Hi, everybody. Since I've been using various firewalls, I decided to try out CFP 3.0. However, I must admit that I'm not completely sure if they care about CFP 3.0's inbound protection that much. Although both Egemen and Melih said that they need practical proof that CFP's inbound protection is not that good, I still have doubts about inbound protection. The main reason is that it seems to me that too small a number of intruders was blocked: while ZA blocked about 100 of them in one hour, CFP blocked only 36!?

So, I need a favor: can anyone please test ZA Pro on Sunday evening/night from 5pm to 10pm, and can someone else test CFP 3.0, also from 5pm to 10pm on Sunday evening/night, please? The reason why I'm asking this is that my computer is in the re-installation process, and I need someone who can test these firewalls to see how many intrusions CFP 3.0 blocks and how many ZA Pro blocks in these 5 hours straight.

The reason why I'm asking this is that I tested ZA Pro several times over a 3-hour period with ARP protection enabled, the "Allow VPN protocols" icon unchecked, no sharing with other computers, which means both firewalls are set to High level, with Block Internet Servers, Block trusted servers and Filter IP traffic over 1394 enabled, and Lock hosts file checked. In 3 hours, ZA Pro 7.0.462 blocked over 4000 intrusions, from 6pm to 9pm on Sunday evening. I'm wondering how many of them CFP 3.0 will block. Just to make a comparison, please.

Thank you for your time and patience.

Also, this is a copy of what Egemen wrote about Stateful Packet Inspection and Deep Packet Inspection:

It would be too naive to claim that having a network based packet inspection can prevent malware from being downloaded and run. Network Intrusion Detection and Prevention is conceptually similar to anti virus scanning such that packets are scanned for known signatures or patterns. It adds an additional layer of security but is far from being able to stop most of the known threats, never mind the unknown ones.

Malware can be transmitted over encrypted traffic, e.g., SSL, VPN or SSL based Jabber (IM) protocols. And even over unencrypted traffic, malware detection is not 100% guaranteed. When you compress some files and transfer them, are those packet inspections going to build the whole archive, decompress it, and then scan? So they are very limited and can't be assumed as the main line of defense.

SPI, Deep packet inspection or intrusion detection are just another additional security layer which can not be considered the main line of defense. For server protection, it can help to protect against hackers, and automated tools. No one considers this, even for the server computers, as the main line of defense.

You have a 100% clean PC:

1 - Let's assume you have an AV software. If AV signatures did not detect a threat, after some signature updates, you will be able to detect the virus later, possibly after all the harm done. Nonetheless, let's assume this is acceptable. This would generally be the only way you would be infected.

2 - Let's assume you don't have an AV but an intrusion detection system which scans network packets against some signatures. Let's assume a known malware is going to be transferred:

- If the malware is transferred over an encrypted channel, you are vulnerable
- If the malware is transferred over an unencrypted channel, but with an uncommon protocol that your IDS does not know, you are vulnerable
- If the malware is transferred over an unencrypted channel, but with an infected setup file, you are vulnerable, especially if the file is large.
- If the malware comes from a source other than the network, you are vulnerable

At the network layer, you are quite limited in terms of detection capabilities (you have a couple of packets and that's all). Consider AV programs having everything (emulation, unpacking, heuristics etc.) failing to detect malware. Never mind a fragment of malware inside a packet.

If your IDS does not know the malware, it can not detect it, even after the signature updates. Unlike an AV, it can do nothing after signature updates.

So an N-IDS is a nice, additional layer of security. But it is not comparable to an H-IPS and can not be trusted as the main line of defense. Would you trust a firewall only as your main line of defense?

Cheers.
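The packet-level limits described in the quoted text (a signature split across packets, and a compressed transfer), shown as an added example that is not part of the original post. The marker string, file contents, packet sizes and function names are constructed assumptions; the marker is a harmless stand-in for a known signature.

```python
import zlib

# Constructed, harmless marker standing in for a known signature.
SIGNATURE = b"CONSTRUCTED-DEMO-MARKER-7f3a"
# Constructed "file": filler bytes around the marker.
FILE = b"A" * 200 + SIGNATURE + b"B" * 200
MAX_INFLATE = 1 << 20  # cap decompressed output (decompression-bomb guard)


def packetize(data, size):
    """Split a byte stream into fixed-size packet payloads."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan_per_packet(packets):
    """Stateless matching: each packet payload is inspected on its own."""
    return any(SIGNATURE in p for p in packets)


def scan_reassembled(packets):
    """Reassemble the stream first, then match on the raw bytes."""
    return SIGNATURE in b"".join(packets)


def scan_reassembled_inflated(packets):
    """Reassemble, then also try zlib decompression before matching."""
    stream = b"".join(packets)
    if SIGNATURE in stream:
        return True
    try:
        inflated = zlib.decompressobj().decompress(stream, MAX_INFLATE)
    except zlib.error:
        return False  # not a zlib stream, nothing more to inspect
    return SIGNATURE in inflated


def evaluate(data, packet_size):
    """Return (per_packet, reassembled, reassembled_inflated) verdicts."""
    pkts = packetize(data, packet_size)
    return (scan_per_packet(pkts), scan_reassembled(pkts),
            scan_reassembled_inflated(pkts))


if __name__ == "__main__":
    print("plain, 1500-byte packets:", evaluate(FILE, 1500))
    print("plain, 16-byte packets:  ", evaluate(FILE, 16))
    print("zlib,  1500-byte packets:", evaluate(zlib.compress(FILE), 1500))
```

Only the scanner that buffers the whole stream and decompresses it sees the marker in all three cases, which is the extra work the quoted text questions; none of the three can see inside an encrypted channel.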