Is the Windows firewall safe enough?

Is the Windows Firewall safe enough? I wish more people would ask that question rather than make assumptions.

I wish I had a nickel for every time I’ve heard an unsubstantiated statement like “Windows firewall is junk.” I went looking, and the best I could find was this, an editorial that said it doesn’t do enough to address outbound connections, particularly on a program-by-program basis.

OK, point taken. But “enough” is a moving target.

For several years, I would routinely install ZoneAlarm on people’s machines. The problem is, most people didn’t pay attention to the alerts. They either clicked yes to everything, which defeated the enhanced security, or they clicked no to everything, which meant good software got blocked along with bad.

So when Microsoft added a firewall to Windows XP and subsequent versions, I gave up on third-party firewalls. Keeping bad-behaving programs from making outbound connections can be useful, if you’re willing to keep up with it. Then again, you can accomplish the same thing by not installing the bad-behaving program in the first place.

That’s been my general rule for a long time. I don’t install free software unless it’s licensed under an open-source license like the GNU GPL that allows outsiders to examine the source code and make sure it’s safe, or it’s from a reasonably trustworthy vendor. Yes, you can insert your favorite Microsoft joke here. I adopted that personal policy soon after spyware became a known problem (probably 2000 or 2001) and I haven’t had an instance of spyware since.

And if I install a program that legitimately needs to make an outbound Internet connection in order to work, it works without any additional pain or effort.

If I learned anything when I was doing desktop support, it’s that giving too many alerts is bad. In the days of Internet Explorer 4 or Internet Explorer 5, when it connected to the Internet, it would show a scary popup that said something like, “You’re about to connect to the Internet zone. Are you sure you want to continue?” And who knew what the “Internet zone” was, anyway? It was just a phrase Microsoft made up. In the end, it was a useless annoyance and Microsoft eventually scrapped it. After all, if I launched something called “Internet Explorer,” chances are I wanted to access something else with the word “Internet” in it, right?

Microsoft has toned it down a lot in recent years, but the vestiges remain. I still have people ask me if they should let Windows install updates, or let Flash or Java update. And it doesn’t matter how many times I assure them it’s OK. They don’t do it.

So, given the choice, I’d rather have a firewall that quietly does a decent job than a firewall that asks questions all the time. I spent nearly 10 years of my career sitting next to one firewall guy or another, and I’ve never met anyone else who wants to learn what those guys knew.

I built my first router in 2000, by installing a pair of network cards and Red Hat Linux 6.0 in my old Compaq 486 computer. I’ve been relying on the built-in firewall of a router as my first line of defense ever since. And I’ve relied on the firewall included with Windows as a second line of defense ever since getting my first Windows XP computer. Between the two, I’ve been fine.

There could be a very legitimate reason why one person might need something more. But if you can’t think of a good reason why, then what you have is probably good enough.
