WELCOME TO MY WEB-BLOG... SUIT YOURSELF


"Hello Motto"

Don't look at me as a shard of glass that could wound you...
But look at me as a whole mirror...
Look carefully at your own reflection...
Don't let your ego be wounded because of me...


Who is behind “Jakala_2”

1. The name Jakala is taken from the terms: Jakarta, Jaka, Jackal, Jusuf Kala?
---
2. Age, date of birth, zodiac?
---, ---, Aquarius = the water bearer who quenches thirst.
3. Location now?
Somewhere in East Java.
4. Profession?
Low level prof: factory labourer.
5. Hobby/interest?
Electronics, Computers, Software (Firewall, Security Issues), and PC Games

“Who or where I am is not as important as what I share with u guys”

Firewall Test Results: Testing the Reliability of a Firewall
Saturday, May 07, 2005

Prologue:
Amir is a W!nd*ws user who has updated to SP2 and runs a resident AV scanner (up to date), but his firewall is poorly configured. Every time he browses/surfs there is an opening for a hacker/virus to get into his PC through an open port/protocol.
Budi does not use SP2 and only updates his AV scanner once in a while, but hackers/viruses cannot get into his PC because his firewall works well (and he has also disabled ActiveX and scripting). When the Blaster worm broke out, Budi's firewall detected and blocked the flood of connection attempts against his RPC and NetBIOS ports. Luckily the firewall did its job and kept silent. Safe!

Many of us probably think like Amir and feel safe because we always update SP2, AV and so on. Regular updates do add to security on the internet, but have we ever asked ourselves: how many days pass between our SP, AV, etc. updates? SP and AV updates are made available once a new virus/exploit has already appeared (perhaps some days/weeks? afterwards). What if we are the first to be hit by the newest virus (first hand)? Hopefully not. But if it happens, the firewall is our last line of defense before the virus/exploit gets into the PC over the internet.

Hackers today keep working on new viruses with more sophisticated infiltration methods and effects, perhaps beyond what we can imagine. Until one day we shout: "What Blaster worm is this now, shutting down by itself, cannot boot, eeeek, damn......" Hard disk formatted, programs reinstalled.

Attention:
-Below are the firewall test results from 2 sites: PCFlank (www.pcflank.com) and Shields Up (www.grc.com)
-Both sites were chosen because they are considered reasonably independent (not firewall developers, although they do recommend particular firewalls), especially PCFlank, which offers several kinds of test (stealth, browser, trojan, advanced port scanner, and exploits test).
-The purpose of this firewall test is to give internet users a picture of how important security against outside attacks is, and in the end to encourage the use/tuning of a firewall.
-On average each test took 2 minutes (dial-up/prepaid connection, 56 kB modem, iexplore 6.0, Outpost Firewall, XP, P IV (economy class), 256 MB memory).
-The test results do not guarantee 100 % PC security against attacks over the internet (viruses, exploits, hacking, spyware, cookies, etc.), especially in times to come.
-The test results do not conclusively determine whether a port is safe; to be more certain, run the tests at other sites (see the topic: Is Your PC Safe Yet...)
-The Browser Test result is relative, because how a browser accepts cookies/history is an individual matter (it depends on the user's own taste). Readers are welcome to try it and see their own results.
-All test results have been edited in Notepad for the reader's convenience, but their content and meaning have not been reduced or added to.
-These test results are not sponsored by Outpost Firewall and are not meant to show that one firewall is better than another, but rather that: "a well/optimally configured firewall gives its user security and comfort".
-All tests were carried out in early November 2004 by Jakala_2

================================================
#Stealth Test#
The results of Stealth Test
We have sent following packets to TCP:1 port of your machine:

TCP ping packet
TCP NULL packet
TCP FIN packet
TCP XMAS packet
UDP packet
Here is the description of possible results on each sent packet:
"Stealthed" - Means that your system (firewall) has successfully passed the test by not responding to the packet we have sent to it.
"Non-stealthed" - Means that your system (firewall) responded to the packet we have sent to it. What is more important, is that it also means that your computer is visible to others on the Internet that can be potentially dangerous.

Packet type    Status
TCP "ping"     stealthed
TCP NULL       stealthed
TCP FIN        stealthed
TCP XMAS       stealthed
UDP            stealthed

Recommendation:
Your computer is invisible to the others on the Internet!

--------------------------------------------------------------------------
#Browser Test#
Results of the test:
Cookies check
Your computer may save special cookies on your hard drive that have the purpose of directing advertising or finding out your habits while web surfing.
Recommendation
We advise you to get personal firewall and/or anti-spyware software. We recommend AdAware Plus.
If you already have a firewall or anti-spyware program adjust it to block cookies. You can also block cookies using your browser if it supports cookies blocking feature.

Referrer check
While visiting web sites your browser does not reveal private information (called 'referrer') about previous sites you have visited.
Recommendation
Your browser (or firewall) set to block referrer so there is no risk to your privacy. 

----------------------------------------------------------------------------------------------------------
#Trojan Test#
Results of the test
We have scanned your computer's ports used by the most dangerous and widespread trojan horses. Here is the description of possible ports' statuses:

"Stealthed" (by a firewall) - Means that your computer is invisible to others on the Internet and protected by a firewall or other similar software;
"Closed" (non-stealthed) - means that this port is closed, but your computer is visible to others on the Internet that can be potentially dangerous;
"Open" - Means that this port is ready to establish (or has already established) a connection with remote address. It also means that your computer is vulnerable to attacks and could have been already hacked or infected by a trojan/backdoor;

Trojan            Port    Status
GiFt              123     stealthed
Infector          146     stealthed
RTB666            623     stealthed
Net-Devil         901     stealthed
Net-Devil         902     stealthed
Net-Devil         903     stealthed
Subseven          1243    stealthed
Duddies Trojan    1560    stealthed
Duddies Trojan    2001    stealthed
Duddies Trojan    2002    stealthed
Theef             2800    stealthed
Theef             3000    stealthed
Theef             3700    stealthed
Optix             5151    stealthed
Subseven          6776    stealthed
Theef             7000    stealthed
Phoenix II        7410    stealthed
Ghost             9696    stealthed
GiFt              10100   stealthed
Host Control      10528   stealthed
Host Control      11051   stealthed
NetBus            12345   stealthed
NetBus            12346   stealthed
BioNet            12348   stealthed
BioNet            12349   stealthed
Host Control      15094   stealthed
Infector          17569   stealthed
NetBus            20034   stealthed
MoonPie           25685   stealthed
MoonPie           25686   stealthed
Subseven          27374   stealthed
BO                31337   stealthed
Infector          34763   stealthed
Infector          35000   stealthed

All Trojans' ports we scanned are stealthed (probably by a firewall). This means your system is not infected by any of these Trojan horses.

Recommendation:
The absence of a Trojan horse on your system does not mean this problem cannot happen, of course. Anti-virus and/or anti-Trojan (we recommend Tauscan or PestPatrol) software should be installed and used on your system. If you already use this type of software on your system, its virus definitions (virus database) should regularly be updated.
We also recommend you to pass the Stealth test to determine if your system is absolutely stealthed and invisible to the others on the Internet.

------------------------------------------------------------------------
Results of Advanced Port Scanner
TCP CONNECT scanning (scanned in 21 seconds)

We have scanned your computer's ports used by the most widespread trojan horses. Here is the description of possible ports' statuses:
"Stealthed" (by a firewall) - Means that your computer is invisible to others on the Internet and protected by a firewall or other similar software;
"Closed" (non-stealthed) - means that this port is closed, but your computer is visible to others on the Internet that can be potentially dangerous;
"Open" - Means that this port is ready to establish (or has already established) a connection with remote address. It also means that your computer is vulnerable to attacks and could have been already hacked or infected by a trojan/backdoor;

Port    Status     Service                        Description
21      stealthed  FTP                            File Transfer Protocol is used to transfer files between computers
23      stealthed  TELNET                         Telnet is used to remotely create a shell (dos prompt)
80      stealthed  HTTP                           HTTP web services publish web pages
137     stealthed  NETBIOS Name Service           NetBios is used to share files through your Network Neighborhood
138     stealthed  NETBIOS Datagram Service       NetBios is used to share files through your Network Neighborhood
139     stealthed  NETBIOS Session Service        NetBios is used to share files through your Network Neighborhood
1080    stealthed  SOCKS PROXY                    Socks Proxy is an internet proxy service
1243    stealthed  SubSeven                       SubSeven is one of the most widespread trojans
3128    stealthed  Masters Paradise and RingZero  Trojan horses
12345   stealthed  NetBus                         NetBus is one of the most widespread trojans
12348   stealthed  BioNet                         BioNet is one of the most widespread trojan
27374   stealthed  SubSeven                       SubSeven is one of the most widespread trojans
31337   stealthed  Back Orifice                   Back Orifice is one of the most widespread trojans
135     closed     RPC                            Remote Procedure Call (RPC) is used in client/server applications based on MS Windows operating systems
 

Recommendation:
Install personal firewall software. PC Flank recommends Outpost Firewall Pro.
If you have already installed and are using a firewall, check if it is set to make all the ports of your computer stealthed (invisible). If it is, then get new firewall software and redo this test.

-------------------------------------------------------------------------------------
#Exploit Test#
Results of the test:
Exploits test

     Your system successfully defended itself from this attack!
 


=================================================
#Shield Up#

Your computer at IP:
xxx.xxx.xxx.xxx 
 
Is being carefully examined:

Total elapsed testing time: 68.953 seconds 

Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

===============================================
PS:
1. Port Status
-"Open" = open; "Closed" = closed, but under certain conditions it can be opened (hacked) from outside; "Stealthed" = hidden: a hacker does not know/detect that our computer is there and will usually go looking for softer prey ("believe me!, there are still plenty of internet users out there with no firewall or a badly configured one").
-A few ports showing "closed" with the rest "stealthed" is nothing to worry about too much, because the test site can sometimes be wrong. Check at another site to confirm.
-In general "open" means a port/protocol is vulnerable to attack from outside (secure it immediately), all the more so if more than one port is detected as "open". If you are not yet sure, test again at another site.
-If your firewall is in "stealth" mode but the RPC and NetBIOS ports (135, 137, 138 and 139) are detected as "closed", don't panic yet. Some ISPs close off access to those ports from outside (blocked outright), specifically to prevent worms from spreading.
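
The three statuses correspond to what a single TCP connection attempt gets back: a completed handshake, a reset, or silence. The following is an added example, not code from this post or from PCFlank/GRC, that classifies a port on a machine you own the way a TCP CONNECT test does; the function names and the loopback demo are assumptions made for the illustration.

```python
import socket

# Ports the post notes some ISPs block from outside (RPC and NetBIOS).
ISP_FILTERED = {135, 137, 138, 139}

def classify(exc):
    """Map the outcome of a TCP connect() to the post's three statuses."""
    if exc is None:
        return "open"        # handshake completed: a service is listening
    if isinstance(exc, ConnectionRefusedError):
        return "closed"      # RST came back: no listener, but the host answered
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "stealthed"   # silence: the probe was dropped without a reply
    return "unreachable"     # e.g. an ICMP error, or no route from this machine

def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and classify what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

def advice(port, status):
    """Follow-up per the post's notes on reading a result."""
    if status == "open":
        return "secure this port now, then retest at another site"
    if status == "closed" and port in ISP_FILTERED:
        return "some ISPs block this port themselves; confirm at another site"
    if status == "closed":
        return "host is visible; check the firewall is set to stealth all ports"
    return "no action"

def loopback_demo():
    """Constructed demo on 127.0.0.1: the same port before and after listen()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))          # bound but not listening -> RST
    port = s.getsockname()[1]
    before = probe("127.0.0.1", port)
    s.listen(1)                       # now a listener exists -> handshake
    after = probe("127.0.0.1", port)
    s.close()
    return before, after

if __name__ == "__main__":
    print(loopback_demo())            # statuses before and after listen()
```

Loopback traffic usually bypasses the firewall rules applied to the internet-facing interface, so a "stealthed" result only means something when `probe` is run from a second machine against your own external address.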

2. Make sure your IP is the same as the one shown on the test site:

Some connections/firewalls show your IP address directly. If you don't know it yet, you can find it as follows:
On XP, point to Start and click Run (type cmd), or run Command Prompt (Accessories) while connected to the internet. Then at the prompt type ipconfig/all to see your IP address, note it down, then close the command prompt/DOS prompt.

D:\Documents and Settings\user name>ipconfig/all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : Jakala2
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

PPP adapter Prepaid:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : yyy.yyy.yyy.yyy
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : yyy.yyy.yyy.yyy
        DNS Servers . . . . . . . . . . . : xxx.xxx.xxx.xxx
                                            xxx.xxx.xxx.xxx
        NetBIOS over Tcpip. . . . . . . . : Disabled

NB:
-xxx = data I won't give you (for security reasons)
-yyy = your IP address
-besides determining the IP address, the ipconfig/all procedure also finds the DNS server addresses, which can be used to restrict data flow (only allowing communication to the DNS port when requested by the ISP's server).

3. The test site fails to detect your IP, so the test cannot be carried out; an example of the message that appears:

"The test has found that the IP address used by your computer cannot be scanned. This commonly occurs because of a firewall program on your computer and/or you are connected to the Internet through a proxy-server or your ISP uses Network Address Translation (NAT) to share IP addresses."
 
Explanation: The test site cannot find your real IP because you may be using a proxy server (with NAT). Look at your connection details with the ipconfig/all command as in point 2. If you do want to run the test, try turning off the proxy server setting or temporarily switching your internet connection, because during the test the site needs to send data/exploits directly to several/many ports of our PC, for about 1-2 minutes, to see how the PC/firewall responds to that data/exploits. A hacker usually targets/scans only 1-3 ports (which takes just a few seconds); if those ports are detected as open, an attack follows (attack detection).

Using a proxy server gives no guarantee of security against hacking... because hackers often use a random scatter method... aiming at IP addresses around their own or from servers/connections they can guess. What matters most is how the firewall responds when a signal/data transaction tries to get into our computer.

Jakala_2: "Secure your unsecure connection before it's too late.."


Posted at 02:10 am by jakala_2
