ECSE 4-Day Wi-Fi Design & Troubleshooting Training Course
Become a master at deploying & troubleshooting Wi-Fi
Date – Monday 4th of March to Thursday 7th of March inclusive
Location – The Cliff @ Lyons www.cliffatlyons.ie
Cost – €2,295 per person
Trainer – Eddie Forero https://www.linkedin.com/in/heyeddie/
This 4-day course consists of classroom lectures and labs taught by Wi-Fi experts. Learn how to design, optimise, and troubleshoot better Wi-Fi using Ekahau products.
- Designed for Wi-Fi systems engineers, IT administrators, and other wireless professionals.
- Dive into all aspects of Wi-Fi life-cycle management including RF fundamentals, predictive designs, spectrum analysis, and much more
- Receive a highly regarded Ekahau Certified Survey Engineer (ECSE) certification after passing the certification exam
- Maximum of 12 students per class
Audience
This course and certification are designed for Wi-Fi systems engineers, IT administrators, and others working with Wi-Fi, who require an in-depth knowledge on how to deploy and maintain Wi-Fi networks using Ekahau Wi-Fi tools.
Content
Wireless LAN and RF fundamentals
- The life cycle of a Wi-Fi network
- How to design and deploy robust Wi-Fi networks
- Product installation & activation, basics
- Pre- and post deployment Wi-Fi site surveys
- Troubleshooting Wi-Fi issues
- Spectrum Analysis
- Reporting
- ECSE Certification Exam
Prerequisites
Students are expected to have the following skills & knowledge before attending this course:
- Basics of networking
- Strong general computer skills
- CWNA recommended (Not required)
- Windows laptop with Admin rights for installing software
Course Objectives
At the end of this course the student will hold expert knowledge in designing, deploying and troubleshooting Wi-Fi networks, using Ekahau Wi-Fi tools. The knowledge applies to all Wi-Fi network brands. A certification exam will be held at the end of the course.
Download ECSE training datasheet
Call us now on +353 (1) 4011064 or email training@ethos.ie to book your place.
New LCOS command line resets SSL/TLS to more secure defaults
LANCOM Longevity
Many resellers & end users already know that LANCOM devices have a very long lifespan. Models that are still in production may have originally shipped 5 years ago on much older LCOS versions. For example the stalwart 1781va router originally shipped in early 2013 with LCOS 8.78 while the recently discontinued WLC-4025+ originally shipped in 2009 with LCOS 7.70.
Both the device examples above are able to run the very latest LCOS release which is 10.20ru1. This revision of LCOS is almost a decade further developed in in terms of features, performance & security when compared for example to LCOS 7.70. This is the investment protection that LANCOM users know & love.
New SSL / TLS Defaults
For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely-used encryption protocols ever released, and remains in widespread use today despite various security vulnerabilities exposed in the protocol.
SSL v3.0 was superseded in 1999 by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. Now SSL & early TLS no longer meet minimum security standards due to security vulnerabilities in the protocol for which there are no fixes. It is critically important that entities upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.
SSL v3.0 is already disabled by default in LANCOM routers beginning from LCOS 8.84RU4 and LCOS 9.00RU3 or later, however this is only true for devices that are factory defaulted with this LCOS version.
If you take any LANCOM devices, upgrade them LCOS 10.20ru1 and then factory default them, you get the very latest and most secure SSL/TLS defaults not to mention the latest defaults for all the newer features added over the years.
But There Is A Catch
Factory defaulting and setting up from scratch is easy if you have a device with a simple configuration, but on many devices you may have a long lived & complex configuration and you may have upgraded the LCOS version regularly over time until you arrived at the latest LCOS 10.20ru1 and herein lies a problem.
In the case of a router that has had the same configuration upgraded through the LCOS versions from 7.x to 8.x to 9.x to 10.x and finally to 10.20ru1 many of the default SSL & TLS settings will still be the original defaults from the original LCOS version the device was configured with and these older defaults may be a security threat.
LANCOM Make it Easy
In a previous Tech Blog post regarding PCI compliance (see here) we offered a script that tightened up many of the SSL/TLS settings to more modern, secure defaults. With the release of LCOS 10.20ru1 LANCOM have introduced a simple command line option that tightens SSL/TLS defaults to current LANCOM default settings.
