Tech Blog

Preserve or Nuke? Strategies for updating older LANCOM routers to latest LCOS firmware

The Problem

During recent interactions with some LANCOM resellers we became aware of some LANCOM routers in the wild that were still running their originally deployed LCOS firmware. This was even though the hardware was capable of running the very latest LCOS firmware.

We remotely viewed some LANCOM 178x series routers that were actually running LCOS 8.82 dating from 2013. We consider a router running firmware this ancient to be a security threat and recommend that ALL deployed routers running such very old firmware should be upgraded as a matter of urgency to the latest LCOS release which is currently LCOS 10.40, if they are capable.

Reasons to Upgrade

There are obviously a number of very good reasons to upgrade from older LCOS to the latest but some of the reasons are list below…

  1. Latest feature set for FREE
  2. Newer SSL defaults, older standards such as SSLv3 are depreciated and newer standards are introduced such as TLS v1.3 and many other encryption algorithms DH codes etc are improved. Having latest SSL defaults substantially aids the passing of PCI testing.
  3. Newer SSH defaults use larger minimum SSH key lengths & newer algorithms that are mandatory to pass current PCI testing.
  4. Newer SNMP defaults such as SNMPv3 offer encrypted access and are therefore safer. Older SNMPv1 & v2 standards are NOT secure and if WAN access is allowed router information may be read out.
  5. Complex Passwords enabled by default.
  6. Updated IKEv1 proposals make for more secure VPNs.
  7. IKEv2 offers quicker VPN establishment and automatic HTTPS failover.
  8. IPv6 on LAN / WAN / WLAN / VPN
  9. LANCOM Management Cloud integration if needed
  10. More internet performance through routing improvements & better VDSL code.
  11. More Wi-Fi performance through better drivers and more features such as WPA3 etc.
  12. Enables operation of ESL ePaper radio via existing USB port
  13. Did we say the latest firmware is FREE?

All features from page 10 back to 4 of the LCOS 10.40 datasheet are features that have been added to LCOS devices for FREE since LCOS 8.82. This means that a 7 year old 1781va/vaw router gets almost all the latest software features of a brand new 1790x router.

Preserve Configuration or Nuke Configuration.

Once you decide to upgrade your devices to you need to choose whether to maintain the existing configuration or whether to upgrade, factory reset and start from scratch. Many LANCOM routers in the wild have only a basic configuration, many have only a single internet connection with no backup, many have only a small amount of defined VPN tunnels if any and many utilise only limited port forwarding configurations.

The two options

a. Maintain Configuration – If a deployed LANCOM has a complex configuration with VoIP integration, complex firewall rules or many VPNs you should upgrade* firmware whilst maintaining legacy settings.
b. Nuke Configuration – If a deployed LANCOM has only a simple configuration it is best to upgrade* firmware, factory default and configure from scratch.

*In both cases above make a manual backup in LANconfig using BOTH configuration file and configuration script before starting any upgrade process.

Scenario A – Maintain Configuration

It may take multiple steps to upgrade firmware from 8.82 all the way or 10.40. So we would recommend upgrading in intermediate steps as suggested below.

  1. Make sure host PC is running very latest release or release update version of LANconfig and LANmonitor.
  2. If on 8.8x upgrade to 8.84su10
  3. If on 8.84su10 upgrade to 9.24ru11
  4. If on 9.x go to 9.24ru11
  5. If on 9.24ru11 go to LATEST
  6. Log into router via CLI
  7. Run command “ssldefaults” and enter Y when asked to verify. This resets SSL settings to the latest LCOS defaults
  8. Navigate to SSH directory by typing cd Setup/Config/SSH/, verify you are in correct location then type “Default -r”. This resets SSH to the latest LCOS defaults.
  9. Navigate to SNMP directory by typing cd\ then cd Setup/SNMP, verify you are in correct location then type “Default -r”. This disables SNMP v1 & v2 and enables v3
  10. Navigate to root directory by typing cd\ and then run command “deletebootlog” to clear old bootlog entries
  11. Navigate to root directory by typing cd\ and then run command “do Status/TCP-IP/Syslog/Delete-Values” this clears the syslog
  12. Navigate to root directory by typing cd\ and then run command “do Other/Cold-Boot” to reboot.
  13. After reboot Click on device in LANconfig and using the backup config as a template recreate the Comments in Configuration -> Management -> General -> Comments as defaulting SNMP will have erased them.

