How often do the bad guys on the Internet try to get into your computer?

While writing this article, I ran a test. Although my computers are typically behind a router whose firewall deflects unsolicited incoming connections, I put a computer in the DMZ of the router.

Computers in the DMZ are treated by the router as if they were directly connected to the Internet. This is a logical placement; no wires are moved around. Being in the router’s DMZ lets the personal firewall program (ZoneAlarm in this case) see all the incoming traffic, unfiltered by the firewall in the router.

Below is a summary of the unsolicited incoming connection attempts for a random hour:

5:51PM 1 connection
5:46PM 1 connection
5:41PM 17 connections
5:31PM 1 connection
5:14PM 2 connections
5:06PM 2 connections
5:05PM 1 connection
4:59PM 1 connection
4:58PM 2 connections
4:54PM 1 connection

Earlier this month, I wrote about how some poking around inside my router revealed unsolicited incoming connection attempts from China (Are Chinese Hackers Attacking Your PC?).

Two Firewalls Are Better Than One

As noted above, for a personal firewall running on your computer to see unsolicited incoming connections, it needs to be logically placed in front of the firewall in the router. If the router’s firewall does such a good job, do you even need a firewall application running on your computer?

Yes, you do. If for no other reason than two levels of protection are better than one.

A personal firewall does something the router-based firewall can't: protect your computer from other computers on the same Local Area Network (LAN).

You may trust the other computers on your LAN, but you shouldn't; malware happens.

Laptop users face the issue of traveling, where you are forced to share a network with total strangers. Using the Internet in a hotel room, for example, you don’t want the person in room 602 to be able to see the files on your computer.

I recently suggested traveling with a small dedicated travel router just for the firewall protection.

Windows users who really care about computer security need to install a personal firewall to get outbound filtering. (I'm not familiar with the outbound control offered by the default firewall in Macs or any Linux distributions.) This, however, is a coin with two sides.

Firewalls offering outbound control are noisy. That is, they pop up alerts asking whether to allow certain network communication. This is to be expected at first, and will die down over time, as the firewall is instructed about what to allow and what to deny.

But alerts about outbound activity will never fully go away. These alerts can be confusing and loaded with techie jargon. Even alerts worded in plain language can be too much for non-techies to deal with. The price of security has always been inconvenience.

It's a tough call whether the hassle factor of outbound control in a personal firewall is worth the protection it offers. Certainly it is for techie computer users, but for normal people, it's not so clear.

I was fortunate enough to get started with ZoneAlarm before my computer was protected by the firewall in a router. ZoneAlarm defaulted to popping up an alert any time it blocked an unsolicited incoming connection. It was a great way to see, in real time, just how dangerous the Internet is and how necessary a firewall is. I soon figured out how to turn off these alerts, but the lesson learned has persisted.

Not running a personal firewall while connected to a network is the computer equivalent of not wearing seat belts. You may be fine today and tomorrow, but some day you'll probably regret it.