At the CLI root run simply the following command.
ssldefaults -y
This command resets the SSL / TLS settings in all sub-menus of the current configuration to the default values after a security prompt. In LCOS, each module comes with its own sub-menu for SSL / TLS settings. This provides a way to reset all settings in these various sub-menus to the current secure default settings. The parameter -y ensures that the security prompt is automatically answered so that the command can be used non-interactively in scripts
LCOS 10.20 User Manual Addendum now available to download.
The User Manual Addendum for the new features in LCOS 10.20 RC2 is now available to download from the LANCOM FTP site.
ftp://ftp.lancom.de/Documentation/Reference-Manual/MA_LCOS-1020-Addendum_EN.pdf
LCOS 10.20 Release Candidate 2 Available to download
The power package for high-performance networks
We would like to invite you to test the newest developments of the LANCOM Operating System (LCOS): The LCOS 10.20 Release Candidate 2 now ready for a further practical test!
Apart from a variety of new features and improvement, with LCOS 10.20 RC2 you extend your LANCOM access points, WLAN controllers, routers, and gateways with full-fledged highlight functionalities for maximum quality enhancements as well as excellent network control.
Feature Highlights
NEW: WPA3 – State-of-the-art Wi-Fi security
The latest generation of Wi-Fi encryption – WPA3 (Wi-Fi Protected Access) – now offers you more security for your WLAN infrastructure. As the successor of WPA2, WPA3 offers important extensions and security features for small (“WPA3-Personal”) and large networks (“WPA3-Enterprise”). With LCOS 10.20, all LANCOM access points and WLAN routers support the new Wi-Fi security standard. Learn more in our Whitepaper
NEW: Auto Updater – always up-to-date
The Auto Updater keeps your installations up-to-date automatically: If desired, LANCOM devices can search for new software updates, and download and install them without any user interaction. You can choose whether to install only security updates, release updates, or all updates automatically. If automatic updates are not desired, the feature can still be used to check for new updates, which can then be installed with a single click.
Client Management – for best-ever Wi-Fi
Client Management steers Wi-Fi clients to the best available access point and frequency band. This feature improves the quality of wireless networks of all sizes—whether they operate stand-alone or orchestrated by the LANCOM Management Cloud. The popular Band Steering and Client Steering, which so far were separate features, have now been combined and even operate without a WLAN controller.
LEPS-U & LEPS-MAC
Keep control of who is in your Wi-Fi. With LEPS-U (LANCOM Enhanced Passphrase Security – User), individual clients or entire groups each receive a unique Wi-Fi password for an SSID. Using LEPS-MAC, you additionally authenticate the clients by their MAC address—ideal for secure corporate networks.
WAN Policy-Based NAT
WAN Policy-Based NAT allows an easy assignment of static WAN IPv4 addresses to desired services. Due to a NAT action in the firewall rules internal addresses are masked behind a WAN address from the Internet access provider. Ideal for scenarios e.g. for the operation of mail servers and web servers with different WAN addresses.
To give the LCOS 10.20RC2 pre-release a tryout please navigate to the LANCOM download area
WPA3 Coming Soon to compatible LANCOM devices in Free LCOS 10.20 Update
Better security for existing installations
LANCOM announces firmware update with new WLAN security standard WPA3
The Wi-Fi Alliance released the specification for the new wireless security standard WPA3 recently. LANCOM Systems, the leading German manufacturer of network infrastructure solutions for business and administration, is integrating WPA3 into its next operating system release (LCOS 10.20). The release of LCOS 10.20 is scheduled for this summer. The firmware can be loaded into all current WLAN routers and access points.
The WPA3 development results from the KRACK vulnerability in WPA2 and introduces new security features for small (“WPA3-Personal”) and large networks (“WPA3-Enterprise”). Hotspot users benefit from Enhanced Open, which for the first time enables individual encryption in open WLAN networks.
