
Router firewall; on or off?

Oct 3, 2005 2:43PM PDT

I searched this forum on this subject but haven't seen a clear answer. I always turn my router firewall off because I thought it's a bad idea to run 2 firewalls. But then, I see many people use both and say that they work differently. Which one is the correct setup?

By the way, my wireless router is Motorola.


For What it's Worth, I use....
Oct 3, 2005 3:02PM PDT

a D-Link wired router with firewall enabled as primary stopper and have my XP firewall engaged behind it for backup and have had no problems with this setup. Not perfect protection but I'm fairly comfortable and results have been complete protection (so far LOL!).

Two way firewalls! Who's buying?
Oct 3, 2005 8:03PM PDT

The proximity of your inquiry begs for clarification. A router is considered a very good hardware firewall. It employs as one of its advantages the ability to inspect all incoming data through a process known as stateful packet inspection. The router is in its own right a separate address, being a component and therefore adds another dimension to its popularity through making any computer connected to the hardware virtually invisible. That is, your personal computer, its respective address is not available to the internet. However one of the limits as to a router's place on our respective desktops is that a router does not provide two way monitoring. That is, its usefulness is limited for the most part with information coming in not going out. The need as to a particular computer is to provide a software firewall that provides a two way ability of what comes in and what goes out thereby increasing the security. Being behind if you will a corporate identity through a router is further enhanced with a good two way software firewall like a ZoneAlarm firewall. This type of defensive posture is very effective in providing increased privacy rules and greater protection. Though the prior poster suggests the Windows firewall, SP1 or SP2 it doesn't matter because neither of the two firewalls provides the ability to monitor outgoing information. The result would provide the black hats of this world with the ability to dial out once they have gotten in. I would recommend looking to a two way ability in your computer's firewall so that you might in fact enjoy some privacy. This particular defensive positioning must be supported and much more is required if indeed you are to stand a chance not to be taken down by a virus or some other unearthly form of malware.

Be wary of the Grey Area!
Oct 3, 2005 8:22PM PDT

There is no point in half measures!

Well, I'll turn it on then.
Oct 3, 2005 8:52PM PDT

I don't use Windows Firewall in any of my notebooks. 2 of them use Norton, one uses Sygate and the other uses ZA. I'm trying to switch out from Norton but need to try out which one I like first.

Thanks for the explanation Kingdom

Absolutely correct! I would recommend same.....
Oct 4, 2005 3:05PM PDT

(perhaps not ZA given recent events) for any user. I'm lazy and use so many scanners/protectors/blockers etc that I'm OK with my set-up which includes full scans before connecting to net always. Sometimes neophytes have problems correctly setting up permissions for all programs needing access (& may not even realize that program XXX needs access) so a 1 way may be better than nothing 'til they know their systems better. Thanks for the post.

The reason
Oct 4, 2005 7:14AM PDT

I believe the reason why people say that two firewalls should not be used on the same computer is because they often interfere with each other. A router is not on your computer. I use a router as well as NIS2005. As stated above, one stops inbound (the router) and one stops outbound (NIS2005 or another software firewall). They won't interfere with each other.

The more the better (in some cases)
Oct 7, 2005 9:29PM PDT

You should definitely turn it on, why?

Well, nowadays the Internet is getting worse in terms of risk and security issues, so you should definitely turn it on and add an extra layer of security to your entire network.

It should not cause you any problem combining 2 firewalls, as long as 1 is hardware based (like your router's) and another software based (installed on each computer).

What you won't do is combine 2 software firewalls running together on the same computer; that may cause confusion between them and on some occasions crashing, but on my own I run 2 software based firewalls (Panda and BlackICE) and don't have any problem except when trying to use p2p progs or BitTorrent.

So it's your bet.

Jorge R.
Mexico City

A simple answer
Oct 8, 2005 12:00PM PDT

Using your router's firewall will make your computer virtually invisible to the internet since anyone or anything trying to probe your connection will only see your router and not your computer.
It's really the only way a router can work and it's called NAT, "network address translation". Every computer connected to the router is assigned its own unique address by the router, so every transaction can be coordinated by the router within your home network regardless of the internet.
The only benefit of using a software firewall is if you don't have a hardware firewall and the fact that they defend against malicious software.
The only problem with software firewalls is that they tend to eat up system resources, whereas hardware firewalls don't. So you have to decide, do you use a software firewall or a good spyware program to protect against malware.

Maybe the answer is too simple
Oct 10, 2005 2:01AM PDT

Everyone should go back up the thread and read #3 by "tobeach". He gave a good and complete answer.

If you turn off your software firewall you are leaving yourself vulnerable to allowing information to be sent from your computer among other things.

Say for instance, you see a piece of interesting software (game, music, etc.) and decide to download it and give it a try. Now suppose the software had a trojan aboard that loaded a key logger. Once you finished the installation of the software and started typing away, all your input would be visible to someone somewhere out there in netsville. The hardware firewall would not have stopped your initial download of the bad file and is not designed to stop the outbound data because it is assumed that you are intentionally sending something to someone. Your only weapon against this and similar threats is the software firewall. That's why the large majority of people use them: "outbound protection".

Telling people that the software firewall is an unnecessary security component is sending them trouble. As for the system resources used by the firewall I can't say what percentage of system resources is used because I'm sure it depends on the brand of firewall and the total resources available. I use Zone Alarm Pro and have for years and I have never been able to see that it is using a noticeable portion of my system resources. For that matter most computers in this day and age have enough RAM and hard drive capacity that overburdening of system resources is almost a non-existent phenomenon in normal computer use.

Oct 9, 2005 10:03PM PDT

Good question... I have a small workgroup at work. Each PC has Norton Systemworks Internet Security firewall. One is W2000Pro, the other 3 are XP Pro with SP2. I use VPN to my home to 2 XP Pro with SP2. One at home has Norton Systemworks Internet Security firewall, the other I've been using McAf to scan all in the workgroup for virus (catches 1 or 2 a week - always coming in e-mail).
I have Linksys BEFVP41 VPN Routers on each end. At work Comcast makes me use their RCA Modem. At home I have Linksys WRK54G Wireless G to my notebook WPC54G. I replaced my tried and true home BEST cable modem with Linksys BEFCMU10 ver.3. Then I couldn't see any of the workgroup computers on the other side of the VPN - from either side. THE FIRST THING LINKSYS TECH SUPPORT DID WAS HAVE ME TURN OFF ALL SOFTWARE FIREWALLS ON EACH COMPUTER. BINGO! I now see them all.

A possible answer
Oct 10, 2005 2:26AM PDT

I'm not sure I follow your layout but it sounds like you have a router at work and two(?) routers at home.

I can understand tech support telling you to turn off your software firewall as a diagnostic step in solving your problem. However, I doubt seriously that they meant for you to leave it turned off. My guess is that you haven't correctly set up the software firewall.

If all your home computers don't have the same local network name and haven't been given membership in the local network via the firewall they will not see one another or the router. I assume from the size of your network that you do not employ a server and thus operate as a "workgroup". That means each computer has to be configured to use that workgroup's name and each has to be given firewall permission to access the local network using that workgroup name.

Being able to share folders across a network composed of a mixture of Windows 2000 and Windows XP computers is very possible but the setup on the differing computers can be trying. The XP sharing setup is more restrictive than is 2000.

Is- It -Safe?
Oct 10, 2005 4:54AM PDT

I would like to know the answer to that also. I have a router and just one PC. I have Norton System Works which includes a personal firewall, and that's on also. Where I get lost is when people tell me it's OK to have both of them on. They say, using a router makes it next to impossible to be hacked or for viruses to get through. Is that true? Are you safer with a router? If you have a router do you need Firewall software? Thank you. -- Ray.

Hope this helps
Oct 11, 2005 11:24AM PDT

Since you already have a router and a software firewall, I would go ahead and use both, unless you begin to notice your system speed going down. The router firewall comes in handy because the hackers with the skill required to get past the firewall focus on corporate targets where the potential yield will be much higher. If it comes down to you having to choose one or the other, I would go ahead and go with the software firewall. It provides adequate protection from hackers for the normal user, and it usually includes software that prevents the installation of malicious software and viruses. The problems that once caused conflicts between running two firewalls have been mostly resolved however, so hopefully you won't have to make a choice.
Another thing to be aware of is that in systems running SP2 of XP, there is a built-in firewall. Since you have SystemWorks, I would disable this as it probably won't have any additional benefits and will only eat up system resources. To do this go to the Control Panel and there should be (in Classic view) an icon that says Windows Firewall. Double-click on it and turn it off. Also, don't forget to encrypt your network if you have a wireless one.
I hope this helped you make a decision, it basically comes down to weighing the pros & cons of each decision.

If you just have 1 computer
Oct 17, 2005 3:09AM PDT

If you just use 1 computer there's no need to use a router, the router is designed for sharing one internet connection or sharing between computers.

Although it's true that adding a router adds an extra security layer, first hiding your computers from the rest of the internet, since it performs NAT (network address translation), from the outside you can see just 1 connection even though at the inside of your network it has many computers connected.

Second: the SPI (stateful packet inspection) firewall which checks every packet sent and received and verifies it was solicited, and the destination is correct, that it's not corrupted, etc.

So it's an extra layer of security, but if you just have 1 computer and won't share your connection you don't need a router, just make sure to have a good software firewall, and don't just rely on Win XP SP2 firewall, nor Symantec Internet Security firewall, I shall recommend for best Zone Alarm, Black Ice, etc.

Consider that your protection is as good as it is updated, so your software firewall would be updated every week or more, but the router firewall is not updated so don't just trust on having a router firewall, it gives you an extra layer of protection and makes it harder to hack your network, but won't stop viruses, spyware and others.

Also you can look for all in one solutions, which include: router, firewall, antivirus and spyware protection in a box.

PS: also check my other post here

Jorge R.
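
The split this thread keeps returning to (the router's NAT/SPI table only admits solicited inbound traffic, while outbound filtering is left to a per-program firewall on the PC) can be shown with a small model. This is an added example, not part of any post above; it is a simplified sketch that assumes a router forwarding all outbound traffic by default, and the class and function names, program names and addresses (documentation ranges) are all constructed for illustration.

```python
from dataclasses import dataclass, field

ROUTER_WAN_IP = "203.0.113.10"  # constructed address (RFC 5737 documentation range)

@dataclass
class NatRouter:
    """Toy NAT + stateful-inspection table (hypothetical model, not a real router API)."""
    next_port: int = 40000
    # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN -> internet: always forwarded, and state is recorded for the reply."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return ("FORWARD", ROUTER_WAN_IP, wan_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """Internet -> WAN: forwarded only when it matches state created by the LAN."""
        dest = self.table.get((wan_port, remote_ip, remote_port))
        return ("FORWARD", *dest) if dest else ("DROP", None, None)

def host_firewall(program, allowed_programs):
    """Per-program outbound rule on the PC: the 'two way' part the router lacks."""
    return "ALLOW" if program in allowed_programs else "BLOCK"

def demo():
    router = NatRouter()
    allowed = {"browser.exe"}  # constructed allow-list
    results = {}
    # Solicited: the browser opens a connection, so the reply matches the table.
    _, _, port = router.outbound("192.168.1.20", 51000, "198.51.100.5", 443)
    results["reply"] = router.inbound("198.51.100.5", 443, port)[0]
    # Unsolicited: a different remote host probes the same WAN port.
    results["probe"] = router.inbound("198.51.100.99", 4444, port)[0]
    # Outbound from a program the user never approved: the router forwards it,
    # and only the host firewall's per-program rule refuses it.
    results["router_unknown_out"] = router.outbound(
        "192.168.1.20", 51001, "198.51.100.99", 80)[0]
    results["host_unknown_out"] = host_firewall("unknown.exe", allowed)
    results["host_browser_out"] = host_firewall("browser.exe", allowed)
    return results

if __name__ == "__main__":
    print(demo())
```
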