• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1978
  • Last Modified:

Cisco 1841 Firewall/Security Settings

Wasn't sure whether to post htis here or in the Router section.
We have a Cisco 1841 Router and are trying to check the firewall/security settings.
I Ran the shields up scan at GRC and got the following.

Results from scan of ports: 0-1055

    4 Ports Open
 1049 Ports Closed
    3 Ports Stealth
---------------------
 1056 Ports Tested

Ports found to be OPEN were: 23, 25, 80, 443

Ports found to be STEALTH were: 137, 138, 139

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

“Ports found to be OPEN were: 23, 25, 80,443”, all these I expected to be open because we configured them to be for our various services.
So what I'm wondering is about the closed ports, they actually respond if probed and are possibly exploitable, correct?
 
Also, is there difference between Stealth and Blocked, the definitions I have seen seem to be the same in that a blocked or stealth port will not respond in any way to a probe, as if there is nothing there. Other tests have shown the ports GRC called stealth, are blocked, and the Cisco engineer I talked to at the TAC seemed to be puzzled by the term Stealth.
 I know every network is different, but what would be the "Correct" setup?  All ports stealth or blocked, except what must be open for services?
I have set points to max, would give more if I could ;)

Thanks
0
SCCHIS
Asked:
SCCHIS
1 Solution
 
calvinetterCommented:
GRC uses the term "stealth" to describe a port that doesn't respond at all to connection attempts, nor does it respond with "feedback" such as sending an ICMP "administratively prohibited" message (type 3 code 9 or 10 -> http://www.iana.org/assignments/icmp-parameters).  A "stealthed" port just means you have some type of firewall device between the outside & the end server, which is filtering connection attempts to certain or all ports & isn't sending any feedback back to the external port scanner.

>...about the closed ports, they actually respond if probed and are possibly exploitable, correct?
  If ports show up as simply 'closed' that probably means: A) the connection attempt reached an end system (web server, etc), the port responded with the equivalent of "no service present here", & there wasn't any service listening on that port, or B) these ports are being filtered by a router/firewall that is sending some type of response back to the scanner.  
  If traffic is getting straight to the end system (ie no firewall blocking it) & no service is listening on a port, then hopefully they shouldn't be exploitable, except perhaps to a denial of service attack if the end system is susceptible to a flood of connection attempts to these closed ports, etc.

>is there difference between Stealth and Blocked...
  'stealth' port as mentioned above doesn't respond at all - this is ideally what you want for *all* ports not being opened to the outside world.  A 'blocked' port usually means there was some type of response such as the ICMP "administratively prohibited" message sent back to the party running a port scan.  But as long as your router or firewall is successfully preventing traffic to these 'blocked' ports your end system (ie, server) should be ok.

>...but what would be the "Correct" setup?
  Best practices for filtering traffic from the outside world would include:
- firewall blocks everything that you don't specifically allow
- firewall doesn't send back any response to port scans on blocked ports (ie, all unused ports should show up as "stealthed")
- if your router is also acting as your only firewall between the outside world, use the more intelligent firewalling capabilities of CBAC instead of plain old ACLs (access lists) IF possible; your router needs to have the firewall feature set, found in the "Advanced Security" IOS image.

  Configuring CBAC - IOS 12.4:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804a41c5.html

cheers
0
 
SCCHISAuthor Commented:
 Thanks a lot, thats exactly what I needed !
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now