Update for all current WLAN products available
LANCOM is making WPA3 available with the next update of its LCOS operating system. With the help of LCOS 10.20, existing WLAN networks are also brought up to date with regard to safety. LCOS 10.20 will soon be available for free download from the LANCOM website.
www.lancom-systems.de/produkte/firmware/lcos-1020-rc1/
Basically, all LANCOM products are regularly provided with major updates throughout their lifetime. Even after the “end of sale” of a product, LANCOM will provide software updates with new features, detailed improvements and bug-fixes for download for another two years. Security updates are made available up to five years after the end of sale of a product.
LANCOM Advanced VPN Client 4 for Windows Released
Advanced VPN Client improvements 4.10 Rel Build 39753
New features
- Biometric authentication
(e.g. fingerprint- or face recognition) before VPN connection establishment. For protection against a VPN connection establishment by unauthorized third parties a biometric authentication has been added to the Advanced VPN Client. Immediately after pressing the “Connect” button in the client GUI there is a prompt for user authentication. The VPN connection is only established after a positive authentication. The Windows Hello functionality is required for biometric authentication, which is available as from Windows 8.1 or later. - Modernized client GUI
The client GUI and the tray popup window which is started from the taskbar have been adopted to the current Windows 10 design. - Complete 64 bit implementation of the Advanced VPN Client
As from this version, all components of the Advanced VPN Client are included in 64-bit versions. - New GUI for the credential provider, including the Hotspot authentication functionality.
For establishing the VPN tunnel prior to the Windows user authentication, it is now possible to do a Hotspot authentication on a re-designed GUI.
Bug-fixes / improvements
- Configuration of the VPN tunnel endpoint.
Multiple VPN tunnel endpoints can now be configured using their domain names. - Optimization of the DPD functionality
- FIPS-Inside
When installing from scratch or changing an existing configuration the FIPS mode can be enabled or disabled from within the installation routine. - Display of IPv6 connection information
IPv6 addresses are now displayed on the connection information page, too. - Enhancements within the Client Info Center
A new section with driver information has been added to the Client Info Center. For Windows 10 operating systems, driver version- and build number are now additionally displayed. - Improvements of the Hotspot functionality
The compatibility to Hotspot authentication pages has been extended.
Download the latest version of the LANCOM Advanced VPN Client for Windows here.
ECSE 4-Day Classroom Training Course
Become a master at deploying & troubleshooting Wi-Fi
Date – Monday 24th of September to Thursday 27th of September inclusive
Location – The Cliff @ Lyons www.cliffatlyons.ie
Cost – €2,295 per person
Trainer – Eddie Forero https://www.linkedin.com/in/heyeddie/
This 4-day course consists of classroom lectures and labs taught by Wi-Fi experts. Learn how to design, optimize, and troubleshoot better Wi-Fi using Ekahau products.
- Designed for Wi-Fi systems engineers, IT administrators, and other wireless professionals.
- Dive into all aspects of Wi-Fi life-cycle management including RF fundamentals, predictive designs, spectrum analysis, and much more
- Receive a highly regarded Ekahau Certified Survey Engineer (ECSE) certification after passing the certification exam
- Maximum of 12 people per class
Audience
This course and certification are designed for Wi-Fi systems engineers, IT administrators, and others working with Wi-Fi, who require an in-depth knowledge on how to deploy and maintain Wi-Fi networks using Ekahau Wi-Fi tools.
Content
Wireless LAN and RF fundamentals
- The life cycle of a Wi-Fi network
- How to design and deploy robust Wi-Fi networks
- Product installation & activation, basics
- Pre- and post deployment Wi-Fi site surveys
- Troubleshooting Wi-Fi issues
- Spectrum Analysis
- Reporting
- ECSE Certification Exam
Prerequisites
Students are expected to have the following skills & knowledge before attending this course:
- Basics of networking
- Strong general computer skills
- CWNA recommended (Not required)
- Windows laptop with Admin rights for installing software
Course Objectives
At the end of this course the student will hold expert knowledge in designing, deploying and troubleshooting Wi-Fi networks, using Ekahau Wi-Fi tools. The knowledge applies to all Wi-Fi network brands. A certification exam will be held at the end of the course.
Download ECSE training datasheet
Call us now on +353 (1) 4011064 or email training@ethos.ie to book your place.
