Cleanrooming Legacy Systems

Eric Rand,

The WCry worm threw into sharp relief how quickly the turnaround between exploit announcement and the use of said exploit in a high-profile attack can be: a vulnerability patched in March, with a public exploit shown in April, was used worldwide in early May.

Some large organizations may not have the agility to patch systems within that timespan under their existing plans - worse, some organizations may have legacy equipment that is not supported with patches for this kind of vulnerability.

How, then, can we mitigate the dangers for those systems?

Consider, by analogy, a patient undergoing a bone marrow transplant. During the process, they do not have a working immune system, so they must be kept isolated in a clean room to keep them from contracting an illness that they would not be able to fight off.

The same kind of situation can be set up with computers. A system that cannot be made immune with a patch can be isolated in a clean room. One way to do this is to remove the system from the organizational network entirely, though this is not always practical.

Another way is to set up an isolated subnet, where the vulnerable system is isolated from normal network traffic - firewalled off, so that no normal traffic can reach it. When the clean room environment has been set up, a carefully selected whitelist of systems that have been specifically evaluated as being immune to the vulnerability [systems that have been patched, or are not vulnerable in the first place] can be allowed to communicate with that legacy system.

By ensuring that only systems that are positively known to be immune to the vulnerability that is the reason for the legacy system's isolation can connect with the legacy system, any potential danger to the legacy system is isolated.

This will allow the legacy system to remain in at least partial use until such time as it can be decommissioned or replaced.

Cleanrooming is, by nature, a temporary measure - architectures like this cannot be effectively maintained in most organizations for long durations. Also, you cannot keep multiple systems within the same cleanroom - each legacy system must be isolated in their own cleanroom, else there is the risk of cross-infection between them.

Once a system has been identified for cleanrooming, your organization should consider planning to decommission or replace it at the first available opportunity.

Talk to us here at Castra for advice on how to protect your legacy systems, and protect the rest of your network from those legacy systems - we'll be more than happy to help.