Our organization has a legacy F5 FirePass SSL VPN product that is approaching its end-of-life date. F5 Networks isn't ending technical support until 2019, but the "end-of-software development" date is October 2015. Does "end-of-software development" mean software patches won't be released after that date? Should we expedite our migration off of the platform as a result?
As traditional security products start to show their age, the end-of-life dilemma seems to be impacting enterprises more and more. And it's a real one, given what's at stake in terms of security. Still, that doesn't seem to change many people's ways, with Windows XP still running on about 12% of computers.
F5 Networks Inc. states on its website that "F5 maintains generous lifecycle policies that allow customers to enjoy many years of both support and new software releases." This is good -- until the patches stop coming. The way I understand it, that is indeed occurring this coming October. According to F5, its end-of-software development marks the end of the "regular support" phase and the beginning of the "extended support" phase, during which the development "has ceased considering the repair/maintenance of confirmed software/firmware defects for the designated platform or software release." In other words, you'll still get tech support, but any security flaws will likely not be addressed, although I have seen exceptions to this by vendors in the past if the vulnerability is bad enough.
In my work performing vulnerability scans, penetration tests and product security assessments over the years, I've found that F5 products have minimal security vulnerabilities. A search for "FirePass" in the National Vulnerability Database reveals 18 flaws over the past decade, with none in the past couple of years. However you read that, it doesn't mean you can just ignore the problem. You need to consider what vulnerabilities might exist in the product -- as deployed in your environment -- at this point in time, which ones might crop up after October 2015 and any compensating controls you might be able to put in place. After careful consideration, you might find that it's simply time for an upgrade.