End-of-life network blocking: not just for desktops anymore

Irwin Gaines

Art Lee

Most of you are familiar with the regular process of updating operating systems and applications. These patches deliver new and improved features and fix various bugs as they are discovered. It is vital that security patches are applied as quickly as possible so systems are not left vulnerable to exploitation.

Over time, vendors drop support for older versions of their software and no longer deliver upgrades or vulnerability patches for these obsolete versions. Once that happens, you should upgrade to the most current operating system version.

Systems for which support has been dropped are known as “end-of-life systems,” and these are not allowed on the lab network. This policy applies not only to Mac and Windows laptops, desktops and servers (for which the current and end-of-life systems are well-publicized), but also to tablets, phones and any other devices that connect to the internet. Until recently, end-of-life phones and tablets were not blocked at the lab, but given the prevalence of malicious software attacks against such devices, we must begin blocking these devices just as we have been doing for Mac, Windows and Linux systems for some time.

How does this affect you?

  • For centrally managed systems (most lab-owned Mac, Windows and Linux devices), patches and upgrades are applied automatically; you simply need to reboot when a patch requires it. Also, when the operating system is declared end-of-life, you need to cooperate with the full system upgrade. This may require upgrading or replacing the hardware as well, since older hardware may not be capable of running the latest operating system software versions.
  • For noncentrally managed systems (including all personally owned devices), you are responsible for getting patches and system upgrades applied. Any device that is found by our regular scans to be running end-of-life operating systems will be blocked from connecting to the laboratory network (the fgz wireless network and all wired connections). It is too dangerous to allow such systems on our network; unauthorized attackers can exploit vulnerabilities in outdated systems as soon as they are discovered.
  • If you are running legacy software that won’t be able to function if you upgrade your operating system, you can temporarily move your system to the wireless guest network. But be aware that the guest network does not have full access to all lab resources and does not allow you to offer any services to the internet. If you need your device to be visible from outside Fermilab, you must be running up-to-date software. If specific exploits are discovered for obsolete systems, those systems will be banned from the guest network. Replace legacy systems with up-to-date hardware and software as soon as possible. Keeping your systems up-to-date, even if you have to replace hardware, is part of the cost of doing business.

For current lists of allowed and disallowed versions of operating systems, visit the Cybersecurity website, security.fnal.gov.

Irwin Gaines is the Fermilab chief security information officer. Art Lee is the threat management and incident response leader in the Office of the CIO.