LANCOM releases LCOS 10.20 Release Candidate 1
LANCOM Systems have recently released a preview of LCOS 10.20 and upcoming free firmware package for LANCOM APs, Routers, Central Site VPN Gateways and Wireless LAN Controllers. LCOS 1020 is currently offered as Release Candidate 1 and is not intended yet for production environments.
Feature-Highlight for the LCOS 10.20 RC1
- More Wi-Fi control – Individual Wi-Fi passwords for clients with LEPS-U and LEPS-MAC
- Best Wi-Fi – Top quality in the wireless network due to Client Management
- Always up to date – Automatic LCOS updates thanks to the Auto Updater
- More flexibility – Easy use of NAT in firewall rule
LEPS-U & LEPS-MAC
Keep control of who is in your Wi-Fi. With LEPS-U (LANCOM Enhanced Passphrase Security – User), individual clients or entire groups each receive a unique Wi-Fi password for an SSID. Using LEPS-MAC, you additionally authenticate the clients by their MAC address—ideal for secure corporate networks.
Client Management – for best-ever Wi-Fi
Client Management steers Wi-Fi clients to the best available access point and frequency band. This feature improves the quality of wireless networks of all sizes—whether they operate stand-alone or orchestrated by the LANCOM Management Cloud. The popular Band Steering and Client Steering, which so far were separate features, have now been combined and even operate without a WLAN controller.
Auto Updater – always up-to-date (Coming in LCOS 10.20 RC2)
The Auto Updater keeps your installations up-to-date automatically: If desired, LANCOM devices can search for new software updates, and download and install them without any user interaction. You can choose whether to install only security updates, release updates, or all updates automatically. If automatic updates are not desired, the feature can still be used to check for new updates, which can then be installed with a single click.
WAN Policy-Based NAT
WAN Policy-Based NAT allows an easy assignment of static WAN IPv4 addresses to desired services. Due to a NAT action in the firewall rules internal addresses are masked behind a WAN address from the Internet access provider. Ideal for scenarios e.g. for the operation of mail servers and web servers with different WAN addresses.
More Features
DSL bridge mode
VDSL routers now operate optionally in DSL bridge mode. This allows a device to work purely as a DSL modem. Ideal for scenarios where multiple DSL connections are operated on one router.
Even more flexibility for the LANCOM vRouter
The LANCOM vRouter now supports the Microsoft Hyper-V virtualization platform. Furthermore: Managing the vRouters is now even easier, because firmware updates are easy to import as a UPX file.
Layer-3 tunneling with the LMC
Entire Wi-Fi scenarios with overlay tunnels securely isolating the different networks can now be implemented with the LANCOM Management Cloud. As an alternative to the WLAN controller, layer-3 tunnels can now be established from the access point to a router also for LMC-based scenarios (based on L2TPv3). This allows traffic to be directed through an existing infrastructure (routers, switches) without the use of complex VLANs.
OCSP responder – more power for Smart Certificate
Maximum security with VPN access: Smart Certificate is the easy way to create digital certificates with your LANCOM device—without any need for an external certificate authority. This feature has now been extended to include the OCSP (Online Certificate Status Protocol) network protocol, which enables clients to automatically and efficiently query the integrated CA for the status of X.509 certificates.
LISP (Locator / ID Separation Protocol) support
The Locator / ID Separation Protocol (LISP) is a new routing architecture. LISP allows the implementation of highly scalable networks with an integrated routing protocol, tunneling, and overlays. Ideal for service providers or enterprise networks.
Public Spot CSV import
Public Spot management is now even easier: Hotspot users are easily imported and exported by text file (CSV).
Download
For more information and to download LCOS 10.20 RC1 to test please follow the link below.
https://www.lancom-systems.com/produkte/firmware/lcos-1020-rc1/
Ekahau Site Survey Version 9.1 – What’s New ???
Feature Summary
- macOS version is out of beta!
- Support for Ekahau Sidekick™
- Real-Time Frequency Monitor 2.0
- Improved UI look & feel
macOS version is out of beta!
ESS is now officially available for macOS, including simultaneous passive and active / throughput testing as well as spectrum analysis. Sidekick is the only supported external “adapter” for macOS, and GPS assisted surveys is still missing.
