The Problem
During recent interactions with some LANCOM resellers we became aware of some LANCOM routers in the wild that were still running their originally deployed LCOS firmware. This was even though the hardware was capable of running the very latest LCOS firmware.
We remotely viewed some LANCOM 178x series routers that were actually running LCOS 8.82 dating from 2013. We consider a router running firmware this ancient to be a security threat and recommend that ALL deployed routers running such very old firmware should be upgraded as a matter of urgency to the latest LCOS release which is currently LCOS 10.50ru7 (as of 11/04/22), if they are capable.
Reasons to Upgrade
There are obviously a number of very good reasons to upgrade from older LCOS to the latest but some of the reasons are list below…
- Latest feature set for FREE
- Newer SSL defaults, older standards such as SSLv3 are depreciated and newer standards are introduced such as TLS v1.3 and many other encryption algorithms DH codes etc are improved. Having latest SSL defaults substantially aids the passing of PCI testing.
- Newer SSH defaults use larger minimum SSH key lengths & newer algorithms that are mandatory to pass current PCI testing.
- Newer SNMP defaults such as SNMPv3 offer encrypted access and are therefore safer. Older SNMPv1 & v2 standards are NOT secure and if WAN access is allowed router information may be read out.
- Complex Passwords enabled by default.
- Updated IKEv1 proposals make for more secure VPNs.
- IKEv2 offers quicker VPN establishment and automatic HTTPS failover.
- IPv6 on LAN / WAN / WLAN / VPN
- LANCOM Management Cloud integration if needed
- More internet performance through routing improvements & better VDSL code.
- More Wi-Fi performance through better drivers and more features such as WPA3 etc.
- Enables operation of ESL ePaper radio via existing USB port
- Did we say the latest firmware is FREE?
All features from page 10 back to page 4 of the LCOS 10.50 datasheet are features that have been added to LCOS devices for FREE since LCOS 8.82. This means that a 7 year old 1781va/vaw router gets almost all the latest software features of a brand new 1790x router.
Preserve Configuration or Nuke Configuration.
Once you decide to upgrade your devices to you need to choose whether to maintain the existing configuration or whether to upgrade, factory reset and start from scratch. Many LANCOM routers in the wild have only a basic configuration, many have only a single internet connection with no backup, many have only a small amount of defined VPN tunnels if any and many utilise only limited port forwarding configurations.
The two options
a. Maintain Configuration – If a deployed LANCOM has a complex configuration with VoIP integration, complex firewall rules or many VPNs you should upgrade* firmware whilst maintaining legacy settings.
b. Nuke Configuration – If a deployed LANCOM has only a simple configuration it is best to upgrade* firmware, factory default and configure from scratch.
*In both cases above make a manual backup in LANconfig using BOTH configuration file and configuration script before starting any upgrade process.
Scenario A – Maintain Configuration
It may take multiple steps to upgrade firmware from 8.82 all the way or 10.50. So we would recommend upgrading in intermediate steps as suggested below.
- Make sure host PC is running very latest release or release update version of LANconfig and LANmonitor.
- If on 8.8x upgrade to 8.84su10
- If on 8.84su10 upgrade to 9.24ru11
- If on 9.x go to 9.24ru11
- If on 9.24ru11 go to LATEST
- Log into router via CLI
- Run command “ssldefaults” and enter Y when asked to verify. This resets SSL settings to the latest LCOS defaults
- Navigate to SSH directory by typing cd Setup/Config/SSH/, verify you are in correct location then type “Default -r”. This resets SSH to the latest LCOS defaults.
- Navigate to SNMP directory by typing cd\ then cd Setup/SNMP, verify you are in correct location then type “Default -r”. This disables SNMP v1 & v2 and enables v3
- Navigate to root directory by typing cd\ and then run command “deletebootlog” to clear old bootlog entries
- Navigate to root directory by typing cd\ and then run command “do Status/TCP-IP/Syslog/Delete-Values” this clears the syslog
- Navigate to root directory by typing cd\ and then run command “do Other/Cold-Boot” to reboot.
- After reboot Click on device in LANconfig and using the backup config as a template recreate the Comments in Configuration -> Management -> General -> Comments as defaulting SNMP will have erased them.
Scenario B – Nuke Configuration
It may take multiple steps to upgrade from for example 8.82 all the way to 10.50. So we would recommend upgrading in intermediate steps as suggested below.
- Make sure host PC is running very latest release or release update version of LANconfig and LANmonitor.
- If on 8.8x upgrade to 8.84su10
- If on 8.84su10 upgrade to 9.24ru11
- If on 9.x go to 9.24ru11
- If on 9.24ru11 go to LATEST.
- Reset to factory defaults using CLI or reset button.
- Configure as new.
- Create new VPN Client profiles as required.
- Create new Drag & Drop VPN links BUT ONLY IF OTHER SIDE HAS ALSO BEEN NUKED.
How to stay updated automatically
LANCOM devices since LCOS 10.20 now feature automatic software update feature at Configuration-> Management->Software Update
We would suggest configuring the Update Mode as “Check & Update” and “Update Policy” to “Current Version”. This means that if you are on 10.40 the router will receive 10.40ru1, 10.40ru2, 10.40su3 etc but NOT 10.50.
LANCOM devices being managed by the LANCOM Management Cloud can also use functionality within the LMC to keep devices on the latest firmware.
For very old router that are no longer receiving new release versions of LCOS we recommend that they should be upgraded to the last available Release Update (RU) or Security Update (SU).
Since writing this blog post LANCOM have released a Knowledge Base article offering another alternative method of updating a LANCOM LCOS device from very old to recente firmware.