Scenario B – Nuke Configuration

It may take multiple steps to upgrade from for example 8.82 all the way to 10.40. So we would recommend upgrading in intermediate steps as suggested below.

  1. Make sure host PC is running very latest release or release update version of LANconfig and LANmonitor.
  2. If on 8.8x upgrade to 8.84su10
  3. If on 8.84su10 upgrade to 9.24ru11
  4. If on 9.x go to 9.24ru11
  5. If on 9.24ru11 go to LATEST.
  6. Reset to factory defaults using CLI or reset button.
  7. Configure as new.
  8. Create new VPN Client profiles as required.
  9. Create new Drag & Drop VPN links BUT ONLY IF OTHER SIDE HAS ALSO BEEN NUKED.

How to stay updated automatically

LANCOM devices since LCOS 10.20 now feature  automatic software update feature at Configuration-> Management->Software Update

We would suggest configuring the Update Mode as “Check & Update” and “Update Policy” to “Current Version”. This means that if you are on 10.40 the router will receive 10.40ru1, 10.40ru2, 10.40su3 etc but NOT 10.50.

LANCOM devices being managed by the LANCOM Management Cloud can also use functionality within the LMC to keep devices on the latest firmware.

For very old router that are no longer receiving new release versions of LCOS we recommend that they should be upgraded to the last available Release Update (RU) or Security Update (SU).

Since writing this blog post LANCOM have released a Knowledge Base article offering another alternative method of updating a LANCOM LCOS device from very old to recente firmware.

LCOS LX 5.10 Enhances feature set of LW-500 & LX-640x APs

LCOS LX is a newly developed operating system for selected LANCOM access points. The management
and monitoring of the functions is carried out extremely convenient and flexible either via a new intuitive web interface or automatically via the LANCOM Management Cloud.

Find out more about LCOS LX here.

LCOS LX improvements 5.10.0004 Rel

New features
  • Support for WPA3
  • Support for Wi-Fi 6
  • Automatic software updates via auto-updater
  • Band Steering (for IEEE 802.11v-capable and legacy clients)
  • Fast Roaming based on IEEE 802.11r
  • IEEE 802.1X pre-authentication
  • LEPS-U (LANCOM Enhanced Passphrase Security – User)
  • Support for LLDP
  • A Support for SNMPv3
  • A Support for LANmonitor
  • A IEEE 802.1X supplicant for the Ethernet interface

Downloads

Datasheet LCOS LX5.10

Release Notes LCOS LX 5.10

Comparison LCOS & LCOS LX

Reference Manual LCOS LX 5.10

ECSE – Design 4-Day Wi-Fi Design Training Course

Date – Tuesday 24rd of September to  Friday the 27th of September inclusive.

Time – 0900hrs to 1700hrs each day.

Location Leixlip Manor Hotel – https://leixlipmanorhotel.ie/

Cost €2,995 per person -> €500 discount if booked before 14th September.

Trainer – Raymond Hendrix  https://www.linkedin.com/in/raymondhendrix/

This 4-day course consists of classroom lectures and labs taught by Wi-Fi experts. Learn how to design, optimise, and troubleshoot better Wi-Fi using Ekahau products.

  • Designed for Wi-Fi systems engineers, IT administrators, and other wireless professionals.
  • Dive into all aspects of Wi-Fi life-cycle management including RF fundamentals, predictive designs, spectrum analysis, and much more
  • Receive a highly regarded Ekahau Certified Survey Engineer (ECSE) certification after passing the certification exam
  • Maximum of 12 students per class

Audience

This course and certification are designed for Wi-Fi systems engineers, IT administrators, and others working with Wi-Fi, who require an in-depth knowledge on how to deploy and maintain Wi-Fi networks using Ekahau Wi-Fi tools.

