TCD-Experea (Aspirant)
Dec 11, 2016
FVS318Gv2 fails PCI-DSS scans
We use these for gateway-to-gateway VPN connections between remote offices and the main office. No real issues there now, until they failed a Trustwave scan because of Netgear's built-in certificate on port 443. The Netgear cert only uses a public key length of 1024 with 64 bit blocks. We have also discovered that the Netgear equipment only uses SSL2, SSL3, and TLS1, all of which are obsolete.
I know I can disable remote access to the configuration interface and pass the PCI-DSS scan, but then I have to drive to the remote locations to read their log files and make any needed config updates.
On the VPN side we use 2048 bit certificates with no issues showing up.
At this point I'm looking at my options in the event I have to change hardware vendors, something I'd rather not do.
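A defender-side check for the two findings the scan raised above (obsolete SSL/early-TLS versions accepted on the management port and a certificate key shorter than 2048 bits), written as an added example rather than code from this thread or from NETGEAR; the host and port you pass to the probe are assumptions, and SSLv2/SSLv3 cannot be probed with a modern Python `ssl` module, so those still need an external scanner.

```python
"""Probe an HTTPS management interface for the findings a PCI DSS ASV scan
raises: obsolete SSL/early-TLS protocol versions and a weak certificate key."""
import socket
import ssl

# Versions an ASV scan treats as obsolete ("SSL/early TLS").
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_RSA_BITS = 2048  # minimum RSA modulus size accepted by the scan


def pci_findings(accepted_protocols, key_bits):
    """Turn scan observations into a list of human-readable findings.

    accepted_protocols: protocol names the server completed a handshake with.
    key_bits: RSA modulus size of the server certificate (from the scanner).
    """
    findings = []
    for proto in sorted(set(accepted_protocols) & OBSOLETE_PROTOCOLS):
        findings.append(f"obsolete protocol accepted: {proto}")
    if key_bits < MIN_RSA_BITS:
        findings.append(
            f"weak certificate key: {key_bits}-bit RSA (need >= {MIN_RSA_BITS})")
    return findings


def probe_tls_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version; return the versions accepted.
    Certificate verification is disabled on purpose: appliances ship
    self-signed certs and we only care whether the handshake completes.
    """
    versions = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }
    accepted = []
    for name, version in versions.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = version   # pin the handshake to one version
            ctx.maximum_version = version
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let legacy suites be offered
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted.append(name)
        except (ssl.SSLError, ValueError, OSError):
            pass  # version unsupported by our OpenSSL, or rejected by the server
    return accepted
```

Run `probe_tls_versions("<appliance-ip>")` against the management port before the ASV scan; anything in the result that is also in `OBSOLETE_PROTOCOLS` will fail the scan, and the key size reported by `openssl x509 -text` goes into `pci_findings`.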
6 Replies
- DaneA (NETGEAR Employee, Retired)
Hi TCD-Experea,
Welcome to the community! :)
What is the current firmware version of the FVS318Gv2?
Let me share this old forum link to you.
Regards,
DaneA
NETGEAR Community Team
- TCD-Experea (Aspirant)
Firmware is 4.3.4-2 on all 3 devices.
I have disabled remote admin at this point and have asked AP/AR to initiate a new scan.
- DaneA (NETGEAR Employee, Retired)
Hi TCD-Experea,
Let us know how the new scan goes.
Also, you may want to try to downgrade the firmware to v4.3.3-8. As per the release notes of firmware v4.3.3-8, one of the bug fixes mentioned is about PCI Compliance Scans. You can download the firmware here. Be reminded that it's recommended to perform a factory reset after downgrading the firmware, then reconfigure it from scratch and check if the same problem will occur.
Regards,
DaneA
NETGEAR Community Team
- TCD-Experea (Aspirant)
OK, we passed today with this firmware and a written addendum to cover use of the L2TP tunnel that Trustwave doesn't like even though it is secured. Had to literally turn off everything else in the way of remotely connecting to these to manage them.
My management solution is to set up VPN access at all locations and only manage them through the tunnel at the moment... seems to work, but a failure will lead to about 2 hours of downtime while I travel to a site with a replacement device. I do have a spare that I can configure to match in about 15 minutes now since I've done it so many times.
- SamirD (Prodigy)
I was going to suggest VPN tunnels and managing them that way. And one way to avoid the drive in case one hangs up for some reason is a cheap $99 rebooter from 3gstore that we've found to work great. We actually have a terrible 'business class' cable modem from Charter on one of our connections that every so often gets a glitch in it that only blocks the IPsec tunnel from working. A reboot quickly fixes it, so we've programmed the rebooter to reboot that modem whenever it loses pings across the tunnel, and it's handled the problem since Charter won't replace the modem since they think it's fine. It's worth a look at out-of-band tools like this if a long drive is going to cost.