Originally posted by: STaSh
There are reasons to run a firewall on the client in addition to a firewall that is in front of the network, but probably not for most home networks.
But consider if a friend brings a laptop to your house that is infected with Sasser or one of its variants. Your hardware firewall is not going to protect against that. Sasser is not the best example, since the Sasser vulnerability is not in SP2, but something else may come along that does the same thing.
Agreed. Everyone in this thread that said that you don't need a software firewall, if you are behind a NAT router device, is foolish. Good security comes in layers. Trusting your entire defense to only a single layer, is a surefire guide to failure when a "hole" appears in your single layer of defense.
I've seen this firsthand, actually, because it happened to me.
I generally run a software firewall, because well, it's just a good idea to always protect yourself (and by extension, your machine).
However, I had recently re-installed my fairly-new AMD XP2000 rig, and had taken it to a friend's house for a LAN party. Once there, I didn't bother to re-install the firewall either, because the local LAN was behind a LinkSys NAT router (connected to cable internet), and I thought that I would "be safe".
Well, partway through that weekend, I saw something that scared me quite a bit. I woke up and found a "messenger spam" pop-up on my screen, and I also found mIRC installed on my machine, but strangely, not listed in the add/remove programs. Initially, I thought that perhaps someone had installed it on my machine to use IRC while I was asleep (no password on the machine, everyone at the LAN party were personal friends). But after asking everyone, no-one mentioned installing, or even using, my machine. (There were enough machines for everyone to use, most people had their own anyways, so it wasn't necessary for anyone to use mine, although I wouldn't have minded.)
So *something* strange had happened. Knew that since I had recieved "messenger spam", that my machine was somehow exposed to the internet, unprotected, and given that and the few other strange things that had happened, I decided to re-format and re-install again, since I had just recently re-installed anyways, I wouldn't lose anything.
After some analysis of the situation, I discovered a few things - because I was not running a software firewall, my machine was r00ted by some worm, that basically allows remote-control via an install of mIRC.
The reason that my machine was even exposed "raw" to the internet in the first place was, my friend's router was mis-configured - he had his machine as the DMZ, except that the same IP was also in the range of IPs that the DHCP server would hand out. Somehow his machine got turned off, and mine got re-assigned the same IP as the DMZ - so my machine was fully-exposed due to misconfiguration.
Also, it seems as though the other machines on the local LAN also got infected, either by the same worm that hit my machine (likely), or something else, as I think that the LAN was still set up during the following week, with the misconfigured router. (I took my machine home after that weekend.)
So the moral of the story is, if you don't want your box to get r00ted, run a local firewall, no matter what. Do not depend on others for your personal (machine's) security.
(Technically, what happened is termed a "cascade failure". Implementing multiple layers of security, can stop those sorts of failures and isolate them at one level, instead of cascading through several layers and causing more problems. It is possible that, had I been running a software firewall at the time, my machine would have remained un-breached, as well as the remaining machines on the LAN might not have been infected either.)