Irwin Gaines

You have been using your laptop or desktop on the Fermilab network for several years, operating safely and securely. But all of a sudden, one morning your machine is blocked and you can no longer connect to the network. What’s up? The key could be the “several years” mentioned above. Versions of Windows, Mac and other operating systems are declared “end-of-life” by the software vendors, typically after three years of service. Such systems are not permitted on the lab network.

Why? Obviously, such end-of-life systems do not instantly become insecure on the date declared by the vendor. However, after that date, the vendor no longer supports such systems and, in particular, will not provide any patches to fix newly discovered security vulnerabilities. Since current operating systems typically receive several required patches each month, and since unpatched systems can be exploited within minutes of discovery of new vulnerabilities, we cannot afford to allow end-of-life systems to remain on our lab network. (Furthermore, we are regularly scanned by external organizations that will identify and flag us if they detect end-of-life systems on our networks.)

This is especially relevant now because Mac OS 10.9 (Mavericks) was declared end-of-life by Apple on Dec. 1. Users of systems running this version were repeatedly warned during the weeks leading up to this date, but as of Dec. 1, any systems that had not been updated to newer versions were blocked. Note that these rules apply both to laboratory-owned and laboratory-managed machines (which ordinarily will have their systems scheduled for software upgrades by support staff) and to personally or university-owned and managed systems.

What can you do if you are using such a machine?

  1. Try to ensure that you upgrade to current software before its end-of-life date. The Service Desk can help you.
  2. If some particular software requires you to stay at the obsolete version, you must configure your system to use the “guest” network instead of the regular lab “fgz” network by changing the Service Set Identifier (SSID) of the network your machine connects to. This guest network is segregated from the regular network, so we can allow obsolete systems there. However, you will have the same level of connection to the rest of the lab that you would have from any external internet connection.
  3. If you have already been blocked from accessing the Fermilab network, you must not only move to the guest network, but also remediate the blocking event. Again, the Service Desk can help with this.

Irwin Gaines is the Fermilab chief security information officer.