It’s been long, long, LONG time coming but it’s finally here! Ekahau Site Survey for macOS is now finally out of beta. “Out of beta” in this case means that macOS version is now feature complete and up to par* with its Windows counterpart. This in turn means that survey parts on macOS have been beefed up considerably and endless number of creases and wrinkles have been ironed out by our dev team.
The most worthwhile new features on the macOS version are the ability to do comprehensive passive surveys with the new Ekahau Sidekick™ and active surveys with the internal Wi-Fi adapter. No longer you need to attempt to do passive surveys with only the internal adapter and squint your eyes at the results while thinking “Maybe this’ll do?”.
Active surveying is also another critical growth spurt ESS macOS version had to take to measure up to its Windows version big brother. This covers both methods of active surveying: Ping and iPerf**. These features work exactly the same way as on Windows with all the usual functionalities and settings. However, we don’t have our iPerf server component (Ekahau Edition) yet properly converted to macOS version, so you might still want to set up the iPerf server on a Windows computer (at least if you’re using our Ekahau solution).
While Ekahau Sidekick™ is fully supported on macOS, unfortunately you cannot use the other external adapters (NIC-300 or SA-1) for passive surveys on that platform.
If you wish to experience the wonders of the macOS version for yourself, you can find it here: www.ekahau.com/download/ess
*”Remember when I said ‘up to par’ – I lied!” – GPS Survey is not supported on macOS
**Iperf support on macOS is this month’s bonus feature for you, our friends! However, the iperf implementation isn’t yet completely fine-tuned and doesn’t necessarily work on all macOS setups. We’ll be sure to work on it some more in the future releases!
Support for Ekahau Sidekick™
Ekahau Sidekick is the first ever Wi-Fi site survey device, and houses 2x enterprise-grade Wi-Fi adapters and an outstanding spectrum analyzer. It’s what we highly recommend for site surveys and troubleshooting – whether on macOS or Windows.
Ekahau Sidekick™ is our brand spanking new device for all your site survey and troubleshooting needs and a perfect companion for ESS. This lovely rectangle of a device boasts two high-quality 802.11ac Wi-Fi adapters, which allows you to perform high-quality passive surveys. This square-shaped powerhouse also houses a state-of-the-art dual-band spectrum analyzer, which offers spectrum results with unparalleled speed and resolution.
Ekahau Sidekick™ packs all these capabilities into one conveniently sized and easy-to-carry solution. You no longer need to turn your computer into a sci-fi movie prop with multiple different adapters and dongles sticking out of it, but instead you can just plug in one single device with all the needed functionalities. This is Plug & Play at its simplest and most refined form.
Ekahau Sidekick™ also finally allows you to do full passive and spectrum surveys on Mac as well, if that would be your platform of choice.
If this piqued your interest, you can find more about Ekahau Sidekick™ and its features from here: https://www.ekahau.com/products/sidekick/overview/
Real-Time Frequency Monitor 2.0
With the launch of Sidekick, we also wanted to beef up our Real-Time Frequency Monitor feature, so we added zooming, better customizability and more.
In addition to other heavy hitters, we’ve also given our Real-Time Frequency Monitor a substantial upgrade. Part of upgrades are about making this feature optimized for the AWESOME POWER of Ekahau Sidekick™ – all the awesomeness does take its toll on the computer. However, some of the upgrades are readily visible for the users.
Frequency Spectrum view has been now equipped with various new settings to let you decide what you want to see in this view and how you want to see it. Want to see spectrum in all its glory without Wi-Fi lines scribbled all over it. Done. Spectrum sweep averages with point density? Can do.
With the introduction of Ekahau Sidekick™, the spectrum scans are now much more detailed and higher resolution. This means that the finer details of results can get lost when viewed across the entire Wi-Fi spectrum. That’s why we have now also implemented zooming for Frequency Spectrum view, so you can drill down to finer details more easily. 2.4Ghz band has two zoom levels and 5Ghz band has three zoom levels.
If you’re using multiple screens with ESS or you are just tired of RTFM hogging half of the space on your main window, you’ve probably already discovered detaching RTFM into its own window. If this is a new feature for you, just click the odd icon next to the black arrows on the right side of the screen to make it happen.
