Legacy systems have been a popular topic here recently (see http://isc.sans.org/diary.html?storyid=7528 and http://isc.sans.org/diary.html?storyid=7546). Any environment of sufficient size, complexity or age will have its share of legacy systems. While we can work with policy and management to phase them out, in the meantime one has to deal with the fact that they’re on the network and vulnerable, which makes your network vulnerable. Does it have to be that way?
Kevin Liston 292 Posts ISC Handler Nov 8th 2009
I recently thought of creating a hard disk image of a legacy UNIX system and trying to run it under full platform virtualisation, e.g. qemu.

I believe qemu creates a virtual network interface in the Linux host system. That offers a lot of flexibility in what network traffic, if any, you can allow to reach the virtualised legacy system, and how: e.g. iptables NAT for some/all ports, or service-specific proxy applications running on the host, e.g. squid/nginx/apache for HTTP(S), relaying mail servers for SMTP, perdition for IMAP, or SSH accounts as a front-end to telnet. These may apply access control, or simply 'sanitise' incoming traffic.

This idea would only work if you can emulate all the necessary hardware for the legacy system to function, and if the legacy system's OS supports that virtualised hardware. But if all goes well, your legacy system may perform better than before (if the host system's performance is greater than the legacy system's after any performance hit due to virtualisation). And there are numerous other benefits: safety against the legacy system's hardware failing; being able to create snapshots of the virtualised legacy system's state for backup; or being able to run additional instances of the legacy system in isolation for safe testing.

I'd also like to suggest 'arpwatch' as a nice way to detect the devices on your network, including the legacy devices that you or your client may have forgotten about.
Steven C. 171 Posts Nov 8th 2009
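Host-side scaffolding for the setup described in the comment above, as an added example that is not code from the thread, from qemu or from iptables documentation. It puts the legacy guest on a host-only tap, prints an iptables allow-list in which only explicitly listed TCP ports are DNATed in and everything else bound for the guest is logged and dropped, and prints the qemu command line. The names tap0, eth0, 10.99.0.0/24, ports 80 and 25 and legacy.img are assumptions; the guest's own network configuration must use the host tap address as its default gateway for the DNATed replies to come back through conntrack.

```sh
#!/bin/sh
# Added example (not code from the ISC thread or its commenters). A host-side
# wrapper for a legacy guest under qemu on a host-only tap, with iptables
# admitting only an explicit list of TCP ports. Every name and address below
# is an assumption for illustration.
set -eu

TAP_IF="${TAP_IF:-tap0}"                 # tap the guest NIC is attached to
HOST_TAP_IP="${HOST_TAP_IP:-10.99.0.1}"  # host end of the private /24
GUEST_IP="${GUEST_IP:-10.99.0.2}"        # address the legacy OS is configured with
EXT_IF="${EXT_IF:-eth0}"                 # interface the rest of the network sees
IMG="${IMG:-legacy.img}"                 # raw image copied from the old disk

# Print the commands that create the host-only tap and enable forwarding.
gen_tap_setup() {
    printf 'ip tuntap add dev %s mode tap\n' "$TAP_IF"
    printf 'ip addr add %s/24 dev %s\n' "$HOST_TAP_IP" "$TAP_IF"
    printf 'ip link set %s up\n' "$TAP_IF"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# Print iptables rules for the allow-list in $1 (space-separated TCP ports).
# Order matters because -A appends: established flows first, then one ACCEPT
# and one DNAT per listed port, then log-and-drop for anything else headed
# to the guest, and a flat DROP on traffic the guest tries to originate.
gen_rules() {
    ports="$1"
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for p in $ports; do
        printf 'iptables -A FORWARD -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$TAP_IF" "$GUEST_IP" "$p"
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$EXT_IF" "$p" "$GUEST_IP" "$p"
    done
    printf 'iptables -A FORWARD -o %s -j LOG --log-prefix "legacy-drop: "\n' "$TAP_IF"
    printf 'iptables -A FORWARD -o %s -j DROP\n' "$TAP_IF"
    # The legacy box gets no outbound access of its own; anything it needs
    # (mail relay, HTTP) goes through a proxy on the host instead.
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$TAP_IF"
}

# Print the qemu invocation. The NIC model must be one the legacy OS has a
# driver for (rtl8139 is a common lowest denominator). Passing -snapshot as
# $1 discards all disk writes, which gives a throwaway instance for testing.
gen_qemu_cmd() {
    printf 'qemu-system-i386 -m 256 %s -drive file=%s,format=raw -netdev tap,id=n0,ifname=%s,script=no,downscript=no -device rtl8139,netdev=n0 -nographic\n' \
        "${1:-}" "$IMG" "$TAP_IF"
}

case "${1:-}" in
    --show)  gen_tap_setup; gen_rules "${2:-80 25}"; gen_qemu_cmd ;;
    --apply) gen_tap_setup | sh -e; gen_rules "${2:-80 25}" | sh -e ;;
    --test)  gen_qemu_cmd -snapshot ;;
esac
```

Run `sh legacy-guard.sh --show "80 25"` to review the rules before `--apply` (root required), then start the guest with the printed qemu line. The LOG rule is the useful part operationally: every connection attempt to the legacy box on a port you did not allow turns up in the host's kernel log, which is exactly the traffic an unprotected legacy host used to absorb silently.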
'arpwatch' is great for *nix.
If you need a quick check using a Windows workstation, check out ARP Monitor by BinaryPlant Software. It does sort of the same thing and has a nifty Windows GUI. See http://blog.kmint21.com/2008/03/12/arp-monitor/ The site is in Russian, but the software is in English.
Jasey 93 Posts Nov 9th 2009