Content

Dive into all aspects of Wi-Fi life-cycle management including:

  • The life cycle of a Wi-Fi network
  • How to design and deploy robust Wi-Fi networks
  • Product installation & activation, basics
  • Pre- and post deployment Wi-Fi site surveys
  • Troubleshooting Wi-Fi issues
  • Spectrum Analysis
  • Reporting
  • ECSE Certification Exam

Prerequisites

Students are expected to have the following skills & knowledge before attending this course:

  • Basics of networking
  • Strong general computer skills
  • CWNA recommended (Not required)
  • Windows laptop with Admin rights for installing software

Course Objectives

At the end of this course the student will hold expert knowledge in designing, deploying and troubleshooting Wi-Fi networks, using Ekahau Wi-Fi tools. The knowledge applies to all Wi-Fi network brands. A certification exam will be held at the end of the course.

Download Flyer

Download Agenda

Call us now on +353 (1) 4011064 or email training@ethos.ie to book your place.

New from LANCOM Systems – R&S Unified Firewalls

LANCOM R&S®Unified Firewalls complement your network by the relevant feature of cyber-security. These easy-to-operate all-round solutions are tailored to the specific security needs of small and medium-sized businesses. Thanks to state-of-the-art security technologies and unified threat management (UTM), these next-generation firewalls provide reliable cyber-security.

A prominent feature is the innovative graphical user interface granting a concise overview of all of the secured areas in the company’s network. Formerly complex and time-consuming configurations are greatly simplified since security policies can be systematically designed and enforced.

ECSE 4-Day Wi-Fi Design & Troubleshooting Training Course

Become a master at deploying & troubleshooting Wi-Fi

Date – Monday 4th of March to Thursday 7th of March inclusive

Location The Cliff @ Lyons www.cliffatlyons.ie

Cost €2,295 per person

Trainer Eddie Forero https://www.linkedin.com/in/heyeddie/

This 4-day course consists of classroom lectures and labs taught by Wi-Fi experts. Learn how to design, optimise, and troubleshoot better Wi-Fi using Ekahau products.

  • Designed for Wi-Fi systems engineers, IT administrators, and other wireless professionals.
  • Dive into all aspects of Wi-Fi life-cycle management including RF fundamentals, predictive designs, spectrum analysis, and much more
  • Receive a highly regarded Ekahau Certified Survey Engineer (ECSE) certification after passing the certification exam
  • Maximum of 12 students per class

Audience

This course and certification are designed for Wi-Fi systems engineers, IT administrators, and others working with Wi-Fi, who require an in-depth knowledge on how to deploy and maintain Wi-Fi networks using Ekahau Wi-Fi tools.

Content

Wireless LAN and RF fundamentals

  • The life cycle of a Wi-Fi network
  • How to design and deploy robust Wi-Fi networks
  • Product installation & activation, basics
  • Pre- and post deployment Wi-Fi site surveys
  • Troubleshooting Wi-Fi issues
  • Spectrum Analysis
  • Reporting
  • ECSE Certification Exam

Prerequisites

Students are expected to have the following skills & knowledge before attending this course:

  • Basics of networking
  • Strong general computer skills
  • CWNA recommended (Not required)
  • Windows laptop with Admin rights for installing software

Course Objectives

At the end of this course the student will hold expert knowledge in designing, deploying and troubleshooting Wi-Fi networks, using Ekahau Wi-Fi tools. The knowledge applies to all Wi-Fi network brands. A certification exam will be held at the end of the course.

Download ECSE training datasheet

Call us now on +353 (1) 4011064 or email training@ethos.ie to book your place.

New LCOS command line resets SSL/TLS to more secure defaults

LANCOM Longevity 

Many resellers & end users already know that LANCOM devices have a very long lifespan. Models that are still in production may have originally shipped 5 years ago on much older LCOS versions. For example the stalwart 1781va router originally shipped in early 2013 with LCOS 8.78 while the recently discontinued WLC-4025+ originally shipped in 2009 with LCOS 7.70.

