Recently I had the opportunity to work on a security problem. One firewall cluster member had failed and needed to be rebuilt. While typically not an issue, an additional challenge was that the software in use was so old that it was no longer available. In the end, it was absolutely necessary to use this old software, as an entire environment had been built with it. Eventually we were able to find a copy of the software and major disaster was averted, but it made me wonder if maybe, just maybe, we are doing them a DISservice by providing it.
This software has documented vulnerabilities, and because it is so old and no longer supported, these vulnerabilities will NOT be patched or fixed.
So it made me wonder: by providing known-vulnerable software, are we not doing them a disservice? If we were talking about client software like an internet browser or word processor, I probably would not think so, because there is other software that can help deal with those vulnerabilities, such as the anti-malware software on your desktop. But we're not dealing with simple client-side software... We're talking about perimeter network security. This is the software that keeps your network safe from intrusion and compromise.
Let's put this in perspective if you're not sure you fully follow me...
Imagine this software is like... a door and a bouncer to your club (network). Now the task of the door is to keep unwanted people out, and the bouncer is to allow wanted people to go through the door. In a perfect world, only those you truly allow in will be allowed in.
Now in reality, technology is rarely so perfect. Despite all attempts to avoid them, vulnerabilities are inevitably found and exploited in software. Typically, these are found and subsequently patched in rather short order. But every now and again, something major, with major implications, is found. Recently this was demonstrated with the Heartbleed and POODLE vulnerabilities.
To go back to our bouncer and club, this would be the equivalent of someone finding the password and combination for the safe, along with the guest list. And to top it off, you would have no way of verifying whether or not the list has been altered.
At what point, as a provider of a service or product, do we stop providing legacy support?
So many times I see an environment, created over a decade ago, where NOTHING has been updated. Seriously? This blows my mind. How they managed to come so far for so long without any problem forcing an upgrade is a miracle in and of itself.
At what point do you say, "Yes, I know upgrading an entire environment will be difficult. Yes, because you have done absolutely no maintenance in the past decade it will be complicated to an epic scale, but you made your bed, you sleep in it; upgrade"?
But in this day and age, the sales and procurement teams, those who ultimately make the decisions, and those who have to actually do the work are very rarely all on the same page. Those making the decisions want a perfect, maintenance-free solution, the sales team promises it, the procurement team buys it, and those working with it are left to deal with the consequences. This, unfortunately, leads to very large security gaps, which ultimately WILL be exploited if left alone.
So, by providing this old software and essentially aiding in the complacency, are we not doing more harm than we would by forcing an upgrade to more secure software?