Cisco 1841 Firewall/Security Settings

Wasn't sure whether to post htis here or in the Router section.
We have a Cisco 1841 Router and are trying to check the firewall/security settings.
I Ran the shields up scan at GRC and got the following.

Results from scan of ports: 0-1055

    4 Ports Open
 1049 Ports Closed
    3 Ports Stealth
 1056 Ports Tested

Ports found to be OPEN were: 23, 25, 80, 443

Ports found to be STEALTH were: 137, 138, 139

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

“Ports found to be OPEN were: 23, 25, 80,443”, all these I expected to be open because we configured them to be for our various services.
So what I'm wondering is about the closed ports, they actually respond if probed and are possibly exploitable, correct?
Also, is there difference between Stealth and Blocked, the definitions I have seen seem to be the same in that a blocked or stealth port will not respond in any way to a probe, as if there is nothing there. Other tests have shown the ports GRC called stealth, are blocked, and the Cisco engineer I talked to at the TAC seemed to be puzzled by the term Stealth.
 I know every network is different, but what would be the "Correct" setup?  All ports stealth or blocked, except what must be open for services?
I have set points to max, would give more if I could ;)

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

GRC uses the term "stealth" to describe a port that doesn't respond at all to connection attempts, nor does it respond with "feedback" such as sending an ICMP "administratively prohibited" message (type 3 code 9 or 10 ->  A "stealthed" port just means you have some type of firewall device between the outside & the end server, which is filtering connection attempts to certain or all ports & isn't sending any feedback back to the external port scanner.

>...about the closed ports, they actually respond if probed and are possibly exploitable, correct?
  If ports show up as simply 'closed' that probably means: A) the connection attempt reached an end system (web server, etc), the port responded with the equivalent of "no service present here", & there wasn't any service listening on that port, or B) these ports are being filtered by a router/firewall that is sending some type of response back to the scanner.  
  If traffic is getting straight to the end system (ie no firewall blocking it) & no service is listening on a port, then hopefully they shouldn't be exploitable, except perhaps to a denial of service attack if the end system is susceptible to a flood of connection attempts to these closed ports, etc.

>is there difference between Stealth and Blocked...
  'stealth' port as mentioned above doesn't respond at all - this is ideally what you want for *all* ports not being opened to the outside world.  A 'blocked' port usually means there was some type of response such as the ICMP "administratively prohibited" message sent back to the party running a port scan.  But as long as your router or firewall is successfully preventing traffic to these 'blocked' ports your end system (ie, server) should be ok.

>...but what would be the "Correct" setup?
  Best practices for filtering traffic from the outside world would include:
- firewall blocks everything that you don't specifically allow
- firewall doesn't send back any response to port scans on blocked ports (ie, all unused ports should show up as "stealthed")
- if your router is also acting as your only firewall between the outside world, use the more intelligent firewalling capabilities of CBAC instead of plain old ACLs (access lists) IF possible; your router needs to have the firewall feature set, found in the "Advanced Security" IOS image.

  Configuring CBAC - IOS 12.4:


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SCCHISAuthor Commented:
 Thanks a lot, thats exactly what I needed !
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.