thisiskav
Sep 26, 2025 | Aspirant
Protection Engine and Stealth ports
Hello, Recently, I purchased a Nighthawk RS100 Router. After configuring it, I tested my setup using Shields Up. All my ports reported as Stealth and the router log was clean of anything seriou...
CrimpOn
Sep 26, 2025 | Guru - Experienced User
My sense is that these are incompatible goals:
- Not responding to connection requests (stealth) is a method to prevent attacks. However,
- Netgear's Protection Engine cannot analyze internet activities unless it acknowledges connection requests.
Your choice as to which offers a better environment.
Personally, stealth is the "way to go". i.e. "nothing to see here. go look somewhere else."
- StephenB | Sep 26, 2025 | Guru - Experienced User
CrimpOn wrote:
Netgear's Protection Engine cannot analyze internet activities unless it acknowledges connection requests. Personally, stealth is the "way to go". i.e. "nothing to see here. go look somewhere else."
I'm not convinced your premise is correct.
Assuming it is, I believe that a scan can still distinguish a stealth IPv4 address from an unused IPv4 address. The ISP router should return a destination host unreachable response to a ping if the address isn't used, which is different from a response timeout. Additionally, many ISPs will also create a DNS entry for your router, which can be found with reverse DNS. So going stealth doesn't guarantee that your system can't be found (and is perhaps overrated).
If any ports are forwarded (or opened via UPnP), it'd be better to keep the protection engine on. So maybe Netgear could engage the PE only on open ports by default.
If something is in the DMZ, then I think the router needs to assume all ports are open, and keep the PE on for all ports.
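The timeout-versus-unreachable distinction raised in the reply above, as an added example that is not part of the thread: it classifies what comes back from a ping as a timeout (the "stealth" case), an ICMP destination host unreachable (type 3, code 1), or an echo reply. The addresses and sample packets are constructed for illustration, and `classify` and `build_icmp` are hypothetical helper names.

```python
import socket
import struct

TARGET = "203.0.113.10"   # constructed: documentation-range address being pinged
PROBER = "198.51.100.7"   # constructed: address the echo request came from

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Build an ICMP message (used here only to construct the sample replies)."""
    csum = checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def classify(reply, target: str) -> str:
    """reply: ICMP bytes received after pinging target, or None if the wait timed out."""
    if reply is None:
        return "timeout"            # packets silently dropped: the "stealth" case
    if len(reply) < 8 or checksum(reply) != 0:
        return "malformed"
    icmp_type, code = reply[0], reply[1]
    if icmp_type == 0:
        return "echo-reply"         # host answers pings
    if icmp_type == 3 and code == 1 and len(reply) >= 28:
        # Bytes 8..27 quote the original IP header; its destination is at offset 16.
        if socket.inet_ntoa(reply[24:28]) == target:
            return "host-unreachable"   # upstream router says nothing is at this address
    return "other"

# Constructed sample replies.
ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 1, 1))
QUOTED_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                        socket.inet_aton(PROBER), socket.inet_aton(TARGET))
UNREACHABLE = build_icmp(3, 1, b"\x00" * 4 + QUOTED_IP + ECHO_REQUEST)
ECHO_REPLY = build_icmp(0, 0, struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    for name, reply in [("stealth router", None), ("unused address", UNREACHABLE),
                        ("answering host", ECHO_REPLY)]:
        print(f"{name:15} -> {classify(reply, TARGET)}")
```

The three outcomes are distinct, so a silent timeout on an address does not look the same as an address that the upstream router reports as unused.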