New LCOS command line resets SSL/TLS to more secure defaults

New LCOS command line resets SSL/TLS to more secure defaults

LANCOM Longevity 

Many resellers & end users already know that LANCOM devices have a very long lifespan. Models that are still in production may have originally shipped 5 years ago on much older LCOS versions. For example the stalwart 1781va router originally shipped in early 2013 with LCOS 8.78 while the recently discontinued WLC-4025+ originally shipped in 2009 with LCOS 7.70.

Both the device examples above are able to run the very latest LCOS release which is 10.20ru1. This revision of LCOS is almost a decade further developed in in terms of features, performance & security when compared for example to LCOS 7.70. This is the investment protection that LANCOM users know & love. 

New SSL / TLS Defaults

For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely-used encryption protocols ever released, and remains in widespread use today despite various security vulnerabilities exposed in the protocol.

SSL v3.0 was superseded in 1999 by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. Now SSL & early TLS no longer meet minimum security standards due to security vulnerabilities in the protocol for which there are no fixes. It is critically important that entities upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.

SSL v3.0 is already disabled by default in LANCOM routers beginning from LCOS 8.84RU4 and LCOS 9.00RU3 or later, however this is only true for devices that are factory defaulted with this LCOS version. 

If you take any LANCOM devices, upgrade them LCOS 10.20ru1 and then factory default them, you get the very latest and most secure SSL/TLS defaults not to mention the latest defaults for all the newer features added over the years.

But There Is A Catch

Factory defaulting and setting up from scratch is easy if you have a device with a simple configuration, but on many devices you may have a long lived & complex configuration and you may have upgraded the LCOS version regularly over time until you arrived at the latest LCOS 10.20ru1 and herein lies a problem. 

In the case of a router that has had the same configuration upgraded through the LCOS versions from 7.x to 8.x to 9.x to 10.x and finally to 10.20ru1 many of the default SSL & TLS settings will still be the original defaults from the original LCOS version the device was configured with and these older defaults may be a security threat.

LANCOM Make it Easy

In a previous Tech Blog post regarding PCI compliance (see here) we offered a script that tightened up many of the SSL/TLS settings to more modern, secure defaults. With the release of LCOS 10.20ru1 LANCOM have introduced a simple command line option that tightens SSL/TLS defaults to current LANCOM default settings.

At the CLI root run simply the following command.

ssldefaults -y

This command resets the SSL / TLS settings in all sub-menus of the current configuration to the default values after a security prompt. In LCOS, each module comes with its own sub-menu for SSL / TLS settings. This provides a way to reset all settings in these various sub-menus to the current secure default settings. The parameter -y ensures that the security prompt is automatically answered so that the command can be used non-interactively in scripts


About the author

Gavin Tobin administrator

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.