Managing Legacy systems
I attended a webinar recently which was talking about the move from physical to virtual servers in large corporations. The analogy used was that today, approximately 70% of all servers can be virtualised very quickly, but the remaining 30% can take several years of effort. Hypervisor vendors are working hard to sort this problem out, but the interesting finding was that a large section of that problematic 30% of servers are running legacy applications or are indeed legacy operating systems.
This is odd as you would think that any IT operations person would want to migrate a legacy server from physical to virtual hardware as soon as humanly possible.
Legacy systems are still around for a few reasons.
2 Applications cannot be modified to work on newer OS platforms
3 Software Developers have long since left the company ( relates to point 2)
4 Legacy systems are connected to business critical servers, with little or no downtime allowed.
5 Systems have been stand-alone, or deployed in segregated networks
6 They run just fine Thank you very much, why upgrade at huge expense or business risk?
7 Security tools can sometimes eat resources on older hardware and platforms, affecting overall performance
8 IT security did not want Hypervisors being used in exposed networks, such as DMZ, so physical systems ruled the day which meant the legacy systems lived on.
There are some key security principles being broken in that list as we can all see, but let me highlight just a few;
-Unpatched and legacy systems are prime targets for hackers, as native security features are non-existent or have very well-known exploits that are difficult to defend against.
-Legacy operating systems are no longer supported by most Security tools including Endpoint protection products, client firewalls and Host intrusion prevention or detection products
-Stand-alone systems are more likely to be updated by USB drives than any other media.
For those sites where they have migrated some legacy applications, Virtualisation has effectively extended the system lifecycle significantly. Whereas previously, servers were upgraded in 3 or 5 yearly schedules that related to hardware warranty cycles, this problem no longer exists, so the justification of upgrading from Windows 2003>2008 for example can sometimes be hard to swallow; servers can be forgotten about after the virtualisation process has completed.
So how can Symantec help with these legacy systems?
Fortunately Symantec Critical System Protection (CSP) still works with many legacy operating systems. In fact a recent CSP release actually added a feature (EMP Enhanced Memory Protection) that specifically applies to legacy 32bit operating systems like Windows XPSp2/3, Windows 2000SP4,Windows 2003 Sp1/Sp2, Windows 2003R2 Sp1/Sp2, Windows Xpe.
On the Windows front, we support NT4, XP, 2000, and 2003 for example which are still in frequent use today ( especially Windows XP and XP embedded). But platform support (see here http://www.symantec.com/business/support/index?page=content&id=DOC6408&key=52463 ) is not the only reason customers choose this product on older systems. CSP also has very low performance overhead compared to most other products on the market, with CPU overhead figures between 1-6% and using as little as 25MB of RAM. I recently installed a CSP agent on a Windows NT4 server with 192 MB of total system RAM using a Pentium 3 500mhz CPU, and it works well with little or no impact to the running applications or OS.
CSP can also lock down these legacy systems reducing or even removing the requirement for patching, assuming that patches are just not available any more. In some cases CSP will prevent costly downtime and reduce the risk of breaches due to server misconfiguration. Protecting the OS and applications from memory based attacks, stopping devices like USB keys from being used inadvertently, and limiting access to critical configuration files or sensitive data is all still achievable on these legacy systems using CSP.
CSP can also be used to secure management layers within Virtualisation infrastructures to ensure that the correct tools are being used by the correct administrators or engineers, and it can secure critical configuration files such as SSL keys too. Symantec also has a tool called Virtualisation Security Manager, a component of our Control Compliance Suite (http://www.symantec.com/theme.jsp?themeid=control-compliance-suite-virtualization-security-manager ), which effectively acts as a security and administration “proxy” between your administrators and the management servers- great for enforcing security controls and for auditing and monitoring usage.