I see the advice going around, again, to disable the Windows firewall and rely on an external router, the justification being that it makes your computer “invisible.” It doesn’t. Only IPV6 can do that–and then, only if you don’t use it for anything.
The trouble with that advice is that there are botnets targeting routers. Routers are nothing special; they’re small computers running Linux on an ARM or MIPS CPU, typically outdated versions with old vulnerabilities that can be exploited by someone who knows what to look for. One example of this is the Aidra botnet. Typically Aidra is used to attack outside targets, but it’s not outside the realm of possibility for an infected router to turn on and attack the machines it’s supposed to protect. And if you’ve turned off your firewall, then you have no protection against that.
Some people don’t like Microsoft. I get that. I was anti-Microsoft in the late 1980s, before most people knew what Microsoft was. I’m still not a big fan. But the Windows firewall works. Since Windows XP SP2 shipped with an integrated firewall turned on by default, Windows-infecting worms have virtually disappeared. They were epidemic a decade ago. It’s worth the overhead. My little netbook with 2 GB of RAM in it can afford the overhead for that and more and still run fine, so leave the firewall on. It’s difficult today to buy a computer with less than 4 GB of RAM in it.
Plus, the firewall protects you when you travel. When you join a wireless network at the library, a hotel, or a coffee shop, and your laptop asks if it’s a trusted network, you say no. It’s an untrusted network.
What about vulnerabilities in the Windows firewall, one might ask? One of those turns up every 2-3 years. They aren’t common. So if your firewall is on, then someone has to find a vulnerability to bypass it, making the attack that much more complicated, and impractical. If your firewall is off, they can just march right in.
Routers are great. They let multiple computers share an Internet connection. And, at least to some degree they add another layer of protection. But that extra layer is properly used as additional depth, not a substitute for something running locally. Of all the major vendors, only few are good about releasing security updates. The practice of setting up routers and forgetting about them, common for the last 13 years or so, is a time bomb.
So if you need a router, buy a router. I like the Asus RT-AC66U . If you need security, turn on your Windows firewall, make sure you’re installing your patches, your antivirus software is running, and that you’re running EMET. And the next time your router fails, replace it with an Asus.