Stonewall – Missing my Netgear Firewall

How my Netgear firewall became a piece of stone was I didn’t listen to the F.B.I. Being a native New Englander, the Feds have a reputation, especially in the Boston office for aiding and abetting in keeping Whitey Bulger, the notorious mobster to stay loose in Boston for a number of years. Whitey was in the news for years and years, till he got captured in 2011, found guilty virtually on all counts in 2013 to passing away the day before Halloween of this year.

Not that I don’t trust the Feds, but if the agency couldn’t keep a mobster off the streets, how should I take their intel that there was malware being transmitted over the Interwebz and to just restart the firewall to clear out the bad bug? When you hear the F.B.I., it is about the whereabouts of a Most Wanted person, not that there is malware, logically wouldn’t that be the responsibility of say Homeland Security? I did not take matters seriously, and didn’t take their warning seriously. And, it goes that I knew this device was End of Support later to be End of Life because Netgear decided to pull the plug on development in 2017, nearly a year after I acquired it new. Not only that I also was starting to try out other firewalls. As I didn’t take the threat seriously, I was left to these alternative firewalls, with the hope that I would use it for another year, giving me time to migrate.

I had to do migration on the fly, sudden, cold and confused.

I didn’t realize my “enterprise” grade Netgear was on the hitlist, till after the fact. From my personal knowledge owning a FVS318G, ProSafe™ firewall, that if I made a change to the configuration, that the bug would live there forever.

And it did. On a very hot July day, I started to realize why I was unable to get into the firewall. I added two and two to realize after the fact, that my model was on a revised hit list. This wasn’t used as a router, but a firewall to split up two different LANs that needed to be routed at the WAN level so those two networks could access the Internet (the WAN.)

In essence, this post is more of a review of why I chose this model, and how other vendors cannot top.

  • Because its Netgear, I hear a lot about how Netgear devices (even ProSafes) to be insecure. It’s inexpensive, meaning if I wanted a super secure network, I would have to pay nearly several thousand dollars annually on hardware, software and ongoing licenses known as “perpetual licenses.”
  • Layer 3 and Gigabit firewall. For a “social media price” of under $100 via CDW in 2016, I mean who wouldn’t?
  • DNS proxy/filtering. Never had I had targeted ads till the Netgear started to break down. I had blocked many known domains and it worked just fine. Other solutions are more cumbersome of almost a black and white (deny vs. allow vs. any) while this setting was to clearly deny. The DNS proxy part enabled me, to have a LAN based Domain Name Server address so no was appearing on the device level when pulled from DHCP. I have the practice, of local DNS first, then to a local “proxy” that would serve the Internet based domain lookups.
  • VPN support, but was discontinued after Netgear pulled the plug, and still do not have a full fledged Business class Internet service
  • With any small firewall, the more services, the system would be bogged down, so I did redirect some services to other devices.
  • EASY to use. I consider ProSafes, to be more of a “prosumer” than a flat out “consumer” grade firewall.

The firewall also sported a DB-9 Serial port, which means you can get into the inter workings of the firewall for troubleshooting. From the looks of it, it runs on some form of a VxWorks operating system (a DOS-like system for small devices.)  For this vulernability to take something like VxW down, is rather interesting. Like I said, it’s easy to troubleshoot because you do not need to take apart, loose the warranty and solder pins to make a dohickey out of it.

But once I figured this out, I also got an ASA firewall from the guy from Montana. Originally the ASA was going to to be for lab purposes, but for more than 8 hours,  I was figuring out why I couldn’t out put out local DNS address (such as the address to the ASA) to only find out that Cisco IOS based devices do not have DNS proxies like listed above!

While pfSense looked promising, the thing was a royal pain to manage. The pfS setup was it would sit between my LAN and the Netgear (later Cisco) firewalls. the real protection was on the server level. But there would be situations where the firewall lost contact with the ASA leaving it without a “WAN” connection (i.e. the Internet.) While we have Comcast for ISP, the Internet connection from the modem to the pole has only gone down once. Everything else has been on the LAN level (i.e. my network.) When it “goes down” it means you can’t get out without protection from the modem, assuming if you plug right into the LAN port on the modem, that you’ll get the ISP’s IP address and a more open Internet than say a more restrictive, and secure.

Then, the ethos in open source, there was a “fork” called OPNSENSE, an offspring to pfSense, where support for different types of hardware was neglected, and other things. And this rather simplistic version of pfSense has worked well, it’s still a challenge because it’s not as easy to manage like a Netgear. This lead me back to an idea of using commercial software entirely based out of the US over foreign vendors, developers, etc., not just for cybersecurity, but for stability period. Open Source is too wild and out of control and “standardization” is far from reality.