"Few things I've found out:
Network Intrusion Detection and Prevention and SPI are conceptually similar to anti-virus scanning such that packets are scanned for known signatures or patterns. It adds an additional layer of security but is far from being able to stop most of the known threats, never mind the unknown ones."
Where is this said?
NIPS is separate from a software firewall on a desktop and the two should not be considered to be doing the same function.
NIPS detects or perhaps controls the connections on the LAN and a fw does the port, protocol and IP connections occurring at the desktop.
A pure NIP uses SPI ?
Would not really recommend NIPS unless you have an enterprise network or a server.
Which unknown packets? Did they create new packets not seen before?
"Malware can be transmitted over encrypted traffic, e.g., SSL, VPN or SSL based Jabber (IM) protocols. And even over unencrypted traffic, malware detection is not 100% guaranteed. When you compress some files and transfer them, are those packet inspections going to build the whole archive, decompress it, and then scan? So they are very limited and can't be assumed as the main line of defense."
If you allow malware to enter the PC and install it, it naturally does not matter whether this is encrypted or plain traffic. A malicious file is not handled by the firewall, just the bad packets.
The packets sent or received are not compressed. Only the transferred file was compressed. Packets cannot be compressed.
"And as far as I remember ZoneAlarm's products at least in the near past had problems with unknown malware. I read this post by Paranoid somewhere on Agnitum Firewall forums."
Examples such as...? The fw itself or the antivirus scanner? Which scanner and which version? Which ZA? When? By whom? What is this Agnitum- never been there- do they use the ZA there too?
"Also, let's suppose you have 100% clean PC:
1 - Let's assume you have an AV software. If AV signatures did not detect a threat, after some signature updates, you will be able to detect the virus later, possibly after all the harm is done. Nonetheless, let's assume this is acceptable. This would generally be the only way you would be infected.
2 - Let's assume you don't have an AV but an intrusion detection system which scans network packets against some signatures:"
Which signatures? From what?
This "intrusion detection system" is a HIPS or a NIPS?
Does the NIPS actually have a blacklist from the vendor for distinctively bad packets or does this simply just reject or drop unacceptable/unallowed packets and allow only acceptable/allowed packets?
"Let's assume a known or unknown malware is going to be transferred:
- If the malware is transferred over an encrypted channel, you are vulnerable
- If the malware is transferred over an unencrypted channel, but with an uncommon protocol that your IDS does not know, you are vulnerable
- If the malware is transferred over an unencrypted channel, but with an infected setup file, you are vulnerable, especially if the file is large.
- If the malware comes from another source than network, you are vulnerable."
And does not the firewall regulate the port, protocol and IP involved along with the connections of the applications? Would not the disallowed connections to disallowed ports and IP by disallowed protocols just be blocked anyways?
By the way is this IDS the same as you were talking about before or is this something new?
I am skipping further down, since these comments in between do not make any sense to me. I leave these for somebody else.
"................. Would you trust a firewall only as your main line of defense?"
A firewall is never the main line of defense. It is a utility that controls the port, protocol and IP and connection directions. Come to think of it, I have said this all along. I just said it again.
As far as network intrusion protection is concerned, are you running an internet server or enterprise LAN? A server (file or email or whatever) with open ports on the line facing the internet and servers on the local area network with more open ports?
I do not, so these issues you have mentioned do not apply to me or any other home user.
You got a firewall in your router, correct?
If so, then there should be no network intrusions of any kind seen on your local area network?
If the router or hardware firewall by default blocked off the intrusions or unwanted connections would there still be network intrusions behind it on the local area network? Yes or No?
No open ports means no entry and hence no "intrusion".
There are no open ports of the firewall of the desktop?
If there are no open ports, then all unwanted inbound connections are automatically dropped by the firewall?
If all of the unwanted connections are dropped, then why is there still a threat?
"So, how can ZoneAlarm Pro/Internet Security Suite protect from malwares when it comes to inbound protection?"
"If that's true what I wrote above, it means it's useless to have ZoneAlarm or any other firewall, unless you have HIPS."
If a user downloads a malicious file and then lets it run or executes it, then the user is an *****. Simple point and the truth.
Has not the user ever heard of something called safe hex?
"I'm not sure if OSFirewall can really catch all of the malware, unless it's pure HIPS, then it should ask you if a completely unknown malware from the Internet is going to install while you're surfing through the Internet."
The OSFirewall is not a complete HIPS for the desktop, but a HIPS for the firewall. There is a difference. I think we covered this before.
Malicious packets and unwanted connections and malicious files and allowed connections by port & protocol & IP & application should not be mixed up.
I think this is a mistake to associate an antivirus with a software firewall and a desktop software firewall with a commercial network protection and malicious executable files with bad packets. None of these are the same, each is very different, and these should never be added together in the same sentence.
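The argument in the thread about whether packet inspection can see a signature inside a compressed or encrypted transfer can be modelled in a few lines. The following is an added example written for this page; it is not code from either poster and not from any ZoneAlarm or Agnitum product. The marker string standing in for a "signature", the payload, the packet sizes and the repeating-key XOR used as a stand-in for an encrypted channel (it is not real encryption) are all constructed here. It contrasts a stateless per-packet matcher with a scanner that reassembles the stream and undoes compression or, when it holds the key, the encoding.

```python
import zlib
from itertools import cycle

# Constructed marker standing in for a malware signature (not a real signature).
SIGNATURE = b"SAMPLE-MALWARE-MARKER-1234"


def build_payload() -> bytes:
    """Constructed 'file' with the marker embedded at byte offset 700."""
    return b"A" * 700 + SIGNATURE + b"B" * 700


def packetize(data: bytes, mtu: int) -> list:
    """Split a byte stream into fixed-size chunks, like segments on the wire."""
    return [data[i:i + mtu] for i in range(0, len(data), mtu)]


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for an encrypted channel: repeating-key XOR (NOT real encryption)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def scan_per_packet(packets, signature: bytes) -> bool:
    """Stateless inspection: each packet is matched on its own."""
    return any(signature in p for p in packets)


def scan_reassembled(packets, signature: bytes, decompress=False, key=None) -> bool:
    """Stateful inspection: reassemble, undo the encoding/compression, then match."""
    stream = b"".join(packets)
    if key is not None:
        stream = xor_stream(stream, key)   # only possible at an endpoint holding the key
    if decompress:
        try:
            stream = zlib.decompress(stream)
        except zlib.error:
            return False                   # truncated or corrupt archive: nothing to scan
    return signature in stream


def run_cases() -> dict:
    """Return (stateless, stateful[, stateful-with-key]) verdicts for four transfers."""
    payload = build_payload()
    key = b"constructed-key"
    results = {}

    # 1. Plain text, marker fits inside one packet: both scanners catch it.
    pkts = packetize(payload, 512)
    results["plain_aligned"] = (scan_per_packet(pkts, SIGNATURE),
                                scan_reassembled(pkts, SIGNATURE))

    # 2. Plain text, marker straddles a packet boundary (offset 700, mtu 710):
    #    the per-packet scan misses it, reassembly finds it.
    pkts = packetize(payload, 710)
    results["plain_straddle"] = (scan_per_packet(pkts, SIGNATURE),
                                 scan_reassembled(pkts, SIGNATURE))

    # 3. Compressed archive: the literal marker bytes no longer appear on the wire,
    #    so only a scanner that rebuilds and decompresses the whole stream matches.
    pkts = packetize(zlib.compress(payload), 512)
    results["compressed"] = (scan_per_packet(pkts, SIGNATURE),
                             scan_reassembled(pkts, SIGNATURE, decompress=True))

    # 4. "Encrypted" channel: nothing matches on the wire, with or without
    #    reassembly; only the endpoint that holds the key can scan the content.
    pkts = packetize(xor_stream(payload, key), 512)
    results["encrypted"] = (scan_per_packet(pkts, SIGNATURE),
                            scan_reassembled(pkts, SIGNATURE),
                            scan_reassembled(pkts, SIGNATURE, key=key))

    return results


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```

Case 4 is the one that separates a network-level inspector from host-based scanning: the reassembling scanner gives the same verdict as the stateless one until it is the party that can decode the content, which is why the post distinguishes what a firewall or NIPS sees (packets and connections) from what an AV or HIPS sees (the file once it is on the desktop).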