How-To Geek

Do I Need a Firewall if I Have a Router?

There are two types of firewalls: hardware firewalls and software firewalls. Your router functions as a hardware firewall, while Windows includes a software firewall. There are other third-party firewalls you can install, too.

In August 2003, if you connected an unpatched Windows XP system to the Internet without a firewall, it could be infected within minutes by the Blaster worm, which exploited vulnerabilities in network services that Windows XP exposed to the Internet.

Besides showing the importance of installing security patches, this demonstrates the importance of using a firewall, which prevents unsolicited incoming network traffic from reaching your computer. But if your computer is behind a router, do you really need a software firewall installed?

How Routers Function as Hardware Firewalls

Home routers use network address translation (NAT) to share the single IP address from your Internet service provider among the multiple computers in your household. When unsolicited incoming traffic from the Internet reaches your router, your router doesn’t know which computer to forward it to, so it discards the traffic. In effect, NAT acts as a firewall that prevents unsolicited incoming requests from reaching your computer. Depending on your router, you may also be able to block specific types of outgoing traffic by changing your router’s settings.

You can have the router forward some traffic by setting up port forwarding or by putting a computer in a DMZ (demilitarized zone), where all unmatched incoming traffic is forwarded to it. A DMZ, in effect, forwards all traffic to a specific computer, so that computer no longer benefits from the router acting as a firewall.
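As an added example that is not part of the original article, the following Python simulation models the NAT behaviour described above: outbound connections create translation entries, matching replies are forwarded back, unsolicited packets are discarded, and a port-forwarding rule or a DMZ host deliberately re-exposes a LAN computer. The `Packet` and `NatRouter` names and every address and port are constructed for the example; the router is modelled as an address-and-port-restricted NAT, which is one common home-router behaviour, not a description of any specific product.

```python
"""Added example (not from the How-To Geek article): a simulation of how a
home router's NAT translation table acts as a firewall. Addresses, ports and
class names are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Models an address-and-port-restricted NAT: an inbound packet is only
    forwarded if a LAN host previously sent traffic to that exact remote
    address and port, or if an explicit port-forward / DMZ rule applies."""

    PUBLIC_IP = "203.0.113.7"  # constructed: the single ISP-assigned address

    def __init__(self) -> None:
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # static port forwards: (proto, public_port) -> (lan_ip, lan_port)
        self.port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.dmz_host: Optional[str] = None
        self._next_port = 40000
        self.dropped: List[str] = []

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host sends a packet out; create (or reuse) a NAT entry and
        return the packet as the Internet sees it (rewritten source)."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, pub_port), entry in self.table.items():
            if proto == pkt.proto and entry == flow:
                break
        else:
            pub_port = self._next_port
            self._next_port += 1
            self.table[(pkt.proto, pub_port)] = flow
        return Packet(self.PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arrives from the Internet. Return the packet as delivered
        to a LAN host, or None if the router discards it."""
        key = (pkt.proto, pkt.dst_port)
        entry = self.table.get(key)
        # 1. Reply to a connection a LAN host opened: translate and forward.
        if entry is not None and (entry[2], entry[3]) == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.proto)
        # 2. The administrator configured a port forward for this port.
        if key in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        # 3. A DMZ host receives everything that matched nothing else.
        if self.dmz_host is not None:
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port, pkt.proto)
        # 4. Unsolicited and unmatched: this is the "free" firewall effect.
        self.dropped.append(f"{pkt.proto} {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
        return None


def run_scenario() -> dict:
    """Constructed walk-through of the cases the article describes."""
    router = NatRouter()
    pc = "192.168.1.10"        # constructed LAN computer
    web = "198.51.100.20"      # constructed remote web server
    scanner = "192.0.2.66"     # constructed Internet host probing the LAN
    results = {}

    # The PC browses to the web server; the reply matches the NAT entry.
    out = router.outbound(Packet(pc, 51000, web, 443))
    reply = router.inbound(Packet(web, 443, router.PUBLIC_IP, out.src_port))
    results["reply_delivered_to"] = (reply.dst_ip, reply.dst_port) if reply else None

    # An unsolicited probe of TCP 135 (the RPC port Blaster exploited) is
    # dropped: no LAN host asked for it and no rule forwards it.
    results["probe_dropped"] = router.inbound(Packet(scanner, 4444, router.PUBLIC_IP, 135)) is None

    # Port forwarding re-exposes exactly one service on one host ...
    router.port_forwards[("tcp", 22)] = (pc, 22)
    fwd = router.inbound(Packet(scanner, 4445, router.PUBLIC_IP, 22))
    results["forwarded_ssh_to"] = (fwd.dst_ip, fwd.dst_port) if fwd else None
    # ... while every other port stays closed.
    results["port_135_still_dropped"] = router.inbound(Packet(scanner, 4446, router.PUBLIC_IP, 135)) is None

    # A DMZ host gets all unmatched traffic: NAT no longer protects it at all,
    # so that machine needs its own software firewall.
    router.dmz_host = pc
    dmz = router.inbound(Packet(scanner, 4447, router.PUBLIC_IP, 135))
    results["dmz_exposed_135"] = (dmz.dst_ip, dmz.dst_port) if dmz else None
    results["drop_count"] = len(router.dropped)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```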


How Software Firewalls Work

A software firewall runs on your computer. It acts as a gatekeeper, allowing some traffic through and discarding unsolicited incoming traffic. Windows itself includes a built-in software firewall, which was first enabled by default in Windows XP Service Pack 2 (SP2). Because software firewalls run on your computer, they can monitor which applications want to use the Internet and block or allow traffic on a per-application basis.

If you’re connecting your computer directly to the Internet, it’s important to use a software firewall – you shouldn’t have to worry about this now that a firewall comes with Windows by default.


Hardware Firewall vs. Software Firewall

Hardware and software firewalls overlap in some important ways:

  • Both block unsolicited incoming traffic by default, protecting potentially vulnerable network services from the wild Internet.
  • Both can block certain types of outgoing traffic. (Although this feature may not be present on some routers.)

Advantages of a software firewall:

  • A hardware firewall sits between your computer and the Internet, while a software firewall sits between your computer and the network. If other computers on your network become infected, the software firewall can protect your computer from them.
  • Software firewalls allow you to easily control network access on a per-application basis. In addition to controlling incoming traffic, a software firewall can prompt you when an application on your computer wants to connect to the Internet and allow you to prevent the application from connecting to the network. This feature is easy to use with a third-party firewall, but you can also prevent applications from connecting to the Internet with the Windows firewall.


Advantages of a hardware firewall:

  • A hardware firewall sits apart from your computer – if your computer becomes infected with a worm, that worm could disable your software firewall. However, that worm couldn’t disable your hardware firewall.
  • Hardware firewalls can provide centralized network management. If you run a large network, you can easily configure the firewall’s settings from a single device. This also prevents users from changing them on their computers.

Do You Need Both?

It’s important to use at least one type of firewall – a hardware firewall (such as a router) or a software firewall. Routers and software firewalls overlap in some ways, but each provides unique benefits.

If you already have a router, leaving the Windows firewall enabled provides you with security benefits with no real performance cost. Therefore, it’s a good idea to run both.

You don’t necessarily have to install a third-party software firewall that replaces the built-in Windows firewall – but you can, if you want more features.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 08/19/12

Comments (32)

  1. Doug Jensen

    This is a simplified answer for people unfamiliar with the topic — as you intended. But it would have been a better article if it had explained why hardware firewalls can cost thousands of dollars and provide a vast array of protections you didn’t mention. The firewall in a router is vestigial.

  2. Claude

    This was a great article. It helps people to understand the distinction between a router and a software firewall. I doubt many people truly understand that a router provides protection to your computer.

  3. Daniel

    This was a great and informative article. Since I have both, I thought a router would block internal worms but I was wrong. Geek on.

  4. RA

    Thanks for the explanation, I didn’t know if I needed a third-party firewall too.

  5. Marcel

    What are software options for Linux? Although most malware isn’t focused on Linux OS, as they become more popular that might change. Most of the time I prefer Linux performance over Windows, unfamiliar with Mac.

  6. R-Unit

    Thanx 4 the info:)

  7. JD

    In a Network where the Router “costs thousands of dollars” and “provide an array of protections” does NOT suggest the firewall in the router is “vestigial” … by any means …

    I’ve included a definition to help explain the comment string …

    vestigial (v-stj-l)
    Relating to a body part that has become small and lost its use because of evolutionary change. Whales, for example, have small bones located in the muscles of their body walls that are vestigial bones of hips and hind limbs.

  8. smike

    Tend to agree with Doug.

    The article was not up to usual high how-to-geek standards.

    Not able to tell whether JD has a point or not. The nitpicking on ‘vestigial’ is clear enough, if irrelevant, but not sure what point the ungrammatical first sentence is attempting to make.

    To return to the point – No info was provided as to how the router’s settings can be tailored to improve security, a worthwhile enterprise. Further, the fact that the Windows software checks incoming but not outgoing traffic was not mentioned. The ability of several free firewalls to check both, limiting the ability of malware that got past the incoming checks to export your data is a significant consideration.

  9. CBA

    Nice article, but a bit short. It is true that firewalls are a very big part in keeping PCs relatively “safe.” Firewalls are not critical for communication but if you want to limit any problems that might occur they are.

    That’s not to say something bad can’t happen even with a firewall since there’s always the “user” who blindly opens virus infected files, or someone not paying attention to a URL or even the HTTP vs HTTPS when doing sensitive things. But chances of a worm or virus letting its payload cause more problems is significantly reduced when a firewall is in place. After all, a firewall does just that – it prevents the “fire” – aka the “payload” – from spreading. (BTW, not all worms/viruses will do this either – just the ones that want to “phone home” or set themselves up as DoS zombie client or something that requires network access.)

    You Linux guys should also consider firewalls too. Almost every distro out there has nothing configured by default which means your Linux box is wide open and only protected by whatever hardware firewall you may have in place – if you even have one! This is not a good idea for obvious reasons even though there is not much out there to worry about (much like a Mac). At least not yet! But if you have other Windows boxes on the same local network then you could be exposing them since Windows would likely have certain “ports” open for various “internal” traffic (hint, hint). And even though the chances of a worm/virus unloading its payload over an internal/local network is not very likely the risk is still there, particularly since Linux still has almost no virus scanner apps that might detect a bad app/process.

    So if you’re not using a firewall or have one opened up all the way then my advice would be to get used to it and close off those unused ports.

  10. keltari

    Software firewalls break more systems than do any kind of protection. In corporate environments, with experienced admins, software firewalls can be “somewhat” beneficial, but still are a huge headache. And no one can expect the average home user to understand or configure them. Remember ZoneAlarm? The “most popular” software firewall. People got so tired of pop ups asking them to allow or deny a program network access that they just always ended up saying allow. It was a joke. ZoneAlarm doesn’t even give its software firewall first billing in its security suite anymore, it’s pushing its antivirus now.

  11. TheFu

    You really need both.
    * A router firewall can protect your PC from thousands of nasty packets every hour. Being without that protection is crazy if it is available. If the network firewall fails, chances are you don’t have an internet connection either. That is good.
    * A software firewall can protect your PC from specialized attacks that the average home router cannot. It can easily be configured to trust specific packets from other devices on the LAN while not completely opening your computer up for all connections.
    * If you have a portable device and connect to other networks, then you need to run the software firewall always. Most wifi networks in public areas, cafes, coffee shops, libraries, and schools are definitely not safe.

    Someone asked about Linux firewalls. The kernel has iptables and the GUIs just manage the iptables configuration. ufw is an easy to use CLI interface into iptables, I suppose there are GUI versions too. iptables is extremely powerful. If you are on Linux, take a look at fail2ban. It probably does what most people need with the default settings.

  12. LadyFitzgerald

    The only reason people have trouble with Zone Alarm is because they don’t use it properly. At first, there will be a lot of popups but, if the user takes the time to make a proper decision before selecting whether to block or allow, permanently or that time only, ZA will become “trained” and, before long, the popups will become rare. I’ve been using ZA for years, first in XP and now in Win7 64, and have had no problems with it. Unlike the Microsnot firewalls, which work only on incoming transmissions, ZA works both for incoming and outgoing transmissions, is easy to use, and can be edited if one decides to block or unblock a previously unblocked or blocked transmission. In addition, ZA now also monitors downloads and determines if they are safe or not and will alert one to possible phishing sites.

  13. Zinc64

    I agree with Doug that comparing a home router with NAT to a dedicated network appliance is a bit over-simplified.

    However, I use the same simplified explanation when I tell my family and friends why they should buy a router. I use the analogy of a company switchboard that screens all your incoming phone calls…no one can call the boss directly.

    It’s amazing how many people with only one PC still hook up directly to their modem w/o a router.
    Although a lot of ISPs provide a wireless router free these days just to simplify support issues.

    If you really wanted to “nitpick” you could have started with why you shouldn’t rely on Windows firewall alone. Of course…most Internet Security suites come with a firewall anyways.

  14. pbug56

    The hardware firewall in most routers provides SOME protection. But considering that most people with wifi capable routers don’t properly secure them, your whole neighborhood can be sharing your internet access and your home or office network (including the contents of your PC PLUS being able to see what you are doing) if you don’t 1. secure it, and 2. have software firewalls running properly on your PCs. So YES, you need BOTH!

  15. 98 Guy

    Our small business was connected to the internet through an ISDN modem for 5 years between 2000 – 2005 (it was the best connection we could get at the time). We had a dedicated IP subnet with 32 IP addresses. We had no NAT-router. The modem was connected to several 10/100 switches and we had about 20 computers in the office. A few were running Win-NT4, most were running win-98se and a few were running win-2k (our developers didn’t start running XP until 2006).

    The point of all this is that during a very vulnerable time for network worms (2000 through 2005) all of our machines had directly-routable (accessible) internet connections, and none of them were running firewall software. Guess which machines NEVER got hit or infected with network-based / internet-based worms or hack attempts: Answer -> our win-98 systems. I still install and run win-98 (with kernelEx) on new(er) hardware to this day on my home and office machines. That includes having TB-sized SATA hard drives and 1 gb system ram, 3 ghz P4 CPUs, etc.

    Win-98 has never needed to be “protected” with a firewall, but the very vulnerable and delicate NT-based line of OS’s did.

  16. 98 Guy

    Software firewalls (and AV software for that matter) running on NT-based computers are a joke anyways, because it became trivial for malware (through browser-based exploits) to turn them off before they connect to their command-and-control masters to download secondary payloads.

  17. r

    …totally vestigial

  18. 98 Guy

    Microsoft’s motto: If it works, it’s not complicated enough.

    Windows NT (and 2k, xp, etc): Made from the finest, most expensive and delicate code. Like the emperor’s new clothes.

  19. Bigtech

    Actually the reason win98 machines never need protection (these days) is the same reason Windows 3.1 and DOS apps no longer need protection. They’re old. The exploits being exploited today literally didn’t exist in those programs because the features did not exist. Good article though. And yes there are more expensive hardware routers but suffice it to say if you’re the kind of person that would need it, then you already know about it and know what you need.

  20. Khalid

    Good introduction by Chris and pretty good ‘constructive’ feedback.

    In particular, I liked the comments by TheFu who brought up iptables and fail2ban. I’m keen on this since I’m implementing an Ubuntu server as a gateway+firewall on a heterogeneous (windows/linux) LAN.

    Good work!

  21. fallout330

    Yes, Khalid, same idea here. Thanks for the info, TheFu.

  22. RichardH

    Useful article, but can somebody please clarify a point for me:

    Does Windows 8 finally have a proper two-way inbound and outbound firewall, or is it the same tired old thing that was in XP that only monitors incoming traffic?

    Similarly, does anyone know if the Ubuntu Linux firewall is one-way or two-way ?


  23. KB Prez

    Very helpful article Chris! Thank you.

  24. spike

    @JD: Just for clarification, about the word “vestigial”, it has multiple meanings, one of which I have included here:
    ‘Forming a very small remnant of something that was once much larger or more noticeable: “he felt a vestigial flicker of anger”.’
    The post by Doug Jensen was certainly relevant and accurate, although (as he also mentions), what he is bringing up is outside the scope of what this topic is intended to cover.

    @RichardH: Inbound and Outbound rules are managed separately in the Windows firewall starting at least in Win7 (I never dug into Vista very far.)

  25. spike

    @”smike”: Imitating the display name I use?? :-) I thought this article was good. An article has to have a balance of how short it is (so that people can read through the whole thing and remember what was at the beginning), and how much detail it includes.


    Explained in a non-tech manner – brillo!!

  27. Chuck

    @smike It wasn’t mentioned because it’s not true.

    The Windows 7 firewall does block outgoing traffic too, if you set it up to. It by default allows all outgoing traffic but that can be changed simply by changing “Outbound connections” to Block for the firewall profiles that you want outbound connections blocked on. It’s in the “advanced settings” but that’s it. It’s nothing terribly complicated to get to or anything.

  28. ThatGuy

    I don’t really see any major issues with enabling a software firewall even with a hardware firewall in place – multiple defense layers are what I prefer. Locking down both firewalls to only allow the necessary protocols to go in/out. It is a pain but won’t give you as much of a headache when compared to virus/malware infections or stolen personal info.

  29. Richard Horrocks

    @spike Thanks for your reply Spike.

  30. smike

    Hi Chuck,

    Oops. Thanks for your correction. I was unaware that W7 could be configured to intercept outbound traffic as well. It sounds as if it could be worth using so I will have a look at it.

    However, your comment about setting it up for individual firewall profiles sounds like the reason it is placed under the ‘advanced’ tab! Zone alarm and others work this all out for you without requiring expert user input.

    Oh, and hi spike, no attempt to parody your display name, just the one that I have been using for over ten years, a combination of Christian and Surnames.


  31. Dr_Unix

    A more robust solution to the packet filtering problem can be had easily and inexpensively by using an older machine you may have collecting dust in the closet or garage, a pair of 100 Base T network interface cards, and a copy of FreeBSD which includes the “ipfw” [ip firewall] “stateful packet filtering” sieve that is fully user configurable through a firewall script that can be created with any text editor. Newer versions of BSD come with the Berkeley Packet Filter kernel module compiled by default, and the BSD kernel is engineered for easy “on the fly” inclusion or exclusion of this feature.

    Basically, the Internet is connected to the BSD gateway machine on NIC card #1. All traffic inbound from the web must pass through the Berkeley Packet Filter driven ipfw script which has been *user configured* (a few sample default configurations are provided to get you going). Berkeley Packet Filter allows us to sort, redirect, drop silently or drop with ICMP replies to the sending host, any packet with filtering as fine as individual TCP “Flags.” This makes it a snap to deny access to inbound packets whose pedigree is questionable. The “TCP SYN-FIN” attack is an example. By sending a synchronization packet [SYN] that includes a “finished” flag [FIN], many lesser firewalls are confused, cannot cope with the apparent contradiction and all too often they simply allow the rogue packet to enter. If it contains a few bytes of executable code that can be injected into a region of “unsupervised” kernel memory, by default that code will execute, and this has been the mechanism for creating bot nets around the world. There are other attacks that can be prevented, such as the forged IP address spoof that suggests a packet has originated from (your CPU typically lives at this address). Lesser firewalls are typically hard coded not to perform any filtering on packets deemed to be “internals” and so once again, a rogue packet containing executable code fragments has been allowed into the system where it potentially can be injected into a region of “unsupervised” kernel memory [typically by a common buffer overflow] and there do its evil deed. The Berkeley Packet Filter allows us to perform “interface of origin verification” which stops this exploit dead in its tracks by simply comparing the origin of the packet to the attached spoofed IP address. Clearly, no packet that has originated at IP address can enter my gateway machine from the NIC card that is attached to the Internet!
    packets travel exclusively **on the system bus.** So, a packet claiming to be from that was found to have entered your system via eth0 would be “dropped silently” if Master Yoda had written the firewall script. Why? The reason for dropping it “silently” is that we prefer *not* to give the attacker any helpful information that could result from an ICMP message returned to the originating host [it might tell him what my operating system is, what version I’m running, or disclose other information a security conscious System Administrator would rather not disclose to the sender of strange, non-standard packets claiming to have originated inside my own machine while my packet filter informs me they actually have crept in through the network adapter card connected to the Internet!]

    Any firewall works only as well as the cleverness of the System Administrator’s firewall script which tells it what packets to be watching for and what to do with them. I have used a “honey pot” host on my network as a destination for packets identified as “likely to be invasive,” along with a software package called “Tripwire” that plays cat and mouse with the packet’s originator. If someone is attempting a break-in, Tripwire leads him down the garden path to nowhere, and records every effort used in furtherance of the break in. A Honey Pot is a cheap, obsolete host computer with a mock file system that might *seem* to contain valuable intellectual property, for example, but actually is nothing but an inexpensive decoy! The host’s critical file system is protected by running the honey pot’s “Well Known Services” such as ftp, smtp, ssh, etc., inside a “jail” or “sandbox.” The file system inside the sandbox looks like the real McCoy, but it’s not, and more importantly, it is “chrooted” so that if an attacker manages to gain control over one of my TCP based services, it is running as a “non-privileged” user, and because of this the attacker is not able to “root” the host on your network and gain entrance to the other hosts. Imagine breaking into a very stout bank vault only to discover that (a) there’s nothing inside but Monopoly money, and (b) there’s no way to get out! [the term “chroot” refers to the process of declaring a different “absolute root” for the file system used in your sandbox.] Windows and DOS machines traditionally have been “rooted” at C:\, where Unix and Linux have always had the capability to set the root file system at any partition “mount point” supported by hardware constraints. If my host is “rooted” at C:\ then I might “root” my sandbox in a tiny special partition that contains only an empty “stub” of the real file system.
    It would contain a complete directory tree, [and appear perfectly normal and legitimate] but the file folders would all be **empty.** The computer knows where the real root directory is located, but it’s not telling the unwelcome visitor. Even if he manages to “root” my ftp server, for example, in the sandbox, he still has accomplished absolutely *nothing* because the ftp server is running as “User ID 000” of “Group ID 000” with Username= “Nobody,” and what seems to be the “absolute root directory” of the Honey Pot’s file system is nothing but blue smoke and mirrors. [This causes attackers to waste a lot of time and energy while doing *zero damage* and it gives me an opportunity to record everything they do, back trace their IP address, and put together enough evidence to support criminal charges.]

    Your inexpensive, older BSD Gateway machine operates just like a very high quality fully programmable network router with NAT addressing. We simply assign a “private network block” to the second NIC card and then forward packets from the Internet to our, for example, gateway. Unlike most Netgear or Belkin or Linksys routers with Network Address Translation “firewalling,” your inexpensive BSD gateway machine can easily accommodate more than 252 hosts out of a severely limited class C network. [There is a “default gateway” address, a “broadcast” address, and a “network” address that are always unavailable for user assignment in any netblock, which reduces the 255 IP address total of a Class C Netblock such as to 252 addresses that are actually available for assignment to your network hosts and other devices such as network media storage or network printers]

    Many of my readers are thoroughly confused by now, and so I’ll stop and recommend to you all that a bit of study goes a very long way toward mitigating the harmful impact on your network caused by unauthorized access. O’Reilly sells a wonderful tome called “TCP/IP Network Administration” that I highly recommend. Your web browser operates using TCP packets. Transmission Control Protocol is what makes the Internet work! TCP divides everything into small bundles of data called “packets,” assigns each packet a “sequence number” and then attaches any of a variety of “TCP Flags” to help the receiving host understand what business the packet may have. TCP is a **two way protocol** where UDP is just a largely unregulated blast of arbitrary data with no specific size limits or other meaningful requirements, really, and there is no “handshake” between sending host and receiving host. All TCP “well known services” receive a “SYN” packet to synchronize the two hosts. The receiving host **replies** with an “ACK” packet to Acknowledge having received the “SYN” packet, and then they exchange some additional technical details, including *both* IP addresses, and other “scaling” factors beyond the scope of this discussion related to various allowable parameters. If the two hosts agree that their respective versions of TCP are compatible, then they can begin to exchange packets, each and every one containing the *sending IP*, the *destination IP*, and *sequence numbering.* Each packet travels by the *fastest instantaneously available route from sender to receiver;* therefore, no two packets have come via the same route! Because of this TCP uses the “sequence numbers” to reassemble the entire file at the receiving end. TCP performs *no error checking* and *requests no corrections.* The TCP daemon on the receiving end knows how many packets to expect [because that information was transmitted along with the original “SYN” packet.]
    If there are losses due to data fragmentation, for example, or equipment failures en route [for example, where a backbone router takes that precise moment to use up its “average time between failures,”] then the receiving host sends a “Not Received As Sent” final acknowledgement. On the other hand, if the receiver was expecting 1000 packets and received 1000 packets, it sends back a “Received As Sent.”

    If you want to stop intruders then you **must** learn how TCP works. A well designed firewall script running against the Berkeley Packet Filter, which is capable of decoding *any* TCP packet, gives you a chance to *identify* packets that (a) have spoofed IP addresses, or (b) have spoofed interface origin points indicated,–> perhaps within your own system, hello? <– while they actually came in over the Wide Area Network adapter card, (c) contain "SYN" requests for *services not running on your system* (d) or have otherwise been *prohibited* for various reasons. [Personally, I *always* block 100% of inbound TCP traffic from China, Taiwan, Hong Kong, Malaysia, Russia, Ukraine, Bosnia, Herzegovina, Latvia, Lithuania, Estonia, Germany, Poland, and anywhere in the Marianas or French Polynesia ***unless that traffic is in response to some TCP request originating inside my own network.*** Inbound traffic from those nationalities that is "unsolicited" is all "silently dropped," meaning I send nothing back to assist an attacker in learning what my operating system might be, for example, as this would help him refine his attack to something more specific to my platform.

    Your Windows or Linux machine running *behind* a BSD gateway machine will enjoy all the benefits of Network Address Translation that makes it virtually impossible to launch a directly targeted attack against "NAT" hosts, plus the *highly advanced* packet recognition and filtering capabilities that are simply unavailable unless one is willing to spend perhaps as much as $10,000 for a hardware gateway with some attempted implementation of "stateful" packet filtering capability in addition to Network Address Translation. Some devices do a passably competent job of "stateful" packet decoding and filtering where others are less successful {Note, please, that "IP_TABLES" under Linux might be almost as good *if* it were not for an extremely difficult [inscrutable?] configuration learning curve for novice users, and the lack of some vital and, frankly, *indispensable* filtering capabilities that are simply unique to the BSD Kernel-based "Berkeley Packet Filter." Your BSD gateway & "stateful" packet filtering host machine could be something as old and clunky as a very slow Celeron based machine you might not have used in several years. [A final note: The term "stateful" packet filtering refers mainly to the ability to decode various TCP flags and perform other checks, such as "Interface of packet origin" verification, or even "reverse DNS" tracing (Which I would only recommend for *very* short periods during serious and prolonged attacks on your network to avoid the extra burden on our already strained DNS Root Servers.) By checking the "state" of an inbound packet we may look for **inconsistencies,** such as a packet that carries both a "SYN" flag *and* an "ACK" flag. 
    Packets flagged as SYN | ACK should be "dropped silently," but in order to do that, you'll need the Berkeley Packet Filter and the BSD IP Firewall that easily and conveniently allows you the freedom to write your own firewall script [without the need to learn a new programming language] that will instruct the packet filter very precisely as to what it should do with each of the various types of disallowed packets. Some are redirected. Some are dropped with or without notifications to the sending host. Others can be sent to that magical place on Unix machines we call the "Bit Bucket" [actually it's a special "device" called /dev/null, which amounts to the digital equivalence of a black hole in cyberspace. Anything sent to the Bit Bucket survives until its "time to live" has expired and then, since it cannot be "refreshed" while staying at the "Null Hotel," it simply ceases to exist in any meaningful way and entropy causes its flickering transient energy to dissipate completely. This is an especially fitting end for SYN | FIN and SYN | ACK packets or those with forged IP addresses or forged Interface of origin, and most especially any claiming to have come from [with a banjo on my knee?] while actually originating somewhere deep inside the People's Republic of China at the headquarters of an International Spam Gang planning to steal your banking and credit card numbers if *YOU* make that possible by depending upon poorly designed and technologically obsolete or otherwise totally *inadequate* counter measures such as the Out Of The Box Experience "Firewall" that now ships standard with each copy of Windows!

    What I have tried to do here is impress upon you the need for a relatively small amount of study so you can understand how the Internet does its business. If you don't understand *what* TCP is and, at least superficially, *how* it does its work, you have no hope of preventing intrusions. Quite simply put, the Microsoft "firewall" is *not* up to the task, and Windows objects strenuously to allowing any packet filter to run because packet filters are a potent weapon to be used against you by your attacker in the event an intrusion is successful and the intruder manages to subvert a privileged User Account, or "root" a process running as the infamous NT_AUTHORITY_SYSTEM account or even worse. The **Ultimate Attack Against Windows** is to find a way to successfully "impersonate" the "TRUSTED_INSTALLER" User Account. Trusted Installer is the new and improved "owner" of all system files and processes from Windows Vista onward. If I can successfully impersonate User TRUSTED_INSTALLER, I can do things even the NT_AUTHORITY_SYSTEM User Account cannot do. The *only* competently engineered and fully reliable firewall that is truly adequate to protect your Windows network host machine *must* be run in a gateway machine that is *not* under the control of the NT Kernel. In other words, you need the Berkeley Packet Filter engine driving the BSD Kernel-Mode IP Firewall that ships standard in every version of FreeBSD since version 5.0. As the name implies, it's *free* and it's bullet proof. You *must* put forth some effort and study TCP in order to understand enough to write your firewall script telling the packet filter what to do with *dangerous* non-standard packets, and with BSD you can also use various Kernel Tuning settings to make further adjustments to the way TCP works in your gateway machine. These are known as sysctls (system controls) and that discussion is too long and too technical for this forum. 
You'd likely not understand it prior to reading TCP/IP Network Administration from O'Reilly, and doing a bit of study in the online documentation at the Home of FreeBSD. Note that I do *not* recommend PCBSD (the graphical user interface version of BSD). FreeBSD *can* be configured with an interface similar to what Windows users expect to find, but if you are inexperienced at setting up an X11 server and window manager, it will come at great personal cost [much frustration and many needless new gray hairs] while really serving no purpose worthy of all the effort necessary to make it work on your hardware. Your BSD gateway machine will be much like a *very* expensive Cisco backbone router in that it is highly configurable and completely capable of routing, forwarding, blocking or simply destroying various inbound or outbound data streams. Once you get it set up, though, it simply sits there and hums along day after day like a Netgear or Belkin or Linksys router with its NAT “firewall.” The difference between them, however, is like night and day. A $75 “router” cannot possibly hope to compare to the fine grained precision control over all TCP traffic inbound and outbound you will enjoy with your BSD gateway, and for this narrowly defined purpose, the text based command line version of FreeBSD is more than adequate. No “windows” necessary for this configuration. It will remind older users of MS DOS except that the shell commands are vastly more powerful, and there’s basically not much short of a power failure or a hard drive crash that can bring a BSD machine down unless *you* decide to take it down for some hardware maintenance purpose that can’t be handled with the machine up and running.
A 10 year old used machine from your local pawn shop or computer recycling company with 512 MB to 1 GB of older, slower RAM and a 40 GB hard drive is much more than adequate to serve as a gateway machine unless you are a corporation the size of Boeing, in which case you should consider a newer generation machine that runs faster and can handle the load. I once ran a BSD gateway on a 486-DX33 machine with 128 Megabytes of RAM that we lab tested and proved capable of handling in excess of 10,500 inbound http (TCP) requests every 15 minutes. I doubt seriously that any home user will ever approach that level of inbound traffic. At the time I had 35,000 paid customers behind my gateway firewall who were hosting their web pages on my two machines running Apache Web Server, and some of those domains were extremely busy.

FreeBSD is a direct descendant of AT&T Unix. It is the “Ultimate” operating system for TCP/IP networks. What is the Internet? The Internet is a TCP/IP Network consisting of millions of much smaller TCP/IP networks all coordinated by a set of “Internet Protocols” developed under contract from the Department of Defense at the University of California, campus at Berkeley during the cold war era. BSD is essentially the *birthplace* of TCP/IP. If your goal is to secure a host on that giant TCP/IP Inter-Network we now call the Internet (formerly it was known as the DARPANET, so-named for the “Defense Advanced Research Projects Administration”) then why not go to the source? Berkeley is where TCP/IP was invented! Doesn’t it follow logically that you will find the very best network utilities and security tools were also created at Berkeley? If you succeed in creating your bullet proof BSD Gateway with the Ultimate “stateful” packet filter based firewall, it *will* come at a steep personal price. I have been doing this since 1973, and that’s just a few months shy of 40 years experience. I will not mislead you. Some of this study material is a very steep [almost vertical] learning curve for beginners and newcomers to the Unix universe that existed fully 15 years prior to the founding of Microsoft Corporation. There are, however, vast amounts of excellent documentation, much of it available from the O’Reilly Publishing Company. The FreeBSD developers have provided outstanding documentation, and all versions of BSD ship with complete source code so that you may examine the actual software. Unlike Microsoft, FreeBSD has nothing to hide. You may copy it, modify it, give it away, install it on 50,000 computers and it costs not one penny beyond the cost of a DVD to burn the download. Some would say that it’s like Ubuntu on a very stout dose of steroids! Try it, you’ll like it.
Unix has been open for business since 1965, and that means 47 years of continuous development; 47 years of refinement; 47 years spent perfecting, tweaking, fine tuning and adjusting the premier networking operating system in this quadrant of the galaxy. There are many pretenders, but absolutely *no* serious contenders where TCP/IP networking is concerned. As you might imagine, over these past 47 years some of the finest minds in the fields of computer science and mathematical modeling have explored and pushed the limits of Unix and we are fortunate, indeed, to be living and using Unix here and now because these pioneers of the original and only true and genuine TCP/IP networked multi-user, preemptive multi-tasking operating system created from the work of Dennis Ritchie and Brian Kernighan at Bell Telephone Laboratories, have written millions and millions of words explaining all that Unix is capable of doing, and outlining for us how we can configure our own Unix based servers and work stations to perform amazing feats of data processing and network integration all carried out at a level of excellence and reliability that is light years ahead of the next nearest network operating system. You could spend somewhere between $3500 and around $10,000 or even more if the size of your network is very large for a hardware gateway that attempts to implement bona fide “stateful packet filtering” and for all your money spent you would receive a relatively pale shadow of the precision instrument you can build from a very old Windows XP Service Pack 1.x vintage clunker running a command line operating system that “doesn’t do windows.” Your $10,000 gateway hardware device would likely be inadequate to stop some of the intrusions I have defeated over the past 15 years using laughable hardware platforms that were running the finest network operating system ever created.
You cannot purchase one anywhere, and you will *not* be excused from the requirement to study and understand how TCP/IP networks carry out their business. It will be relatively tedious. Some would say it’s downright boring, but at the end of the tunnel lies the only genuinely effective weapon you can deploy against a hostile world filled with some extremely bright and frighteningly competent attackers bent on stealing our trade secrets, copying our intellectual property, intercepting communications with your bank and credit card companies, assuming your identity if possible, or if you are a humble home computer user with no defense contracts and no ties to financial institutions, they will simply rifle through your private correspondence, read your archived email messages looking for valuables, and then move on to the next computer to do it all again to some other individual or institution. Why do they do it? Because they *CAN* !!! Why can’t folks seem to stop them very efficiently? Mainly it’s because they lack the proper tools. What are the “proper tools?” A “C average” level understanding of TCP/IP networking fundamentals, and a moderate familiarity with FreeBSD command line operations and configuration. Toss in a very old computer. One that’s totally unfit for “modern” operating systems with their lovely graphics intensive “point and click” way of doing things, and you’ll have all you need to meet would-be intruders head on and turn them away empty handed. It’s sort of a digital equivalent of Habitat for Humanity.
What we’re talking about here, ladies and gentlemen, is a bit of old fashioned “sweat equity.” If you are willing to endure the discomfort of learning the nuts and bolts of TCP; if you are willing to endure the discomfort of learning to configure and control a Unix based server from a command line interface where there isn’t a single thing anywhere in sight that looks even remotely “clickable,” then you are already on your way to having the capability to keep intruders out of your equipment and prevent them from stealing your identity or your money or your trade secrets and intellectual property. You won’t have to depend on Norton or Avast or Microsoft or anyone else because you will have created your gateway machine “the old fashioned way.” You will have earned it. You will understand it inside and out. In the unlikely event that it requires attention after you put it in service, you won’t need to hire a consultant like me who might charge you anywhere from $250 to $500 or more per hour to do the same work that you *can* do for yourself. There are some very clever hackers out there, but not many at all can match my experience and expertise. Know this: To defeat a hacker, you *must* know *everything* the hacker knows about intrusion and in addition, you must also know at least one thing the hacker does *not* know!!! When you have attained this level of understanding, the childish amateurs will no longer be a problem. At my level, only the cream, the “hacker elite,” stand any realistic chance of penetrating (unless I have allowed them in and routed them to my Honey Pot so that I can study their methods and devise effective countermeasures.) I may not be able to keep 100% of them out, but I absolutely *can* keep out 99.9995% of them, and the other .0005% of them that do get in these days inevitably end up working long hours only to discover that they have succeeded in breaking into a Honey Pot that has recorded their every keystroke so I can study it at my leisure.
Don’t be a victim of shoddy software engineering! Networking does not require slick graphical interfaces, what it requires is a *System Administrator* who knows his business. One who has bothered to study TCP. Why? Because TCP is the engine that powers the internet, and the Internet is where the fish are biting, isn’t it? Al Gore did not “invent” the Internet, and neither did Microsoft. The Internet was invented at the request of the Department of Defense as a communications system to be used in the event of nuclear war with the Soviet Union. The mouse is *not* a necessary networking tool. The Berkeley Packet Filter *is* a necessary networking tool. It does not come with any version of Windows. You can’t get it from Ubuntu. Mac users don’t have it and can’t get it. There’s only one place where you’ll find it. FreeBSD. All it costs is a little blood, sweat and tears. Like anything else in this universe that’s truly worth having, a safe and intrusion-free networked computer connected to the publicly routed Internet can only be yours after you have *earned* it. You earn it by study, and by trial and error. It takes about 5 years to train a competent Sysop level Unix administrative assistant. On average it takes about 10 years of experience before you can call yourself a Unix System Administrator. It’s worth the effort. Those of you who invest the time and energy will one day be able to join me in saying “I don’t need Norton 360 because I keep them out using what I have learned through study and through trial and error.” Not only do I keep them out, but I do a consistently *better* job of it than any so-called Internet Security Suite I have yet encountered. I keep them out using a 47 year old operating system and a packet filter that was robust and mature 10 years ago and has not had a significant “critical update” in all that time. 
They did it right the first time and avoided the necessity to do it over and over and over day after week after month after year, as seems to be the method of some of our friends who produce operating systems for sale. I use an operating system and software that didn’t cost me a single penny. All it has ever cost me is the effort necessary to learn my craft. I *am* a Network Manager. I *am* a journeyman Unix System Administrator. I don’t call anyone for help, instead people all over the world hire me as a consultant and pay me outrageous fees to solve *their* problems working remotely over the Internet from my home. Hackers are welcome to try their luck. Some of them are very bright and once or twice a year I learn something from them. Most of them are mediocre. They are students. I am the teacher. Millions of Windows based PCs are the victim of unauthorized access every single day. Almost 100% of those intrusions can be prevented, and the few that are basically too expensive to prevent can usually be routed into a decoy file system where a clever System Administrator can record their keystrokes and study the methods they have used to work themselves into a big ugly surprise. After often 100 hours or more of difficult effort [I don’t make it easy for them] they discover that they managed to “crack” the safe, but there’s nothing inside. You can do everything I have learned to do, and the sooner you begin your journey the sooner you will be able to rely on your own skill and ingenuity instead of relying on Internet Security Suites that do a better job of harassing *you* than they do of harassing a would-be intruder intent on taking anything of value that he is clever enough to steal. Good luck. It won’t be easy, but it *will* ultimately prove to have been worth the effort. 
Take 10% of the time you spend at YouTube or Facebook or Twitter every week and devote that time to learning how TCP works and how to configure and control a Unix server from a plain, vanilla command line interface. In 6 months you’ll have your gateway machine up and running. A year from now you’ll feel comfortable that you are stopping everything Peter Norton’s crew can stop plus a very intense level of intrusion they don’t really address. 5 years from now you’ll be considered a Unix Guru, but you won’t really be one quite yet because some of it can’t be learned until you’ve had to confront it and overcome it and that takes time. After a decade, you will have become a competent and qualified Unix System Administrator fully able to design and implement custom configurations to perform any task. And somewhere along the way, you’ll notice that the level of annoyance has decreased to very nearly zero. You’ll be down from finding traces of 10 hackers a week to something like finding traces from perhaps 10 hackers a year. Of those 10, perhaps one or two of them will have enough skill and experience to break into your decoy file system, where you can record their keystrokes and study their methods just as I do. What changes over time? You will have seen *how* they got in, and you will have made tiny changes to your firewall script and tiny changes to the way your other applications are deployed. Every time you correct the weakness that allowed one of them to gain entry, your system becomes tougher and less rewarding for the hordes of would-be intruders. Oh it’s true that many still try. I write “count” instructions in my script to give me a record of how many tried and were turned away by this or that firewall rule, and I also record what netblock they came from and if it’s a significant number I will block inbound traffic from that entire netblock. This is unfair to innocent users in that netblock, but if it keeps out a spam gang, I’ll gladly block Obama’s netblock.
He can call me on the phone or send me some snail mail if he can’t get through. It’s amazing how many of them are still using techniques that I defeated 10 years ago. For every 1000 attempts, roughly four or five of them are intelligent enough to seriously challenge my defenses. These days the vast majority of them simply decide that it’s too tough a nut to crack and they move on to an unprotected Windows machine where they know that any reasonably bright 6th or 7th grader can break in with about an hour or so of effort and a bit of good luck finding a misconfigured firewall or a router set to DMZ and left there because it’s too much effort to turn the DMZ off again. Maybe they will find someone silly enough to purchase merchandise offered for sale in a piece of Unsolicited Commercial Email using their credit or debit card? Perhaps they can lure the unsuspecting user to a Warez site with promises of costly software free for the downloading and in the process they will deliver a cleverly designed trojan. I recently saw a very ingenious hacker trying to set up a virtual machine in which to run FreeDOS as a means to implement an outbound ftp server he apparently believed would be invisible to Windows NT. About that he was correct, but my Berkeley Packet Filter busted him instantly, stopped his first outbound ftp connect attempt and alerted me so that I was able to use a network aliasing command and redirect his next entry to my decoy file system where I enjoyed watching him scratch his head for over 45 days trying to figure out why it wasn’t working as planned. You will one day have stories like these of your own to tell. The sooner you begin, the sooner you’ll finish your apprenticeship.
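The commenter never posts his own firewall script, so here is an added example (not his code) of what the rules he describes look like for the BSD IP Firewall (ipfw) on a FreeBSD gateway, written in the style of /etc/rc.firewall: drop SYN|FIN, count and then silently drop unsolicited SYN|ACK, reject forged sources, and block a whole netblock through a table. The interface names em0/em1, the LAN prefix 192.168.1.0/24 and the blocked netblock 192.0.2.0/24 are constructed assumptions, and with `fwcmd` left at its default the script only prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the commenter's script. Constructed assumptions:
# em0 faces the Internet, em1 faces the LAN, 192.0.2.0/24 (an RFC 5737
# documentation range) stands in for a netblock the counters showed to be hostile.
oif="em0"
lif="em1"
lan="192.168.1.0/24"
blocked_net="192.0.2.0/24"

# rc.firewall convention: $fwcmd is the ipfw binary. The default here is a
# dry run that prints each rule; set fwcmd=/sbin/ipfw on the gateway itself.
fwcmd="${fwcmd:-echo ipfw}"

load_rules() {
    ${fwcmd} -q -f flush
    # Table 1 holds whole netblocks (on FreeBSD 11+ run "table 1 create type addr" first).
    ${fwcmd} table 1 add ${blocked_net}

    # Loopback is trusted; 127/8 seen on a real interface is forged.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from 127.0.0.0/8 to any
    # LAN hosts may enter the gateway on the inside interface.
    ${fwcmd} add 150 allow ip from ${lan} to any in via ${lif}

    # Forged source addresses: the source must be routable back through the
    # interface the packet arrived on; our own LAN prefix arriving from outside is a lie.
    ${fwcmd} add 200 deny log ip from any to any not verrevpath in
    ${fwcmd} add 210 deny log ip from ${lan} to any in via ${oif}

    # Netblocks the counters flagged: dropped wholesale, no reply sent.
    ${fwcmd} add 300 deny ip from "table(1)" to any in via ${oif}

    # SYN|FIN never occurs in a legitimate handshake.
    ${fwcmd} add 400 deny log tcp from any to any tcpflags syn,fin

    # Dynamic rules created by keep-state below match replies to our own
    # connections (including their SYN|ACK), so they are accepted here first.
    ${fwcmd} add 500 check-state
    ${fwcmd} add 600 allow tcp from ${lan} to any out via ${oif} setup keep-state
    ${fwcmd} add 610 allow udp from ${lan} to any out via ${oif} keep-state

    # A SYN|ACK that matched no state is unsolicited: count it, then drop it silently.
    ${fwcmd} add 700 count tcp from any to any tcpflags syn,ack in via ${oif}
    ${fwcmd} add 710 deny tcp from any to any tcpflags syn,ack in via ${oif}
    # Likewise any other segment claiming to belong to a connection we never opened.
    ${fwcmd} add 720 deny tcp from any to any established in via ${oif}

    # Default: everything not explicitly allowed is logged and dropped.
    ${fwcmd} add 65000 deny log ip from any to any
}

# "ipfw -a list" prints per-rule packet and byte counters, so rule 700 shows
# how many unsolicited SYN|ACKs were turned away since the last reset.
show_counters() {
    ${fwcmd} -a list
}

load_rules
show_counters
```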

32. Bruce

“Software firewalls allow you to easily control network access” – *EASILY*???!!! – the first thing I do when debugging network connections is turn off the firewall, and it’s amazing how often the “problem” goes away. Debugging the firewall to figure out what ports/programs/protocols need to be set to allow an application to work can be mind boggling and completely frustrating. Too often I’ve seen all ports opened up to a program because no one knew what ports/protocols the program needed to work (but it did work when the firewall was turned off).

Final thought – I’ve never seen a case where a Windows firewall alert (or a UAC alert for that matter) has ever caught or alerted someone to malware. I’m not saying it hasn’t happened (or happened but was ignored), but of the security tools available (router firewall, software firewall, anti-virus, etc.) the Windows software firewall appears to be the least beneficial and the source of the most configuration problems I’ve had to solve.
