Don’t use software firewalls: Good advice or bad?

A common piece of well-meaning advice you’ll hear is that you should never use software firewalls. But is that good advice, or bad?

On the surface, it’s good advice. It’s much better to use the firewall built into a cable/DSL router. But the software firewall built into Windows XP, Vista, 7, and (presumably) 8 makes for a good second line of defense, so I don’t recommend disabling it.

I’ll explain further.

First, let’s talk about why you want a cable/DSL router as a first line of defense.

There is one certainty when it comes to your standard cable/DSL router: It’s not running Windows. It could be based on Linux, it could be based on VxWorks, or it could be running something else. But whatever it is, standard Windows vulnerabilities will bounce right off it.

It’s probably not running on an Intel or AMD x86 CPU either, unless you’re running DD-WRT x86 by some chance. Most commercial routers run on ARM or MIPS CPUs to keep cost and power consumption down, and they have a nice side effect: off-the-shelf exploits that assume the x86 instruction set won’t work on them. They might crash the router, conceivably, but they won’t gain access.

When you’re relying solely on a Windows-based firewall, if it fails due to a vulnerability or something else, the attacker is in and your computer is pwned. Game over.

At worst, the router will slow down an attacker. A determined attacker can query your router, figure out what it is, and perhaps find and exploit a vulnerability to break into it. But chances are they’ll move on to someone with less security. And worms and other malware prowling the Internet for hapless unpatched Windows boxes to infect will just keep on moving.

But what if they do break in? Well, then they’re sitting on your router. They’re on the perimeter of your network and they can do some things, but they aren’t on your computer yet.

Some people will use two routers instead of one, because of this. The thinking being, fine, you got through my Linksys, but now if you want to get any further, you’ll have to get through my Netgear. If you happen to have an 8-foot fence and a gate around the perimeter of your property to keep paparazzi out, then you’re probably a good candidate for that kind of setup. But if you’re an ordinary person who’s not likely to be a direct target, it’s overkill.

But it’s good to have some kind of additional protection, just in case. The firewall built into Windows would be fine.
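To make the "second line of defense" argument concrete, here is an added example that is not from the original post: a small Python model of the default policy both a consumer router and the built-in Windows firewall apply, which is to allow outbound connections, remember them, and drop any inbound packet that is not a reply to one. The packet layout, addresses, port numbers and class names are constructed for the illustration. The second scenario models a router that has been broken into and now passes everything through, and shows that the host firewall behind it still drops an unsolicited inbound connection.

```python
from collections import namedtuple

# Constructed packet model: direction is "in" (arriving from the Internet)
# or "out" (leaving the PC). Addresses use documentation ranges.
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port proto")


class StatefulFilter:
    """Minimal model of a default-deny-inbound firewall (consumer router or
    Windows firewall): allow every outbound flow and remember it, allow an
    inbound packet only if it answers a remembered flow or matches a port
    you deliberately opened. fail_open models a layer that has been
    compromised or bypassed and no longer filters anything."""

    def __init__(self, inbound_allow=(), fail_open=False):
        self.flows = set()                        # (local_ip, local_port, remote_ip, remote_port, proto)
        self.inbound_allow = set(inbound_allow)   # (dst_port, proto) pairs explicitly opened
        self.fail_open = fail_open

    def filter(self, pkt):
        if self.fail_open:
            return "allow"
        if pkt.direction == "out":
            # Remember the flow so its replies are let back in.
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "allow"
        # Inbound: only replies to flows we started, or explicitly opened ports.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto) in self.flows:
            return "allow"
        if (pkt.dst_port, pkt.proto) in self.inbound_allow:
            return "allow"
        return "drop"


def layered_verdict(layers, pkt):
    """Pass a packet through each (name, filter) layer in order; the first drop wins."""
    for name, fw in layers:
        if fw.filter(pkt) == "drop":
            return f"drop@{name}"
    return "allow"


def run_scenario(router_fail_open=False):
    """Return the verdict for three constructed packets: a browser request,
    the web server's reply, and an unsolicited probe from the Internet."""
    router = StatefulFilter(fail_open=router_fail_open)   # first line of defense
    host = StatefulFilter()                               # Windows firewall, second line
    layers = [("router", router), ("windows-fw", host)]

    request = Packet("out", "192.168.1.10", 51000, "203.0.113.5", 80, "tcp")
    reply = Packet("in", "203.0.113.5", 80, "192.168.1.10", 51000, "tcp")
    probe = Packet("in", "198.51.100.7", 40000, "192.168.1.10", 445, "tcp")

    return {
        "browse": layered_verdict(layers, request),
        "reply": layered_verdict(layers, reply),
        "probe": layered_verdict(layers, probe),
    }


if __name__ == "__main__":
    print("healthy router:     ", run_scenario())
    print("router broken into: ", run_scenario(router_fail_open=True))
```

With a healthy router the probe is dropped at the perimeter; with the router failed open it is dropped by the host firewall instead, while the browsing session works in both cases. That is the whole case for leaving the Windows firewall on: it costs nothing in the normal case and only matters once the first layer has already failed.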

Note that I said the firewall built into Windows is fine. There are third-party software firewalls, but there’s no reason why they’re any more effective than what you already have. In one significant way, some of them are worse. Many of them nag you any time any program tries to access the Internet and ask for permission. And in most cases, that leads to complacency. Either you say no all the time, and nothing works, or, more likely, you say yes all the time and end up having minimal protection. The firewall built into Windows gives you a reasonable balance and doesn’t cost you any extra money.

The Windows firewall won’t be impervious, but an attacker has to get through the router first, and given the limited computing resources available on a router, most attackers won’t think it’s worth the trouble. The combination of the two is enough to keep all but a determined attacker honest. If your house’s security is less than that of a minimum-security prison, your network can probably get by with the combination of a commodity, consumer-grade router, backed up by the built-in Windows firewall.
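Since the advice here is "leave the built-in firewall on," the practical check is whether it actually is on, for every network profile, with inbound blocked by default. As an added example that is not part of the original post, the Python below parses the text that `netsh advfirewall show allprofiles` prints on Vista and later and flags any profile that is off or that allows inbound traffic by default. The embedded sample output is constructed in the shape of that command's output, not captured from a real machine; the `audit_live` helper that runs the real command is an assumption of this example and only works on Windows.

```python
import re
import subprocess

# Constructed sample in the shape of `netsh advfirewall show allprofiles`
# output (Windows Vista/7). The Public profile is deliberately misconfigured
# so the audit has something to report.
SAMPLE_NETSH_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound

Ok.
"""

PROFILE_RE = re.compile(r"^(\w+) Profile Settings:\s*$")
# Key and value are separated by a run of two or more spaces; keys may contain single spaces.
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s{2,}(.+)$")


def parse_profiles(text):
    """Return {profile_name: {setting: value}} from netsh-style output."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = {}
            continue
        if current is None or not line.strip() or line.startswith("-"):
            continue
        m = KV_RE.match(line)
        if m:
            profiles[current][m.group(1).strip()] = m.group(2).strip()
    return profiles


def audit(profiles):
    """List every profile that is off or whose inbound default is not BlockInbound."""
    findings = []
    for name, settings in profiles.items():
        state = settings.get("State", "unknown")
        if state.upper() != "ON":
            findings.append(f"{name}: firewall is {state}")
        policy = settings.get("Firewall Policy", "")
        inbound = policy.split(",")[0] if policy else ""
        if inbound.lower() != "blockinbound":
            findings.append(f"{name}: inbound default is {inbound or 'unknown'}, expected BlockInbound")
    return findings


def audit_live():
    """Run the real command (Windows only) and audit its output. Assumed helper."""
    out = subprocess.run(["netsh", "advfirewall", "show", "allprofiles"],
                         capture_output=True, text=True, check=True).stdout
    return audit(parse_profiles(out))


if __name__ == "__main__":
    for finding in audit(parse_profiles(SAMPLE_NETSH_OUTPUT)) or ["all profiles OK"]:
        print(finding)
```

The Public profile is the one that matters on a laptop that leaves the house, because that is the profile Windows applies on networks it does not recognize, so a check like this should report on every profile rather than just the one currently active.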

One thought on “Don’t use software firewalls: Good advice or bad?”

  • October 10, 2011 at 1:04 pm

    This is an interesting post. I’ve never really heard the argument that hardware firewalls are intrinsically better than software-based ones, and I’m not sure that I agree with it. I think that hardware-based firewalls are probably, as a whole, better “out of the box” than software-based ones. From a security point of view, it would be better if, when either one fails, they fail to an “all-closed” state rather than an “all-open” state, and maybe that’s one difference between the two. I’d rather come home and find all ports blocked rather than all ports open.

    The biggest problem with firewalls is that, to make your network useful, you have to poke holes in them. The best firewall in the world won’t stop a SQL Injection attack, because by design, SQL is allowed through the firewall. Combine that with the approach that many corporate firewalls seem to take (“everything outbound is okay”) and you can set yourself up for bad news with a strong case of false security.

    Firewalls are a great way to explain the security triangle (secure/usable/cheap) to people that don’t understand the concept. 😉
