Software Firewalls Completely Unnecessary and simply waste resources

I am told by a pretty well respected person in the computer/video industry that HARDWARE firewalls are absolutely essential, however SOFTWARE firewalls are a COMPLETE waste of money, resources and time. They do nothing, have never done anything to justify their existence.

He travels the world 3 weeks out of the month and when asked who is his ISP when staying at hotels and such he rattled off a list I've never heard of, but he adamantly says that hands down nothing beats Norton to completely protect a machine no matter when, how, where, why it is connected to the Net. He travels without a Hardware firewall and maintains the same thoughts whether plugged into the company network directly at the offices or when in South Korea at a hotel.

He also insists that Norton barely touches system resources (I'm told Norton uses up to 30% when it gets busy).

Anyone have any comments to resolve this? Should I get rid of my software firewall? Should I switch to Norton?  I have been using EOD32.

Rich Rumble (Security Samurai) Commented:
I think believing one app can secure you is totally false and utterly uneducated. As mentioned above, even hardware firewalls are actually software firewalls... the distinction is that a hardware firewall is dedicated to its task, firewalling and maintaining sessions. A software firewall uses your PC's system resources, to be certain, but the right one can protect you even more than an anti-virus solution. ZoneAlarm for instance, it is a very capable firewall, blocking ports incoming and even outgoing if configured (ingress and egress firewalling); in addition it can block/allow programs access to the NIC and/or to register themselves as a service. Norton doesn't do that, McAfee doesn't do that.

Security isn't a Program, it is a Process. Best practices can mitigate against more threats than most people think. Best practices are basically: operate day to day with the lowest privileged account possible, use admin accounts for admin purposes only, run regular updates for all software.

XP and 2003's firewall is very good at ingress firewalling, blocking incoming data.

Running multiple firewalls is also a bad idea, there are too many cooks in the kitchen, you're robbing your system of resources twice over, and run the possibility of overlapping, one is blocking this this and this, and another is blocking this this and that... It's no fun for you to manage, and even worse on your resources. You're also inviting disaster with two or more programs acting on the same data, increasing chances for BSODs to be certain.

Software firewalls are often referred to as "personal" firewalls, an apt name. They aren't meant to protect you from a DDoS, or some other onslaught that even a hardware firewall has a hard time dealing with. They offer simple, effective protection from outsiders trying to get into your PC; ZoneAlarm and others, I'm told, also provide outbound program protection. Let's say Mr. Smarty Pants gets a zero-day virus, and it starts to scan other PCs, Norton doesn't have a definition for it, it can't detect it, 0-day viri are often able to turn off the popular AVs anyway. ZoneAlarm will prompt you that xyz.exe wants to access the NIC, do you want to allow/deny this? It won't tell you what the exe wants to do, or will do, just its name and its intention to use the NIC.

Software firewalls have their place, and I think ZA's is one of the best. A hardware firewall protects much larger connections than DSL/Cable circuits better than a software firewall, but even hardware can't detect scanning activities, and viri being sent out of them... so AV also has its place. There is no end-all-be-all, it's a process.

A 0-day virus may not even be able to do anything if you follow best practices, not to mention spy-ware being affected the same way:

I use McAfee over and over, I personally love it. It has a good firewall, good AV and Spy-ware detection as well as a good heuristics "behaviour" engine that can block an exe from doing port scanning, downloading TFTP, sending SMTP as well as allowing you to dictate the amount of resources it can use.
I'm sorry but I greatly disagree with your friend. The one thing I do agree on is that Hardware firewalls are better than software firewalls but software firewalls aren't a complete waste of money. I have been using Zone Alarm for 4 years before I got my first router (and I turned that hardware firewall off because it was causing problems) and have never been hacked. Norton is by far the worst program I would recommend anyone because of the resources it takes up. It can take up to 50% of the resources at the time. I'd stick with the program you use, although, I've never heard of EOD, do you mean NOD32? One good firewall, I would also recommend Zone Alarm because of my experience with it. However, the decision is decided all upon personal preference.
I absolutely agree with the information you received that a Software firewall is a waste of money. The false sense of security that comes from most of these preloaded "security" software suites is a joke. I cannot begin to tell you how many computers I have repaired from clients who said "but I was using my security software..."

The only true security is that which comes from a Hardware Firewall that provides true D.O.S.

Buying the software, downloading the free ones, waste of time and money.

Besides, you can purchase a very good firewall+router+multiport switch+wireless access point (all one unit) for under 200 bucks.
Like most things in life, there is no one good solution for everyone :)

Norton works well most of the time, but I have seen it go haywire on some systems and bog them down completely. If it works for you and your friend, no need to change, but if you have problems.... try a different product.

