Welcome to the inaugural technical blog series for TGA.
Our first blog will be Part 1 of a 3-part series to cover one of the most hotly debated topics between IT and management: When should we upgrade?
As we contemplated subjects for our first post, this topic just seemed to jump out at us after we discovered equipment that was still in continuous use since 1999! Because this is such a broad topic in many respects, we will divide it into three parts. First, we will cover software, next we will move on to hardware, and we will conclude with a review of Cisco’s End-of-Sale notice. We will present examples of specific software, hardware and EoX documents along with definitive reasoning that will arm you with the information you will need when it is time to discuss this subject with management.
Part 1 – The Software Upgrade
We will start our series with the software upgrade. Often the software itself costs nothing extra: it is covered by an annual manufacturer support contract or, in some cases, is free without a contract, so the only costs are labor and time. This is where the decision to upgrade becomes difficult. The downside considerations include the after-hours labor, the downtime and getting end-user acceptance. So WHY do we go through all that effort to upgrade? Typically, the reasons for any upgrade are simple:
- To resolve a software bug – either to fix a failure or to correct security vulnerabilities of a critical nature
- To add a new functionality provided by the new software version, or a software performance enhancement provided by newer software
- To maintain support from the vendor (More on this in Part 3 of this series!)
- Staying current for critical devices
Of these four common upgrade scenarios, the security hole is the most difficult to gauge. And often, the challenge of the security vulnerability is the knowledge of its existence. To combat this situation, security notices involving critical bugs can be received from numerous sources. A few examples are: Cisco Product Security Incident Response Team emails, Security Tracker, and Microsoft Security Notification Services. Every security risk MUST be individually assessed as to the impact it has on your network and configuration. Cisco offers security patches for FREE without a SMARTNet support contract. In the event that your device is not under a support contract and is not end of support (often called EoX – for End of Sale/Life/Support) your Cisco partner can provide these security patches as can a Cisco TAC engineer.
Here are a few links to help you get started:
Security Tracker offers a free weekly email and a daily paid-for premium notification service. Both services cross all vendors and products.
Cisco offers email notifications, an RSS feed and a Web-based software checker. All of these are free services.
Microsoft offers multiple levels of notification from monthly to “timely” notices. All of these are free services.
Vendor support, or the end of vendor support for Version X, is often seen as a weak consideration for an upgrade. However, this should be looked at from two standpoints. First, how critical to the operational security and effectiveness of your organization is the device? Can a security compromise of this device shut down business operations or compromise the security of the organization? Due to all the recent security breaches at large corporations, this has been getting a little more attention lately. Firewalls, WAN routers, IPS sensors, VPN appliances, and wireless elements all fit in a critical security infrastructure category. Second, if there is a problem and you don’t upgrade, will you be able to get any support? Vendors will set an end-of-support date and, after that date, the answer to most – and often ALL – problems is “upgrade to Version X and then we can help you.” Even if your consultant will support you, if they hit a roadblock and have to call the vendor, a mandatory upgrade will be required.
Staying current is a melding of reasons 1 and 2. Consider a border firewall or an Internet Edge router. This is one subset of devices where the current software versions are a double-edged sword. Staying current will help prevent problems from known security vulnerabilities, and conversely, will have you on the cutting edge of newer software with new bugs and vulnerabilities. This all adds up to making critical devices a whole category for upgrades. Would you run a firewall on 3-year-old software? To address this, a periodic reading of release notes and review of known bugs and security issues are highly recommended! Enter the Cisco IOS Software Checker for IOS devices. (http://tools.cisco.com/security/center/selectIOSVersion.x)
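The two checks described above – is the running version below the first fixed release of each advisory, and is the software older than the age you are willing to tolerate on a critical device – are easy to automate once you have the notices in hand. The script below is an added example written for this post; it is not code from TGA or from Cisco. The `show version` text, the advisory list and the advisory ids are all constructed placeholders, and the first-fixed release for each advisory is assumed to be something you have already pulled from the vendor notice. It only compares releases within the same IOS train; an advisory for a different train is reported as unknown, because rebuild numbers are not comparable across trains and that case belongs to the vendor's software checker.

```python
import re
from datetime import date, datetime

# Constructed sample of `show version` output (not taken from the original post).
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 26-Feb-13 23:14 by prod_rel_team
"""

# Constructed advisory records with placeholder ids. In practice each entry is
# transcribed from a vendor security notice: the affected train and the first
# release in that train that carries the fix.
SAMPLE_ADVISORIES = [
    # (advisory id, affected train (major, minor, train letter), first fixed release)
    ("ADVISORY-PLACEHOLDER-A", (15, 2, "M"), (15, 2, 4, "M", 5)),
    ("ADVISORY-PLACEHOLDER-B", (15, 2, "M"), (15, 2, 4, "M", 2)),
    ("ADVISORY-PLACEHOLDER-C", (15, 1, "T"), (15, 1, 4, "T", 9)),
]

# Matches strings such as "Version 15.2(4)M3" -> 15, 2, 4, "M", 3.
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)([A-Z]+)?(\d+)?")
# Matches "Compiled Tue 26-Feb-13 23:14 ..." and captures the date portion.
COMPILED_RE = re.compile(r"Compiled \w{3} (\d{2}-[A-Za-z]{3}-\d{2})")


def parse_ios_version(text):
    """Return (major, minor, maintenance, train, rebuild) from `show version` text."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no IOS version string found")
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), train or "", int(rebuild or 0))


def parse_compile_date(text):
    """Return the image compile date; used as a proxy for the software's age."""
    m = COMPILED_RE.search(text)
    if not m:
        raise ValueError("no compile date found")
    return datetime.strptime(m.group(1), "%d-%b-%y").date()


def assess_device(text, advisories, as_of, max_age_years=3):
    """Classify each advisory for this device and flag software older than max_age_years."""
    version = parse_ios_version(text)
    train = (version[0], version[1], version[3])
    result = {"version": version, "affected": [], "not_affected": [], "unknown": []}
    for adv_id, affected_train, first_fixed in advisories:
        if affected_train != train:
            # Different train: rebuild numbers are not comparable, defer to the vendor checker.
            result["unknown"].append(adv_id)
        elif version < first_fixed:
            result["affected"].append(adv_id)
        else:
            result["not_affected"].append(adv_id)
    age_days = (as_of - parse_compile_date(text)).days
    result["age_days"] = age_days
    result["older_than_max_age"] = age_days > max_age_years * 365
    return result


if __name__ == "__main__":
    report = assess_device(SAMPLE_SHOW_VERSION, SAMPLE_ADVISORIES, as_of=date.today())
    print("running version:", report["version"])
    print("affected by:", report["affected"])
    print("needs vendor checker (other train):", report["unknown"])
    print("software age in days:", report["age_days"],
          "(over limit)" if report["older_than_max_age"] else "")
```

Run it against the saved output of `show version` from each critical device and keep the advisory list in version control next to it; the "unknown" bucket is the reminder that the script is a first pass, and anything it cannot classify still goes through the vendor's software checker and an individual impact assessment.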
We have explained why upgrading is critical, and mentioned a few notification services. In our next article we will cover hardware upgrades and how they can merge with a software upgrade.