Cisco 1841 Firewall/Security Settings

Posted on 2006-04-24
Last Modified: 2013-11-16
Wasn't sure whether to post this here or in the Router section.
We have a Cisco 1841 Router and are trying to check the firewall/security settings.
I ran the Shields Up scan at GRC and got the following.

Results from scan of ports: 0-1055

    4 Ports Open
 1049 Ports Closed
    3 Ports Stealth
 1056 Ports Tested

Ports found to be OPEN were: 23, 25, 80, 443

Ports found to be STEALTH were: 137, 138, 139

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

“Ports found to be OPEN were: 23, 25, 80, 443”: all of these I expected to be open, because we configured them to be for our various services.
So what I'm wondering about is the closed ports: they actually respond if probed and are possibly exploitable, correct?
Also, is there a difference between Stealth and Blocked? The definitions I have seen seem to be the same, in that a blocked or stealth port will not respond in any way to a probe, as if there is nothing there. Other tests have shown that the ports GRC called stealth are blocked, and the Cisco engineer I talked to at the TAC seemed to be puzzled by the term Stealth.
I know every network is different, but what would be the "Correct" setup? All ports stealth or blocked, except what must be open for services?
I have set points to max, would give more if I could ;)

Question by: SCCHIS

    Accepted Solution

    GRC uses the term "stealth" to describe a port that doesn't respond at all to connection attempts, nor does it respond with "feedback" such as sending an ICMP "administratively prohibited" message (type 3 code 9 or 10). A "stealthed" port just means you have some type of firewall device between the outside & the end server, which is filtering connection attempts to certain or all ports & isn't sending any feedback back to the external port scanner.

    >...about the closed ports, they actually respond if probed and are possibly exploitable, correct?
      If ports show up as simply 'closed' that probably means: A) the connection attempt reached an end system (web server, etc), the port responded with the equivalent of "no service present here", & there wasn't any service listening on that port, or B) these ports are being filtered by a router/firewall that is sending some type of response back to the scanner.  
      If traffic is getting straight to the end system (ie no firewall blocking it) & no service is listening on a port, then hopefully they shouldn't be exploitable, except perhaps to a denial of service attack if the end system is susceptible to a flood of connection attempts to these closed ports, etc.

    >is there difference between Stealth and Blocked...
      'stealth' port as mentioned above doesn't respond at all - this is ideally what you want for *all* ports not being opened to the outside world.  A 'blocked' port usually means there was some type of response such as the ICMP "administratively prohibited" message sent back to the party running a port scan.  But as long as your router or firewall is successfully preventing traffic to these 'blocked' ports your end system (ie, server) should be ok.

    >...but what would be the "Correct" setup?
      Best practices for filtering traffic from the outside world would include:
    - firewall blocks everything that you don't specifically allow
    - firewall doesn't send back any response to port scans on blocked ports (ie, all unused ports should show up as "stealthed")
    - if your router is also acting as your only firewall between the outside world, use the more intelligent firewalling capabilities of CBAC instead of plain old ACLs (access lists) IF possible; your router needs to have the firewall feature set, found in the "Advanced Security" IOS image.

      Configuring CBAC - IOS 12.4:
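As an added example, not code from the original answer or from the Cisco CBAC guide it refers to, the following IOS 12.4 configuration puts the three best-practice points above into practice on an 1841 running the Advanced Security image: default deny inbound, no feedback to probes on filtered ports, and CBAC inspection instead of plain ACLs for return traffic. The interface names, the 203.0.113.x addresses and the inside 192.168.1.0/24 network are assumptions.

```cisco
! Added example, not from the original answer or the linked Cisco guide.
! Assumed topology: FastEthernet0/0 is the outside (Internet) interface,
! FastEthernet0/1 the inside LAN, and 203.0.113.10 is a placeholder public
! address for the server publishing the four expected services.
!
! 1) CBAC stateful inspection: sessions the inside initiates are tracked,
!    and only their return traffic is admitted through the inbound ACL.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! 2) Default deny on the outside interface: only the published services
!    are reachable from the Internet; everything else is dropped and logged.
ip access-list extended OUTSIDE-IN
 remark Published services (the ports GRC reported as OPEN)
 permit tcp any host 203.0.113.10 eq 23
 permit tcp any host 203.0.113.10 eq 25
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 remark Everything else, including inbound ICMP echo, is silently dropped
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside / Internet
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
 ! 3) Send no ICMP unreachable ("administratively prohibited") replies for
 !    denied packets, so filtered ports show as "stealth" rather than "blocked".
 no ip unreachables
!
interface FastEthernet0/1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
```

Verify with `show ip inspect sessions` (dynamic return-traffic entries) and `show access-lists OUTSIDE-IN` (hit counters on the deny line) while repeating the GRC scan. Note that `no ip unreachables` also suppresses "fragmentation needed" messages on that interface, which can interfere with path MTU discovery for the published services.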


    Author Comment

     Thanks a lot, that's exactly what I needed!
