Tech Tip: Maintain secure legacy systems

Find out why you should maintain secure legacy systems.

By Jonathan Yarden

As most IT pros are painfully aware, keeping legacy computer systems, operating systems, and applications updated isn't as simple as it sounds. But the costs of not keeping systems up to date are alarmingly simple: Eventually, someone or something will crawl into a system and cause a problem.

There's always the chance that patches and updates will end up breaking something else, and working with legacy systems can cause even more problems. Supporting a long-outdated operating system or application when facing the ever-present issue of not being able to get patches or updates presents a constant challenge.

I've seen a large number of "orphaned" computer systems in companies, with no backups or manuals and running on ancient hardware. Nobody really knows what some of these systems do, but if one of them croaks, it means LAN users can't get to the mainframe, or the voice mail system doesn't work, or some other crisis. Try hunting for original Xenix disks some time.

Virtual machine software allows one physical computer to operate as multiple "virtual" computers, and each is able to operate completely isolated from the others. Virtual machines can consolidate multiple legacy systems using outdated (and possibly insecure) software onto one physical machine. More important, the virtual "hard drives" for these virtual systems are just regular files, which you can restore quickly in the event of a serious problem.

Old operating systems and applications don't always go away rapidly. I'm not surprised to see ancient copies of OS/2, SCO UNIX, Novell NetWare, Windows NT 3.5, and even Xenix still used in production environments. Many of these systems are unpatched and remain completely open for intrusion. If a corporate network is broken into—and they are all the time—these machines are sitting ducks.

This is where the idea of a virtual machine makes fantastic sense. Many people have faced the ordeal of reinstalling entire systems after an exploit, crash, or a patch or update caused an application to fail.

This is one reason organizations frequently use virtual machine software to set up honey pots for the express purpose of attracting hackers and figuring out how they broke in. You can take the compromised virtual machine "offline" and analyze it while booting up a fresh machine to take its place. It's much faster than reinstalling a completely new honey pot—and considerably cheaper.

Then there's the case when someone exploits a production system running on a virtual machine, or the system fails to operate properly after you apply an update. If you created a backup copy of your virtual computer hard drive (which is a file) before the exploit or botched update, you could quickly return the system to operation and perhaps diagnose the problem in another virtual machine. This could feasibly return a system to operation in minutes instead of hours, while still allowing you to investigate the issue.

Two companies that offer products for implementing virtual machines in this fashion are VMware and Connectix. While I'm more familiar with VMware's product, Connectix's Virtual PC looks compelling. Both of these packages enable you to split a single physical computer into multiple virtual computers, which just might save you a lot of time and trouble when—not if—an older legacy system is broken into or decides to bite the dust.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Editor's Picks

Free Newsletters, In your Inbox