Both the device examples above are able to run the very latest LCOS release which is 10.20ru1. This revision of LCOS is almost a decade further developed in in terms of features, performance & security when compared for example to LCOS 7.70. This is the investment protection that LANCOM users know & love. 

New SSL / TLS Defaults

For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely-used encryption protocols ever released, and remains in widespread use today despite various security vulnerabilities exposed in the protocol.

SSL v3.0 was superseded in 1999 by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. Now SSL & early TLS no longer meet minimum security standards due to security vulnerabilities in the protocol for which there are no fixes. It is critically important that entities upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.

SSL v3.0 is already disabled by default in LANCOM routers beginning from LCOS 8.84RU4 and LCOS 9.00RU3 or later, however this is only true for devices that are factory defaulted with this LCOS version. 

If you take any LANCOM devices, upgrade them LCOS 10.20ru1 and then factory default them, you get the very latest and most secure SSL/TLS defaults not to mention the latest defaults for all the newer features added over the years.

But There Is A Catch

Factory defaulting and setting up from scratch is easy if you have a device with a simple configuration, but on many devices you may have a long lived & complex configuration and you may have upgraded the LCOS version regularly over time until you arrived at the latest LCOS 10.20ru1 and herein lies a problem. 

In the case of a router that has had the same configuration upgraded through the LCOS versions from 7.x to 8.x to 9.x to 10.x and finally to 10.20ru1 many of the default SSL & TLS settings will still be the original defaults from the original LCOS version the device was configured with and these older defaults may be a security threat.

LANCOM Make it Easy

In a previous Tech Blog post regarding PCI compliance (see here) we offered a script that tightened up many of the SSL/TLS settings to more modern, secure defaults. With the release of LCOS 10.20ru1 LANCOM have introduced a simple command line option that tightens SSL/TLS defaults to current LANCOM default settings.

At the CLI root run simply the following command.

ssldefaults -y

This command resets the SSL / TLS settings in all sub-menus of the current configuration to the default values after a security prompt. In LCOS, each module comes with its own sub-menu for SSL / TLS settings. This provides a way to reset all settings in these various sub-menus to the current secure default settings. The parameter -y ensures that the security prompt is automatically answered so that the command can be used non-interactively in scripts

 

LCOS 10.20 User Manual Addendum now available to download.

The User Manual Addendum for the new features in LCOS 10.20 RC2 is now available to download from the LANCOM FTP site.

ftp://ftp.lancom.de/Documentation/Reference-Manual/MA_LCOS-1020-Addendum_EN.pdf

 

 

LCOS 10.20 Release Candidate 2 Available to download

The power package for high-performance networks

We would like to invite you to test the newest developments of the LANCOM Operating System (LCOS): The LCOS 10.20 Release Candidate 2 now ready for a further practical test!

Apart from a variety of new features and improvement, with LCOS 10.20 RC2 you extend your LANCOM access points, WLAN controllers, routers, and gateways with full-fledged highlight functionalities for maximum quality enhancements as well as excellent network control.

Feature Highlights

NEW: WPA3 – State-of-the-art Wi-Fi security

The latest generation of Wi-Fi encryption – WPA3 (Wi-Fi Protected Access) – now offers you more security for your WLAN infrastructure. As the successor of WPA2, WPA3 offers important extensions and security features for small (“WPA3-Personal”) and large networks (“WPA3-Enterprise”). With LCOS 10.20, all LANCOM access points and WLAN routers support the new Wi-Fi security standard. Learn more in our Whitepaper

NEW: Auto Updater – always up-to-date

The Auto Updater keeps your installations up-to-date automatically: If desired, LANCOM devices can search for new software updates, and download and install them without any user interaction. You can choose whether to install only security updates, release updates, or all updates automatically. If automatic updates are not desired, the feature can still be used to check for new updates, which can then be installed with a single click.

Client Management – for best-ever Wi-Fi

Client Management steers Wi-Fi clients to the best available access point and frequency band. This feature improves the quality of wireless networks of all sizes—whether they operate stand-alone or orchestrated by the LANCOM Management Cloud. The popular Band Steering and Client Steering, which so far were separate features, have now been combined and even operate without a WLAN controller.

