That was my post you read. While I know it creates a lot of controversy to "slam" one of the most popular firewalls in existence, I only do this because I know something. Let me try to explain:
While I understand that ZoneAlarm might not get infected as quickly due to its ability to hide ports and its mature HIPS, and while it is possible that my two colleagues were indeed using P2P or visiting rogue websites, I have four things I can tell you:
First, both machines were infected with IRC Flood, which was one of the trojans that was piggybacking these worms. Second, and as you've already read, ZA does not have SPI (Stateful Packet Inspection). Third, while neither of the first two issues actually prove that it was the botnet worms that carried this trojan in, I've cleaned out machines with three other brands of firewalls that all had the same infection. The other three firewalls were Comodo, Sygate, and two different versions of McAfee (AOL S&SC and MSC). Can you guess what all four of these firewalls have in common? No SPI!!! Finally, there are two computers in my home network (we have a wireless router with a NAT firewall, not SPI). My grandma's machine was using MSC (McAfee Security Center) courtesy of Comcast. I had to disinfect her machine two or three times before I saw on the news (October 9) what was happening. I had BlackICE on my machine toward the beginning, but I've had Safety.Net since about the end of October. My machine has never been hit.
Here's an article that talks about the botnet/worm "epidemic": http://www.nytimes.com/2007/01/07/technology/07net.html?_r=1&hp&ex=1168146000&en=d8e4c5dbbdaaa422&ei=5094&partner=homepage&oref=slogin
And here's an article that talks about the difference between ZoneAlarm and BlackICE, an ICSA-certified SPI firewall. Mind you, this letter is seven years old, and it's from ISS (the makers of BlackICE), but the information is all true: http://www.iss.net/security_center/advice/Support/KB/q000132/default.htm
Bottom line: All the machines I've cleaned in the past three months with IRC Flood have had "simple" firewalls (non-SPI) on them. I've cleaned one person's machine that actually had BlackICE on it, but I didn't find IRC Flood on it, and he uses LimeWire and clicks every e-mail link in his inbox that says anything about sex (I've long since given up trying to get him to stop; he won't).
The botnet worms I've been talking about are coming from infected zombies. The worms are self-propagating. They generate random IP addresses and see if they get a response. In cases of simple firewalls such as ZoneAlarm, your only hope of avoiding infection is for all requested ports to be hidden. If they are not, and if a trusted application is assigned to any one of those ports, the worm now has open entry, and ZoneAlarm will not stop it. It may try to block the IRC Flood trojan from phoning home, but the bad news is that you are still infected.
Here's how stateful firewalls work: Whenever you open an Internet application, the firewall loads this information into memory on a "state table." It keeps track of the syntax and the ports in use by the application, and monitors the corresponding incoming packets in sequential order. By doing this, the firewall knows whether or not an incoming packet is part of a handshake that you, the user, solicited. In addition, modern SPI firewalls use "deep packet inspection." Packet headers can be spoofed, so newer-generation SPI firewalls will inspect the full contents of every packet to verify consistency. And unlike simple firewalls, which are basically application switchboards, a stateful firewall monitors ALL incoming traffic, whether the communicating application on your machine is trusted or not.
Don't get me wrong. SPI firewalls have their weaknesses too. Their whole deal is to keep intruders out. That won't stop you from visiting a rogue webpage and exposing yourself to drive-by infection; if you solicited the connection, it's not considered an intruder. In fact, I'll be honest with you... ZoneAlarm would be more likely to block something like that than my firewall (Safety.Net) would be. But I try to use discretion when I surf. I use Opera most of the time, and I have SiteAdvisor installed in IE and Firefox Portable. In addition, I do follow my own rules. In case you've read my posts about not visiting any site that's not green, understand that I don't do this either. I also use Cyberhawk on top of my other security software. And my machine hasn't seen an infection in over a year (other than tracking cookies)!
As you may already have read, there are four firewalls I'm acquainted with that have stateful inspection. Once again, they are BlackICE, Kerio, Safety.Net, and Jetico. The free version of Kerio doesn't have HIPS, and could be vulnerable to a buffer overflow attack, but you could augment this with a dedicated HIPS product like Novatix Cyberhawk, which is also free. As an added bonus, Cyberhawk is much, much quieter than ZoneAlarm's, Comodo's, or Jetico's HIPS; and yet, according to Ian "Gizmo" Richards, it's the most effective non-sandbox HIPS available.
My intention is not to upset anyone, and I haven't been posting this "propaganda" all over CNET because of anything personal against ZoneLabs, Comodo, or anyone else. And no, I'm not getting kickbacks from Sunbelt, ISS, NetVeda, or Jetico either. I just want to share with you some information I have that I consider to be invaluable. Do whatever you want with it; I promise I won't lose any sleep over it. As long as MY system (and now my grandma's as well) stays clean, it makes no difference to me.
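Added example, not part of the post above and not code from any of the products it names: a toy model of the two firewall styles the poster contrasts. The "application switchboard" admits an inbound packet whenever a trusted local program owns the destination port; the stateful filter keeps a per-connection state table that only an outbound SYN can create, and an inbound packet must match an existing entry at the expected handshake step (including acknowledging our initial sequence number) before it is admitted, whatever port it is aimed at. All addresses, ports and packets are constructed for the demonstration, and the TCP state tracking is deliberately simplified (no timeouts, no window checks, no UDP/ICMP).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

HOST_IP = "192.168.1.10"   # constructed: the protected machine
WEB = "203.0.113.5"        # constructed: a web server the user browses to
WORM = "198.51.100.7"      # constructed: a scanning zombie
TRUSTED_PORT = 5000        # constructed: a port a trusted local program listens on


@dataclass(frozen=True)
class Packet:
    direction: str         # "out" = leaves this host, "in" = arrives from the Internet
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]  # TCP flags, e.g. frozenset({"SYN"})
    seq: int = 0           # sequence number
    ack: int = 0           # acknowledgement number


Key = Tuple[str, int, str, int]  # (local_ip, local_port, remote_ip, remote_port)


def conn_key(pkt: Packet) -> Key:
    """Normalise both directions of a flow to the same state-table key."""
    if pkt.direction == "out":
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


class ApplicationFirewall:
    """'Application switchboard': inbound is admitted if a trusted program owns the port."""

    def __init__(self, port_owner: Dict[int, str], trusted: Set[str]) -> None:
        self.port_owner = port_owner  # local port -> program bound to it (assumed map)
        self.trusted = trusted        # programs the user marked as trusted

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            return True
        return self.port_owner.get(pkt.dst_port) in self.trusted


class StatefulFirewall:
    """State table populated only by outbound SYNs; inbound must match a live entry."""

    def __init__(self) -> None:
        self.table: Dict[Key, Tuple[str, int]] = {}  # key -> (state, our ISN)

    def allow(self, pkt: Packet) -> bool:
        key = conn_key(pkt)
        entry = self.table.get(key)
        if pkt.direction == "out":
            if pkt.flags == frozenset({"SYN"}):            # the user solicited this flow
                self.table[key] = ("SYN_SENT", pkt.seq)
                return True
            if entry is None:                              # outbound data for no known flow
                return False
            state, isn = entry
            if state == "SYNACK_SEEN" and "ACK" in pkt.flags:   # third handshake step
                self.table[key] = ("ESTABLISHED", isn)
                return True
            if state == "ESTABLISHED":
                if pkt.flags & {"FIN", "RST"}:
                    del self.table[key]
                return True
            return False
        # inbound: no entry means nobody on this host asked for it, regardless of port
        if entry is None:
            return False
        state, isn = entry
        if state == "SYN_SENT":
            # only the SYN/ACK that acknowledges OUR initial sequence number fits here
            if pkt.flags == frozenset({"SYN", "ACK"}) and pkt.ack == isn + 1:
                self.table[key] = ("SYNACK_SEEN", isn)
                return True
            return False
        if state in ("SYNACK_SEEN", "ESTABLISHED"):
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]
            return True
        return False


def run(fw, packets: List[Packet]) -> List[bool]:
    return [fw.allow(p) for p in packets]


# Constructed traffic: a normal handshake the user's browser started.
SOLICITED = [
    Packet("out", HOST_IP, 51000, WEB, 80, frozenset({"SYN"}), seq=1000),
    Packet("in", WEB, 80, HOST_IP, 51000, frozenset({"SYN", "ACK"}), seq=7000, ack=1001),
    Packet("out", HOST_IP, 51000, WEB, 80, frozenset({"ACK"}), seq=1001, ack=7001),
    Packet("in", WEB, 80, HOST_IP, 51000, frozenset({"ACK"}), seq=7001, ack=1001),
]
# Constructed traffic: a zombie probing random addresses hits the trusted program's port.
UNSOLICITED = [Packet("in", WORM, 40000, HOST_IP, TRUSTED_PORT, frozenset({"SYN"}), seq=4242)]
# Constructed traffic: a forged "reply" with the right addresses/ports but the wrong ack number.
SPOOFED = [
    Packet("out", HOST_IP, 51001, WEB, 80, frozenset({"SYN"}), seq=2000),
    Packet("in", WEB, 80, HOST_IP, 51001, frozenset({"SYN", "ACK"}), seq=1, ack=99999),
]


def verdicts() -> Dict[str, List[bool]]:
    """Run each scenario through a fresh firewall of each kind; True = admitted."""
    owners = {51000: "browser", 51001: "browser", TRUSTED_PORT: "trusted_app"}
    results = {}
    for name, pkts in (("solicited", SOLICITED), ("unsolicited", UNSOLICITED), ("spoofed", SPOOFED)):
        results[f"{name}_app"] = run(ApplicationFirewall(owners, {"browser", "trusted_app"}), pkts)
        results[f"{name}_spi"] = run(StatefulFirewall(), pkts)
    return results


if __name__ == "__main__":
    for k, v in verdicts().items():
        print(k, v)
```

Both models pass the solicited handshake. The unsolicited SYN aimed at the trusted program's port is the case the post is about: the switchboard admits it because a trusted program owns the port, while the stateful filter drops it because no outbound SYN ever created a table entry. The spoofed SYN/ACK shows the "sequential order" check: the addresses and ports match an open entry, but the acknowledgement number does not match our ISN, so it is not the handshake the user solicited.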