this is the only reason for the need for a software firewall when there is already a hardware firewall.
Round and round the circle goes…

Sometimes a software firewall is good. If you worry about your privacy, then aside from spyware apps, a lot of the “big-name” applications also “phone home.”

My ISP provides a firewall at their location for me. So I don’t need one. Takes them 24 hours to turn theirs off if I don’t want it. They told me that hackers would have to deal with theirs first. I seem to be the only one who has this option. Are you sure it’s not an option for you MrTuffPaws?

Handy, I think the point of contention here is whether a “perimeter” firewall hosted off the endpoint system(s) is enough.

An ISP’s firewall simply stops suspect traffic before it gets to the endpoint system. A typical user also should be concerned about Trojans, Spyware, Adware, etc. that may be downloaded inadvertently – either embedded in a free/shareware install, or installed as an ActiveX “drive-by” download as a browser plug-in. These apps, like Gator, or any number of others, secretly monitor certain parameters: browsing habits, keystrokes, OS version and hardware configuration, you name it, there’s a Pest App that’ll sniff for it. They then communicate this information to a specified server on the internet, usually over HTTP port 80. Since most stateful hardware firewalls (especially home units) simply pass traffic if the port is open, there is a huge security risk.

To answer the OP: Yes, a software-based firewall is needed, especially if you have a home network of several systems. Not only will it protect against Pest Apps, it will prevent the spread of network-aware worms. Blaster and Welchia being most notable of late, many worms discovered these days have a file-sharing propagation method, even those that use email as a primary infection vector. A software firewall will prevent most of these from spreading, even if your antivirus software is not up to date, or if signatures aren’t available for a particular threat yet.

Definitely worth the trouble of configuring it in the first few weeks of use.

Also a huge security risk. . . :smack:

As is frequently pointed out by others in this type of thread, the comparison of a hardware and software firewall is fairly specious. All firewalls are software and the hardware/software distinction is generally made depending on whether the software is running on a dedicated device or a more general computer. A firewall (hardware or software) running “upstream” of a specific computer is quite useful for protecting that computer from inbound traffic. Your ISP, LAN gateway, etc. can and should be running firewalls to drop certain classes of traffic. However, you gain significant benefit from also running a firewall on an individual client computer because it can monitor outbound traffic based on the source of the packets, not just the content. A firewall which blocked all outbound HTTP traffic would be undesirable in most cases, but a client-based firewall can block HTTP from malware and phone-home apps but still allow approved apps to function normally. An external firewall cannot determine the source of the packets so it cannot filter with this level of granularity.

IMO, it’s not an either-or proposition. For performance and security reasons, dedicated firewalls at a gateway are very useful. For blocking outbound traffic, client-based firewalls are very useful. They both serve a purpose. Their purposes overlap, but they are not necessarily completely redundant.

On the subject of ISPs firewalling you … my ISP (and cable company) recently took it upon themselves to firewall several new ports. This is all fine and good for the residential users, who need that kind of thing. But I, and six of my clients, pay extra for business connections which were supposed to allow us to make these kinds of decisions for ourselves. Now the file-sharing system we had set up is broken, and there seems to be no way to get it working again. And Cox says there’s nothing they can do about it because “the Homeland Security Department recommended it.” The only recommendation from Homeland Security that I’ve seen was to block port 135 temporarily to prevent the spread of that worm or whatever, last month. Nothing about blocking other ports. Especially port 119 – my news server has been rendered useless.

Yeah, broadband ISPs should probably do this for their clueless customers, but they should also be able to turn it off if you need it off, especially when you pay extra for a non-residential connection. I’ll run my own firewall, thanks!

While it’s good that ISPs take some action to protect their customers, I find it hard to believe that an ISP would ever be enough to be secure.

To give you one end of the spectrum, I recently was told that AOL Broadband customers were being advised that they didn’t need to run a firewall because the AOL servers would protect them. How reassured would you be?

I run just a hardware firewall. ZoneAlarm annoyed the hell out of me. And I can set up my hardware firewall to block software, allow software, whatever. It’s part of my router.

KenGr, I know the newest versions of AOL Broadband come with a built-in firewall, at least that’s what the ads say. So that might be why they’re saying that.

An external firewall (hardware or software) cannot filter based on the application sending/receiving the traffic. They may give you shortcuts like “block Enterprise Manager” or “block AIM”, but all that means is that they’re going to block the ports typically used by those applications. The applications you think you’re blocking could simply use different ports or, as is usually the case with the things you really want to block, the application is using ports/protocols used by other apps you don’t want to block. There is no way an external device can block an HTTP query from spyware while still allowing HTTP traffic from your browser.
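The two layers argued over in this thread, as an added illustration that is not code from any poster or product: a perimeter (NAT/port) policy that only sees traffic crossing the WAN boundary, beside a host policy that also knows which program opened the socket. The flows, program names and addresses are constructed sample data; the policies are a simplified model of the behaviour described above, not any real firewall's rule engine.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen on the endpoint (constructed sample data)."""
    direction: str           # "out" (from this host) or "in" (to this host)
    src_ip: str
    dst_ip: str
    dst_port: int
    program: Optional[str]   # executable that owns the socket; unknown at the perimeter

LAN_PREFIX = "192.168.1."                      # hypothetical home LAN
TRUSTED_PROGRAMS = {"firefox.exe", "outlook.exe"}
FILE_SHARING_PORTS = {135, 139, 445}           # RPC/SMB ports used by LAN-spreading worms

def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)

def perimeter_policy(flow: Flow) -> str:
    """Stateful gateway firewall: passes outbound on any open port, drops unsolicited
    inbound from the WAN, and never even sees LAN-to-LAN traffic."""
    if is_lan(flow.src_ip) and is_lan(flow.dst_ip):
        return "unseen"
    if flow.direction == "out":
        return "allow"          # port 80 is open, so spyware on 80 passes too
    return "drop"

def host_policy(flow: Flow) -> str:
    """Per-application host firewall: decides by program for outbound traffic and
    refuses file-sharing ports inbound, even from LAN peers, to limit worm spread."""
    if flow.direction == "out":
        return "allow" if flow.program in TRUSTED_PROGRAMS else "deny"
    if flow.dst_port in FILE_SHARING_PORTS:
        return "deny"
    return "allow" if is_lan(flow.src_ip) else "drop"

def evaluate(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (label, perimeter verdict, host verdict) for each flow."""
    return [(f"{f.direction}:{f.program or f.src_ip}:{f.dst_port}",
             perimeter_policy(f), host_policy(f)) for f in flows]

SAMPLE_FLOWS = [  # constructed: browser, phone-home spyware, WAN scan, infected LAN peer
    Flow("out", "192.168.1.10", "203.0.113.5", 80, "firefox.exe"),
    Flow("out", "192.168.1.10", "203.0.113.9", 80, "gator.exe"),
    Flow("in", "198.51.100.7", "192.168.1.10", 135, None),
    Flow("in", "192.168.1.20", "192.168.1.10", 445, None),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS):
        print(row)
```

The second and fourth rows are the thread's two points: the gateway passes the spyware's port-80 connection exactly like the browser's, and it never sees the infected LAN peer probing port 445 at all.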