Quick Links

There are two types of firewalls: hardware firewalls and software firewalls. Your router functions as a hardware firewall, while Windows includes a software firewall. There are other third-party firewalls you can install, too.

In August 2003, if you connected an unpatched Windows XP system to the Internet without a firewall, it could be infected within minutes by the Blaster worm, which exploited vulnerabilities in network services that Windows XP exposed to the Internet.

In addition to demonstrating the importance of installing security patches, this demonstrates the importance of using a firewall, which prevents incoming network traffic from reaching your computer. But if your computer is behind a router, do you really need a software firewall installed?

How Routers Function as Hardware Firewalls

Home routers use network address translation (NAT) to share a single IP address from your Internet service provide among the multiple computers in your household. When incoming traffic from the Internet reaches your router, your router doesn’t know which computer to forward it to, so it discards the traffic. In effect, the NAT acts as a firewall that prevents incoming requests from reaching your computer. Depending on your router, you may also be able to block specific types of outgoing traffic by changing your router’s settings.

You can have the router forward some traffic by setting up port-forwarding or putting a computer in a DMZ (demilitarized zone), where all incoming traffic is forwarded to it. A DMZ, in effect, forwards all traffic to a specific computer – the computer will no longer benefit from the router acting as a firewall.

wrt54g-wireless-router

Image Credit: webhamster on Flickr

How Software Firewalls Work

A software firewall runs on your computer. It acts as a gatekeeper, allowing some traffic through and discarding incoming traffic. Windows itself includes a built-in software firewall, which was first enabled by default in Windows XP Service Pack 2 (SP2). Because software firewalls run on your computer, they can monitor which applications want to use the Internet and block and allow traffic on a per-application basis.

If you’re connecting your computer directly to the Internet, it’s important to use a software firewall – you shouldn't have to worry about this now that a firewall comes with Windows by default.

windows-firewall-control-panel

Hardware Firewall vs. Software Firewall

Hardware and software firewalls overlap in some important ways:

  • Both block unsolicited incoming traffic by default, protecting potentially vulnerable network services from the wild Internet.
  • Both can block certain types of outgoing traffic. (Although this feature may not be present on some routers.)

Advantages of a software firewall:

  • A hardware firewall sits between your computer and the Internet, while a software firewall sits between your computer and the network. If other computers on your network become infected, the software firewall can protect your computer from them.
  • Software firewalls allow you to easily control network access on a per-application basis. In addition to controlling incoming traffic, a software firewall can prompt you when an application on your computer wants to connect to the Internet and allow you to prevent the application from connecting to the network. This feature is easy to use with a third-party firewall, but you can also prevent applications from connecting to the Internet with the Windows firewall.
windows-firewall-prompt

Advantages of a hardware firewall:

  • A hardware firewall sits apart from your computer – if your computer becomes infected with a worm, that worm could disable your software firewall. However, that worm couldn’t disable your hardware firewall.
  • Hardware firewalls can provide centralized network management. If you run a large network, you can easily configure the firewall’s settings from a single device. This also prevents users from changing them on their computers.

Do You Need Both?

It’s important to use at least one type of a firewall – a hardware firewall (such as a router) or a software firewall. Routers and software firewalls overlap in some ways, but each provides unique benefits.

If you already have a router, leaving the Windows firewall enabled provides you with security benefits with no real performance cost. Therefore, it's a good idea to run both.

You don’t necessarily have to install a third-party software firewall that replaces the built-in Windows firewall – but you can, if you want more features.