Building network automation solutions

9 module online course

Start now!

Closed versus Filtered ports

Due to the way Cisco routers behave when dropping packets with an inbound access list, whenever you use access lists to protect the router from the outside attacks (or port scans), the protected ports (even though they're not active on the router) will appear filtered (some scanners might use the term stealth), which is almost an invitation to a determined hacker.

Sometimes (it depends on the application you're protecting) you can configure application-layer protection in Cisco IOS. For example, you can protect HTTP server with ip http access-class global configuration command or the Telnet server with the access-class in line configuration command (and BGP will not accept incoming TCP SYN packets unless you've configured a BGP neighbor). The access-class configuration causes the incoming request to be rejected within application (in control plane after the TCP stack), resulting in TCP RST packet being sent back. The port scanner thus reports the protected TCP port as closed.

We migrated our blog a few days ago, and the commenting functionality is not there yet. In the meantime please find our content on LinkedIn and comment there.

Sidebar