I was reading Channel 9 the other day, and I noticed this comment about software firewalls:
I use a router (firewall). Software firewalls are a stupid waste of clock cycles, imho.
I don’t actually have a Channel 9 account (because I’m lazy), but I still wanted to reply to this comment. There is one very important feature that software firewalls have that hardware (actually, external) firewalls do not: they can block connections on a per-process basis. So you might have no problem with Internet Explorer (maybe you do!) or Firefox connecting to a remote server on port 80, but you may well have a problem with “random-piece-of-spyware.exe” connecting to the same port. An external firewall cannot tell the difference, because all it sees is traffic from your machine’s address to port 80; a software firewall running on the host can see which process opened the connection.
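As an added example (not code from the original post), this is what a per-program rule looks like with the Windows Firewall PowerShell cmdlets. The executable path and rule name are placeholders, and the commands need an elevated session on Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post: a per-program outbound block
# using the built-in NetSecurity cmdlets. Run from an elevated PowerShell.
# The path below is a hypothetical placeholder standing in for the post's
# "random-piece-of-spyware.exe"; substitute the real path on your system.
$program  = 'C:\Users\Public\random-piece-of-spyware.exe'   # placeholder path
$ruleName = 'Block outbound - random-piece-of-spyware.exe'   # placeholder name

# What an external firewall can express: a match on address and port only.
# A rule like this would also cut off the browser, which is the post's point,
# so it is left commented out rather than created.
#   New-NetFirewallRule -DisplayName 'Block TCP 80' -Direction Outbound `
#       -Protocol TCP -RemotePort 80 -Action Block

# What a host firewall can express: a match on the originating program,
# so the browser keeps talking to port 80 while this one executable cannot.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound `
    -Program   $program `
    -Action    Block `
    -Profile   Any `
    -Enabled   True | Out-Null

# Verify the rule exists and is bound to the program rather than a port.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallApplicationFilter |
    Select-Object Program

# Remove the rule when finished testing.
# Remove-NetFirewallRule -DisplayName $ruleName
```

The match is on the executable’s path, so a copy of the binary under another name or location is not covered by this rule; it demonstrates the per-process capability, not a complete control.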
Of course, you still need a hardware firewall (what was that thing about “defence in depth”?), but I believe you should have a software one as well. A good software firewall won’t waste all that many CPU cycles: it does its work when the connection is opened anyway, and next to the DNS lookup and the TCP handshake, the extra couple of cycles needed to look up a rule table are pretty minuscule.