Are Software Firewalls advised in addition to hardware firewall

tometh asked
Medium Priority
Last Modified: 2013-11-16
Small network (12-15 client nodes, 5 servers, two tape backups), broadband gateway and hardware firewall.

How important is it to complement the network hardware firewall with software firewalls on the clients, and why? I'll need to explain and justify to the CEO next week.

It was my understanding that software firewalls are recommended as an additional layer of security against unwanted outbound traffic that might easily pass the hardware firewall in outgoing traffic. Is this still valid?

Also what recommendations would you make for spyware utilities.  Are most well secured networks running two different spyware products on all clients?

Thanks for all advice and commentary!

Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013
Software Firewalls can be appropriate.  A hardware firewall typically only blocks incoming attacks.  Some can block outgoing as well, but need to be configured and even then to let the user actually work, you will likely have to permit SOME ports to be open.

A software firewall running on a computer can help ensure that no spyware/adware installed on a computer by accident is able to transmit that data out of the network.  Users must be trained appropriately, but with such training, the odds of a security breach DO go down.
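To make the two layers in the answer above concrete, here is an added example (not part of the original answer): a port-based perimeter egress filter and a per-program host firewall evaluated against the same outbound attempts. The policies, program paths and addresses are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample data: outbound connection attempts from client PCs.
Conn = namedtuple("Conn", "client program proto dport dst")

ATTEMPTS = [
    Conn("pc01", r"C:\Program Files\Internet Explorer\iexplore.exe", "tcp", 443, "198.51.100.10"),
    Conn("pc01", r"C:\Users\pat\AppData\Local\Temp\toolbar_helper.exe", "tcp", 80, "203.0.113.66"),
    Conn("pc02", r"C:\Program Files\Mail\mailclient.exe", "tcp", 25, "198.51.100.25"),
    Conn("pc02", r"C:\Windows\Temp\updchk.exe", "tcp", 6667, "203.0.113.70"),
    Conn("pc03", r"C:\Users\lee\AppData\Roaming\svch0st.exe", "tcp", 443, "203.0.113.66"),
]

# Assumed perimeter policy: egress is filtered by protocol and port only,
# because users need web, mail and DNS to work.
PERIMETER_EGRESS = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}

# Assumed host firewall policy: per-program allow list, everything else denied.
HOST_ALLOW = {
    r"c:\program files\internet explorer\iexplore.exe": {("tcp", 80), ("tcp", 443)},
    r"c:\program files\mail\mailclient.exe": {("tcp", 25)},
}

def perimeter_allows(c):
    """The perimeter sees only protocol and port, not the sending program."""
    return (c.proto, c.dport) in PERIMETER_EGRESS

def host_allows(c):
    """The host firewall knows which program opened the socket."""
    return (c.proto, c.dport) in HOST_ALLOW.get(c.program.lower(), set())

def evaluate(attempts):
    """Group attempts by which layer, if any, would stop them."""
    result = {"allowed": [], "host_only": [], "perimeter_only": [], "both": []}
    for c in attempts:
        p, h = perimeter_allows(c), host_allows(c)
        key = "allowed" if p and h else "host_only" if p else "perimeter_only" if h else "both"
        result[key].append(c)
    return result

if __name__ == "__main__":
    for layer, conns in evaluate(ATTEMPTS).items():
        for c in conns:
            print(f"{layer:15} {c.client} {c.proto}/{c.dport} -> {c.dst}  {c.program}")
```

The `host_only` group is the traffic that rides a port the perimeter has to leave open and is stopped only because the host firewall does not recognise the program.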

Top Expert 2010
it depends on what kind of hardware firewall you are running.  many retail routers that are meant for households do not have good firewall protection.  corporate firewalls do.

there is no need for firewall software if you have a good router.  for a company, i recommend upgrading your hardware.  it will be easier to maintain and easier to troubleshoot when problems arise.  software firewalls can cause too many headaches.

as for spyware utilities....  again... it helps to have a good router.  many corporate routers will log certain kinds of spyware activity, and some will even scan incoming traffic for viruses and spyware.  you can also block known spyware IPs.  i have yet to find a spyware utility that does a super good job at cleaning out an infected system ... you have to use multiple applications to remove the baddies.  as for prevention, make sure the antispyware runs real-time.

running multiple spyware products is ok  (as long as it doesn't bog system resources too much).  running two antivirus products is not ok.
Keith Alabaster, Enterprise Architect
Top Expert 2008
It really does depend on the quality of the hardware firewall, your requirements and to a degree your own knowledge. Even good hardware firewalls may not have the capability to block web content of a certain nature, for example.
I use PIX firewalls on my outside and ISA Server as my internal firewall, giving me the best of both worlds.

This model lets the hardware firewall (PIX) filter out all aspects of traffic that I am not interested in at all and also create the connection point for my VPNs. The PIX routes allowed traffic to the required interfaces (inside, DMZ etc), creates the necessary mappings between outside and inside addresses and creates the NAT condition for outgoing traffic.

The inside software firewall controls who is allowed out, what type of site they can visit and at what times of the day and night. It also controls the authentication requests for my clients. ISA publishes my internal servers (Sharepoint, web and mail) to the Internet, blocks attachments

So bottom line, PIX deals with the routing and permissions and access up to layer 4. ISA, as an application layer gateway, deals with layers 5, 6 and 7, giving you a full protection system. Maybe I am old fashioned but I don't care whether you have 5 workstations/servers or 500; it's the protection needed that decides the equipment.

I have Spybot-Search and destroy for my spyware removal; I only use the one.
For security in depth or layered defense, yes you would need a software FW. But for a small operation like yours, as long as you have a good, well configured, hardware FW you should be ok.
The software FW basically does the same thing your HW FW does, just in case it gets by the hardware FW.

Spyware: most I know run one, mainly, and if there is a problem removing something, then they temporarily use another.
Keith Alabaster, Enterprise Architect
Top Expert 2008

Thanks :)