Windows versions from XP onward include a built in firewall. But is Windows Firewall enough security?
Yes. And no. Security answers are almost always complicated. But I’ll explain.
Is Windows Firewall enough security? Yes.
From a firewall perspective, Windows Firewall is enough security. There is no need for a third-party firewall. All third-party firewalls do is give you more notifications or ask you more questions, effectively turning them into nagware.
I don’t like nagware. Nagware always leads to two extremes: saying yes too much, or saying no too much. If you say yes too much, you no longer have any security. If you say no too much, nothing works and your computer becomes a glorified Etch-a-Sketch.
Windows Firewall strikes a good balance. It protects you when you connect to the wifi networks in the coffee shop, as long as you tell Windows it’s a public network when you connect. It rarely nags you and rarely blocks things. When it does block things, it’s not difficult to unblock them.
In the most secure corporate environment I ever worked in, we ran Windows Firewall on every PC on the network. We had rules that kept workstations from talking to each other and even to some servers. PCs that needed to talk to each other could, but if two PCs had no reason to be talking, we had rules that blocked it.
So the Windows Firewall is good enough to be an integral part in a really paranoid company’s security. But it wasn’t the only thing that company did. Which leads me to the counter-argument.
Is Windows Firewall enough security? No.
Because you need more than a firewall to have security. A firewall protects you from some kinds of attacks, like worms and port scans. But a firewall does very little to protect you from viruses and other security threats. You still need to run antivirus. You still need to let your computer update every month. You need to run a supported Windows version. You still need spam filtering on your e-mail. You still need antivirus. And I really, really want you to change your DNS server to one that blocks malware domains.
All of these things are important. Which one is more important depends on your unique situation. Firewalls are very important for someone who travels a lot and is always connecting to hotel and restaurant and airport wifi. Firewalls are less important for desktop PCs that spend their entire life sitting on one trusted network.
Unfortunately, there are people who remember Steve Gibson’s turn-of-the-century rhetoric that a firewall makes you invisible on the Internet, and therefore conclude that if you have a good firewall, you’re invincible. Large companies spend millions of dollars every year on security. A good corporate firewall costs around $20,000. They buy a lot more than just firewalls.
Some opportunistic attacks do hit firewalls. But a modern attack is much more likely to come via e-mail or a web page. So while you need a firewall to block those opportunistic attacks, being immune to network attacks doesn’t make you invincible. This is a little morbid, but think of it like a bulletproof vest. It protects you from bullets. But it won’t do much to keep you from getting hit by a bus.