What is a firewall and why do you need one?

Of the many computer security measures available to end users, none is more confusing to the novice than the firewall. I can understand why. Unlike anti-virus or anti-spyware tools, a firewall doesn't immediately telegraph what it does. I wouldn't be surprised if many people thought it was designed to prevent fires inside your computer. (It doesn't.)

I'm writing this post for novices, so please forgive any over-simplifications. Basically, a firewall is software (or hardware) that blocks malicious attacks on your computer from coming through over the internet. But wait, you might say, don't most malware attacks, like viruses, come over the internet? They do, but the difference is that with viruses and spyware, there is generally some human interaction that starts the infection: You might open an infected email or visit a bad website, for example. Anti-virus software helps in these situations where you're actively involved in the process.

But believe it or not, many, many computer attacks come over the internet even if you aren't at your desk and your web browser and email client are closed. Thanks to the millions of zombie PCs in the wild, attack computers are constantly scanning the internet, almost at random, looking for unprotected computers to attack. These zombies continuously scan for security holes (and I won't go into the intricate details of how this works), many of which are caused by Windows. It's like walking down the street, trying all the car doors to find one that's unlocked. If your computer is connected to the internet, they will find you—fast. Before a firewall was added to Windows XP in Service Pack 2, it was commonly held that an unprotected Windows machine connected to the internet would be infected with some form of malware within 20 minutes and in some cases as quickly as 4 minutes. Just plug it in, and the bad guys do their work.

So where does a firewall come in? A firewall plugs the security holes I mentioned and blocks that bad, random traffic from coming through to your computer. Anti-virus won't help you in many of these cases. You really need a firewall to stop a lot of this stuff.

The good news is that you probably already have a firewall up and running. The best firewalls are found inside router hardware (either wired or wireless) that you attach to your broadband modem. Every router I've ever tried has the firewall turned on by default, but check in the configuration tool to make sure it is. It should be easy to find. You usually need not configure it any more other than turning it on.

Don't have a router? Turn on the Windows Firewall by going to the Windows Firewall control panel (in XP or Vista). It also needs no additional configuring, and in my experience it is just as good as using a third-party firewall software product. You do not need both a router-based firewall and the Windows firewall. One will do.

Once your firewall is on, you can largely forget it and let it do its work. You may not notice this silent friend protecting you in the background, but believe me, you'll notice if you turn it off.