Our organization has a legacy F5 FirePass SSL VPN product that is approaching its end-of-life date. F5 Networks isn't ending technical support until 2019, but the "end-of-software development" date is October 2015. Does "end-of-software development" mean software patches won't be released after that date? Should we expedite our migration off of the platform as a result?
As traditional security products start to show their age, the end-of-life dilemma is affecting more and more enterprises. And it's a real dilemma, given what's at stake in terms of security. Still, that doesn't seem to change many people's habits: Windows XP is still running on about 12% of computers.
F5 Networks Inc. states on its website that "F5 maintains generous lifecycle policies that allow customers to enjoy many years of both support and new software releases." This is good -- until the patches stop coming. The way I understand it, that is indeed occurring this coming October. According to F5, its end-of-software development marks the end of the "regular support" phase and the beginning of the "extended support" phase, during which development "has ceased considering the repair/maintenance of confirmed software/firmware defects for the designated platform or software release." In other words, you'll still get tech support, but security flaws found after that date will likely not be fixed. I have seen vendors make exceptions to this in the past, though, if the vulnerability is bad enough.
In my work performing vulnerability scans, penetration tests and product security assessments over the years, I've found that F5 products have minimal security vulnerabilities. A search for "FirePass" in the National Vulnerability Database reveals 18 flaws over the past decade, with none in the past couple of years. However you read that, it doesn't mean you can just ignore the problem. You need to consider three things: what vulnerabilities exist in the product today, as it is actually deployed in your environment; which ones might surface after October 2015, when a vendor fix can no longer be assumed; and what compensating controls you could put in place for the ones that will never be patched. After careful consideration, you might find that it's simply time for an upgrade.
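One way to operationalize that assessment, as an added example that is not part of the original answer: a small Python script that takes an asset inventory with its vendor lifecycle dates and a list of published vulnerabilities, and tells you which vulnerabilities the vendor can still be expected to fix and which ones fall into the extended-support or unsupported window and will need a compensating control or a migration. The product name, lifecycle dates, record layout and vulnerability IDs are all constructed for illustration (the IDs are placeholders, not real CVEs, and the record shape is the script's own, not the NVD feed format).

```python
"""Lifecycle-aware vulnerability triage.

Added example, not from the original article. Given an inventory of
appliances with their vendor lifecycle dates and a list of published
vulnerabilities, work out which vulnerabilities the vendor can still be
expected to fix and which ones you will have to mitigate yourself because
they were published after end-of-software-development.

All product names, dates and vulnerability IDs are constructed; the
record layout is this script's own, not the NVD feed format.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    name: str             # hostname or inventory tag
    product: str          # vendor product string, matched exactly against vuln records
    end_of_sw_dev: date   # vendor stops fixing defects on or after this date
    end_of_support: date  # vendor stops providing any support on or after this date


@dataclass
class Vuln:
    vuln_id: str
    product: str
    published: date
    cvss: float


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    phase_at_publish: str  # lifecycle phase the product was in when the vuln went public
    action: str


def lifecycle_phase(asset: Asset, on: date) -> str:
    """Classify a date against the vendor's lifecycle for this asset."""
    if on < asset.end_of_sw_dev:
        return "regular"       # defects still get fixed
    if on < asset.end_of_support:
        return "extended"      # tech support only; no code fixes expected
    return "unsupported"


ACTIONS = {
    "regular": "apply vendor fix",
    "extended": "no fix expected: compensating control or migrate",
    "unsupported": "no vendor support: migrate",
}


def triage(assets, vulns, as_of):
    """Pair each asset with the vulns for its product that are public as of `as_of`
    and decide the expected remediation path for each one."""
    findings = []
    for asset in assets:
        for v in vulns:
            if v.product != asset.product or v.published > as_of:
                continue
            phase = lifecycle_phase(asset, v.published)
            findings.append(Finding(asset.name, v.vuln_id, v.cvss, phase, ACTIONS[phase]))
    # Least-fixable first, then highest severity first.
    order = {"unsupported": 0, "extended": 1, "regular": 2}
    findings.sort(key=lambda f: (order[f.phase_at_publish], -f.cvss))
    return findings


def unfixable_count(findings):
    """Vulns the vendor will not patch: the number that drives the migration decision."""
    return sum(1 for f in findings if f.phase_at_publish != "regular")


# Constructed inventory: one appliance whose software development ended on
# 2015-10-01 and whose technical support ends on 2019-01-01 (illustrative dates).
ASSETS = [
    Asset("vpn-gw-01", "ExampleVPN 7", date(2015, 10, 1), date(2019, 1, 1)),
]

# Constructed vulnerability records; the IDs are placeholders, not real CVEs.
VULNS = [
    Vuln("EXAMPLE-2014-0001", "ExampleVPN 7", date(2014, 3, 15), 6.5),
    Vuln("EXAMPLE-2016-0002", "ExampleVPN 7", date(2016, 6, 2), 9.8),
    Vuln("EXAMPLE-2019-0003", "ExampleVPN 7", date(2019, 5, 20), 7.5),
    Vuln("EXAMPLE-2017-0004", "OtherProduct 1", date(2017, 1, 1), 5.0),
    Vuln("EXAMPLE-2020-0005", "ExampleVPN 7", date(2020, 2, 1), 8.1),  # not yet public as of AS_OF
]

# Date the assessment is run (constructed).
AS_OF = date(2019, 12, 31)

if __name__ == "__main__":
    results = triage(ASSETS, VULNS, AS_OF)
    for f in results:
        print(f"{f.asset} {f.vuln_id} cvss={f.cvss} phase={f.phase_at_publish}: {f.action}")
    print(f"vulns with no vendor fix expected: {unfixable_count(results)}")
```

The phase is judged by the vulnerability's publication date rather than today's date, because that is what determines whether it fell inside the window in which the vendor was still committed to fixing defects. Anything that lands in the extended or unsupported phase is, for planning purposes, a permanent finding against that asset.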
Related Q&A from Kevin Beaver