> I have a four machine network, all machines going through a router that has
> a SPI firewall. I also have a software firewall on each machine.
> My question is, do I need the software firewall on each machine?
The router's firewall cannot specify application rules as to whether or
not you want an application to have network access and, if so, just what
types of access that it gets (TCP, UDP, ports, time of access or denial,
etc.). The router's firewall doesn't know what application is
generating what network traffic. Only the software firewall running on
your host can do that. Do you trust every one of your "normal"
applications won't connect without your permission or without telling
you they are connecting? Feel lucky if that is true.
Software firewalls are handy for regulating network access for
applications running on that host provided those applications aren't
smart malware programs trying to circumvent or disable the firewall
(your router's firewall can't handle malware, either, that makes
otherwise unauthorized and undeclared outbound connections). If you
want some application-centric regulation over software's OUTBOUND access
then you need a local firewall.
Don't expect your router's firewall to be much more useful than
Microsoft's software firewall. You may get some host-centric control
over Internet/network access but other than that it won't know what
app is trying to get a connection. Routers have very simplistic
firewalls and are not equivalent to firewall appliances. Look at the
router's firewall like you look at Microsoft's software firewall: some
protection from unsolicited inbound connect attempts but nothing for
regulation of outbound connect attempts by applications (and only some
regulation based on hosts). What you get for protection depends
entirely on how potent a firewall is included in the router. Some
routers let you define rules on which hosts can connect to your
intranetwork, to other hosts and which ones on your intranetwork, which
ones get Internet (external) connects, during what times they can
connect, quotas on bandwidth, QOS, and so on, all of which is outbound
regulation (from a host to other hosts or the Internet).
Some routers' firewalls include inbound protection, like stateful packet
inspection, to protect you against unsolicited inbound connect attempts
and may even provide heuristics or rules to detect certain known types of
attacks, but all in all the router's firewall is pretty basic. It may
end up duplicating the inbound protection that your software firewall
provides but it lacks any outbound protection afforded by a software
firewall running on a local host. The inbound duplication isn't
hurtful. It just means that anything your router's firewall caught
doesn't have to be caught by your software firewall and then take CPU
cycles to handle.
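A concrete instance of the application-centric outbound regulation the reply describes, as an added example (not part of the original thread), using the Windows Defender Firewall PowerShell cmdlets; the program paths are placeholders and the commands assume an elevated shell:

```powershell
# Added example (not from the original post): per-application OUTBOUND control
# with the built-in Windows Defender Firewall, which is what a router's SPI
# firewall cannot express because it never sees which process sent a packet.
# Assumptions: run as Administrator; the program paths below are placeholders.
$Browser = 'C:\Program Files\ExampleBrowser\browser.exe'   # placeholder path
$Updater = 'C:\Program Files\ExampleVendor\updater.exe'    # placeholder path

# 1. Default-deny outbound on every profile. From here on, only explicit
#    allow rules let a process reach the network.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Core services the host needs regardless of application: DNS (UDP 53)
#    for the DNS Client service and DHCP (UDP 67/68) for the DHCP Client service.
New-NetFirewallRule -DisplayName 'Allow DNS (Dnscache service)' -Direction Outbound `
    -Service Dnscache -Protocol UDP -RemotePort 53 -Action Allow
New-NetFirewallRule -DisplayName 'Allow DHCP (Dhcp service)' -Direction Outbound `
    -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow

# 3. Application-centric rule: the browser may open TCP 80/443 and nothing else.
New-NetFirewallRule -DisplayName 'Allow browser HTTP/HTTPS' -Direction Outbound `
    -Program $Browser -Protocol TCP -RemotePort 80,443 -Action Allow

# 4. Explicit block for a program that should never phone home. Block rules win
#    over allow rules, so this holds even if a broader allow rule is added later.
New-NetFirewallRule -DisplayName 'Block updater outbound' -Direction Outbound `
    -Program $Updater -Action Block

# 5. Verify: list enabled outbound rules with the program and port filters they carry.
Get-NetFirewallRule -Direction Outbound -Enabled True |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Action   = $_.Action
            Program  = $app.Program
            Protocol = $port.Protocol
            Ports    = ($port.RemotePort -join ',')
        }
    } | Format-Table -AutoSize
```

Try this on a test machine first: once DefaultOutboundAction is Block, anything without an allow rule (Windows Update included) loses network access until a rule is added for it.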