In ESS 9.1.0 we have given this separate RTFM window a complete overhaul and added a fistful of customizability into the mix! You can now freely select which views you want to use on the detached RTFM window – just click the dots in the corner of the view to start!
Improved UI look & feel
Minor facelift.
Last but not least – well, maybe in this tough crowd – we’ve also given ESS user interface a proper dusting and a new paint job. As part of our changes, we also aimed to modernize and streamline the UI look and feel. Additionally, we’ve also made an effort to make Windows and Mac versions feel and look as similar as possible for consistent experience.
Don’t worry, we’ve not maimed ESS so it’s unrecognizable or anything. You’ll be able to find all the features in more or less in their familiar places, but the presentation is now less 2004 and more 2018.
That wraps up the new stuff in ESS 9.1.0! You can find more details in our release notes, if you wish to delve deeper in what we’ve been up to.
We’re always eager to hear more from you, folks! The easiest way to give us a shout are the following: @ekahauin Twitter or through our Support portal
Have fun!
Hannu Saarinen
The New Product Guy
Disabling SSLv3 & early TLS for PCI DSS compliance
PCI Compliance – SSL the time to migrate is now.
For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely-used encryption protocols ever released, and remains in widespread use today despite various security vulnerabilities exposed in the protocol. SSL/early TLS was removed as an example of strong cryptography in PCI DSS v3.1 (April 2015).
SSL v3.0 was superseded in 1999 by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. Now SSL & early TLS no longer meet minimum security standards due to security vulnerabilities in the protocol for which there are no fixes. It is critically important that entities upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.
PCI Compliance – How should businesses respond.
The best response is to disable SSL entirely and migrate to a more modern encryption protocol, which at the time of publication is a minimum of TLS v1.1, although entities are strongly encouraged to consider TLS v1.2 as not all implementations of TLS v1.1 are considered secure.
PCI Compliance – How do I ensure SSLv3.0 is disabled on my LANCOM router.
- If the router has a minimal configuration, upgrade the router to at least LCOS 8.84RU4 or 9.00RU3 (we recommend latest LCOS 10.12RU2 if router is capable), then factory default the router and configure from scratch.
- If the router has an extensive configuration we again recommend to update to the latest firmware possible and then apply the appropriate script found on LANCOM knowledge-base here.
PCI Compliance – Will disabling SSLv3.0 mean LANCOM routers pass PCI DSS compliance scans?
Yes but PCI DSS compliance scans from Approved Scanning Vendors check more than just SSLv3. After June 30, 2018, all entities MUST have stopped use of SSL & early TLS as a security control, and use only secure versions of the protocol. Failure to comply with this instruction will impact ASV scan results and will ultimately negatively impact on PCI compliance. A document on the PCI DSS requirements regarding SSL & early TLS can be read here.
For the convenience of LANCOM resellers looking to future proof their customer’s SSL/TLS settings, as well as pass PCI DSS testing now and into the future, we have formulated a script that will disable every instance of SSL v3.0, TLS v1.0 and TLS v1.1 leaving only the latest TLS v1.2 enabled. This script also locks down other security algorithm settings to ensure LANCOM routers will pass PCI DSS compliance scans.
- Disables SSLv3.0,
- Disables TLSv1.0
- Disables TLSv1.1
- Disables RC4-40, 56, & 128 Crypto-Algorithms
- Disables DES, DES40 & 3DES Crypto-Algorithms
- Disables 3des-cbc & 3des-ctr Cipher Algorithms
- Disables Arcfour, Arcfour 128 & Arcfour 256 Cipher Algorithms
- Disables Blowfish-cbc & Blowfish ctr Cipher Algorithms
- Disables hmac-md5 & hmac sha1 MAC Algorithms
- Disables DH Group 1 & 14 Key Exchange Algorithms
- Disables Diffie Hellman Groups 1 & 5
- Disables *ALL WAN remote access except for SSH
*Note HTTPS WAN remote access can be enabled if a valid SSL certificate from a trusted Certificate Authority is loaded into the router. Even with HTTPS disabled you can still fully manage a LANCOM router over SSH Port 22 using the latest version of LANconfig and the CLI.