We are asked _all the time_ if a home user, or a business, with
a dialup, DSL, or cable modem connection to the internet really
needs a firewall.
The quick answer is: Yes.
A longer answer is: If you use an operating system with
consumer PC roots (Windows 95, Windows 98, Windows NT, Windows
2000, Mac OS through version 9), it is designed to be 'relatively open'
and to be 'simple' to set up, administer and repair.
As a result, end users have graphical tools with background 'wizards'
taking care of those configuration details which cause the most
support load for 'Tech Support' at a given company. Additionally,
the target customer profile is that of an end user interested
in productivity, and NOT system administration --
the secretary, or an interested hobbyist.
Unfortunately, these tools cannot enforce the discipline needed to
require operating system level protection of the system.
That is, an end user can buy and install a shrink wrapped package
on their system with minimal attention to what the install package
is doing. To permit this to happen, the end user has to occasionally
modify system level files to install updated patch files, or additional
operating system level services.
In permitting such modifications, and in permitting 'wizards', which
are based on macro processors, the tools needed for a 'Cracker' to
take over remote machines are present and unprotected on the listed
operating systems.
-------------
As an example, home and small office users have come to use the
'Appletalk' or 'Network Neighborhood' peer-to-peer local area
network convenience of sharing disk drives and printers. The
implementations have to 'discover' newly added resources, again
without material intervention from the end users.
This means that the networks tend to be 'wide open' as shipped
from Microsoft and Apple.
We found this response on a professional system administrator's
mailing list. It reflects the frustration of trying to respond
to attacks from hosts on links which have been taken over and
used without their owners' knowledge as an anonymous 'stepping
stone' to attack hosts on the public internet with commercially
valuable information.
A properly designed and maintained firewall can 'close off'
that vulnerability.
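
An added illustration, not part of the original article: a small audit
that lists which file and printer sharing listeners a remote host could
reach, with no firewall and then with a default-deny inbound policy.
The port numbers are the well-known ones for NetBIOS, SMB and AFP over
TCP; the listener table, addresses and rule format are constructed
for this example.

```python
import ipaddress

# Well-known ports of the sharing services discussed above.
SHARING_PORTS = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session (Windows file/printer sharing)",
    ("tcp", 445): "SMB over TCP",
    ("tcp", 548): "AFP over TCP (AppleShare IP)",
}

# Constructed sample: (protocol, bound address, port) of listening sockets.
LISTENERS = [
    ("tcp", "0.0.0.0", 139),    # sharing, bound to every interface
    ("udp", "0.0.0.0", 137),    # sharing, bound to every interface
    ("tcp", "127.0.0.1", 548),  # sharing, but loopback only
    ("tcp", "0.0.0.0", 80),     # not a sharing service
]

# Hypothetical policy: (action, protocol, port, source network).
# First match wins; anything unmatched is denied.
RULES = [
    ("allow", "tcp", 139, "192.168.1.0/24"),
    ("allow", "udp", 137, "192.168.1.0/24"),
]

def firewall_allows(rules, proto, port, src):
    """Evaluate an inbound packet against the rules, default deny."""
    src_ip = ipaddress.ip_address(src)
    for action, r_proto, r_port, r_net in rules:
        if (r_proto, r_port) == (proto, port) and src_ip in ipaddress.ip_network(r_net):
            return action == "allow"
    return False

def exposed_shares(listeners, rules, src):
    """Sharing listeners reachable from src; rules=None means no firewall."""
    found = []
    for proto, addr, port in listeners:
        if (proto, port) not in SHARING_PORTS:
            continue
        if ipaddress.ip_address(addr).is_loopback:
            continue  # never reachable from the network
        if rules is None or firewall_allows(rules, proto, port, src):
            found.append((proto, port))
    return found
```
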
... So the answer is: Yes, you need a firewall. To protect you,
to protect your private data, and to avoid a visit from the
Secret Service (when your host turns out to be the one which was
used to steal credit card numbers), or the FBI InfraGard unit
when a terrorist group uses your PC as an attack vehicle
against a website run by a religious group with whom they
disagree.