HW vs SW firewalls - they can both be equally effective. Hardware firewalls don't use any system resources, but software firewalls use hardly any, and cpu time is almost free. Hardware firewalls are not as likely to be turned off by malware, but again, if it works for you, both are OK. Software firewalls travel with you and your laptop. The difference is mostly in the details.

If you keep your system patched and use safe computing practices, the fact is that you'll barely need either a firewall or an AV program.

To each his own...
jamroc2000 (Author) Commented:
Yes - I meant NOD32, not EOD32... one thing I like about it is practically daily updates. My friend says Norton releases virus updates EVERY DAY but I sure can't seem to find them. Updates to me are one of the most important defenses we have, no?
jamroc2000 (Author) Commented:
OC2Vegas:   By security software I assume you include Norton and McAfee and all of those, correct?
Okay... a firewall ends up being software somewhere.  Whether you buy a $200 box or download something, it ends up being software.  A Cisco hardware firewall is a bunch of networking hardware, controlled by software and chips.  How those chips are programmed is software, just at a lower level.


Software firewalls are good, easily upgradable/downloadable, and great for home use.

For high-traffic applications, software firewalls can be great as well... I've seen custom Linux boxes that are firewalls for large companies that work well -- again, SOFTWARE based.

ZoneAlarm is good for home users.  It has serious problems in itself, but not so much security/firewall related.  Any software running on your computer will use up resources.


Hardware firewalls are generally good, very high-performing, and turnkey solutions.  Since they come as a dedicated firewall, there's little processing overhead and initial setup you need to do, though configuration can be extensive!  (Note that setup vs configuration isn't the same thing.)

They can be upgraded via firmware updates, but usually not as flexible as "just download the new version."

Have you seen hardware firewalls crash?  It becomes a disaster... software solutions can be more flexible in what ways you can implement a quick contingent solution.

Overall, many good and bad points.  If you can afford a hardware firewall, great... if not, don't worry about it, software will be fine.  Those NORTON/etc packages aren't great though, so beware of those.  Look around, and don't just buy the "big name" because they try and make a simple/easy product, not necessarily a good one.

Here's a wrench... why use a firewall at all?  ;)  Firewalls are not necessary, despite proven use of them.  Firewalls are only one effective strategy:

Some interesting articles (among many more you could find via Google)...

Turn your $60 router into a $600 router

Build your own firewall
It depends on what you mean by software firewall.  Hardware firewalls are a must but application firewalls are another great tool to have.  Don't know if you are referring to application firewalls but I can tell you that app firewalls will also let you know when an application attempts to run or make connections.  This is important because if you are infected with Trojan viruses, the app firewall will detect the process attempting to run and you can prevent data leaks.  Most definitely hardware firewalls are your first line of defense to the outside.  Maybe add a desktop or app firewall in addition to strengthen your security.
The man hasn't a clue as to what he is talking about.  

Software firewalls do one major task that most limited function router/slash so-called firewalls do not do - control what goes out of a computer.  Some software firewalls can also lock down a machine so application changes can be detected and blocked.  Software firewalls also do port blocking and without this function alone you are bound, sooner or later, to get nailed by malware.  

I'm not impressed by Symantec's AV/Firewall product line.  Too bloated with old code, too cpu intensive, and too difficult to administer for most users.  And their AV product is not that great for spyware/adware. I don't think there is a good product out there right now, quite frankly.  If I had to pick one for my personal use I'd say BlackICE in combination with Zone Alarm.  And I use a packet sniffer when installing any new applications to see who and what they talk to.

Q:  Which is better an airplane or an automobile?
A:  Depends on where you are going.

"Better" is so subjective and application specific.  Most IT security pros will recommend DiD (defense in depth - from wikipedia "Likewise, in information security defence in depth represents the use of multiple computer security techniques to help mitigate the risk of a one defence being compromised or circumvented. An example could be anti-virus software installed on individual workstations when there is already virus protection on the firewalls and servers within the same environment. Different security products from multiple vendors may be on different vectors within the network, helping prevent a shortfall in any one defence leading to a wider failure.")

So it comes down to cost-benefit analysis.  Can you afford a hardware firewall + a software firewall?  Good, do both.  Is it worth the hassle of lugging around a hardware firewall?  No?  Use a software firewall.  Can't afford a professional software firewall, use XP built in.

The most secure computer in the world is locked in a vault and never turned on.  Not very useable though... ;-)

Add as much security as you can but remember that the computer is a tool; if you can't use it, not much good.

Prioritising risks to access is useful when assigning machines to connections and end users where a limiting budget may not get you the latest bug free architecture. Data content and flow with, most definitely, a need to know requirement is time honoured as is continued computer security education with well meaning end users. However, some secrets are better left to D.O.S. rather than published.