LEPS-U & LEPS-MAC

Keep control of who is in your Wi-Fi. With LEPS-U (LANCOM Enhanced Passphrase Security – User), individual clients or entire groups each receive a unique Wi-Fi password for an SSID. Using LEPS-MAC, you additionally authenticate the clients by their MAC address—ideal for secure corporate networks.

 

WAN Policy-Based NAT

WAN Policy-Based NAT allows an easy assignment of static WAN IPv4 addresses to desired services. Due to a NAT action in the firewall rules internal addresses are masked behind a WAN address from the Internet access provider. Ideal for scenarios e.g. for the operation of mail servers and web servers with different WAN addresses.

 

To give the LCOS 10.20RC2 pre-release a tryout please navigate to the LANCOM download area

https://www.lancom-systems.com/downloads/

WPA3 Coming Soon to compatible LANCOM devices in Free LCOS 10.20 Update

Better security for existing installations

LANCOM announces firmware update with new WLAN security standard WPA3

The Wi-Fi Alliance released the specification for the new wireless security standard WPA3 recently. LANCOM Systems, the leading German manufacturer of network infrastructure solutions for business and administration, is integrating WPA3 into its next operating system release (LCOS 10.20). The release of LCOS 10.20 is scheduled for this summer. The firmware can be loaded into all current WLAN routers and access points.

The WPA3 development results from the KRACK vulnerability in WPA2 and introduces new security features for small (“WPA3-Personal”) and large networks (“WPA3-Enterprise”). Hotspot users benefit from Enhanced Open, which for the first time enables individual encryption in open WLAN networks.

Update for all current WLAN products available

LANCOM is making WPA3 available with the next update of its LCOS operating system. With the help of LCOS 10.20, existing WLAN networks are also brought up to date with regard to safety. LCOS 10.20 will soon be available for free download from the LANCOM website.

www.lancom-systems.de/produkte/firmware/lcos-1020-rc1/

Basically, all LANCOM products are regularly provided with major updates throughout their lifetime. Even after the “end of sale” of a product, LANCOM will provide software updates with new features, detailed improvements and bug-fixes for download for another two years. Security updates are made available up to five years after the end of sale of a product.

LANCOM Advanced VPN Client 4 for Windows Released

Advanced VPN Client improvements 4.10 Rel Build 39753

New features
  • Biometric authentication
    (e.g. fingerprint- or face recognition) before VPN connection establishment. For protection against a VPN connection establishment by unauthorized third parties a biometric authentication has been added to the Advanced VPN Client. Immediately after pressing the “Connect” button in the client GUI there is a prompt for user authentication. The VPN connection is only established after a positive authentication. The Windows Hello functionality is required for biometric authentication, which is available as from Windows 8.1 or later.
  • Modernized client GUI
    The client GUI and the tray popup window which is started from the taskbar have been adopted to the current Windows 10 design.
  • Complete 64 bit implementation of the Advanced VPN Client
    As from this version, all components of the Advanced VPN Client are included in 64-bit versions.
  • New GUI for the credential provider, including the Hotspot authentication functionality.
    For establishing the VPN tunnel prior to the Windows user authentication, it is now possible to do a Hotspot authentication on a re-designed GUI.
Bug-fixes / improvements
  • Configuration of the VPN tunnel endpoint.
    Multiple VPN tunnel endpoints can now be configured using their domain names.
  • Optimization of the DPD functionality
  • FIPS-Inside
    When installing from scratch or changing an existing configuration the FIPS mode can be enabled or disabled from within the installation routine.
  • Display of IPv6 connection information
    IPv6 addresses are now displayed on the connection information page, too.
  • Enhancements within the Client Info Center
    A new section with driver information has been added to the Client Info Center. For Windows 10 operating systems, driver version- and build number are now additionally displayed.
  • Improvements of the Hotspot functionality
    The compatibility to Hotspot authentication pages has been extended.

Download the latest version of the LANCOM Advanced VPN Client for Windows here.

12