Legacy Systems Policy

Revised: March 2, 2007

Note: There is now a UCAR Legacy Hosts policy. This document was revised March 2, 2007, to remove any language which might conflict with this UCAR policy

Legacy Systems are defined as networked computers for which current updates and security-critical patches are not available. In ACOM, these are usually used in lab environments which have constraints that make upgrading such systems difficult, costly, or impossible. Legacy Systems may also be defined as those systems which ACOM can no longer support in terms of their security. Windows 2000 is an example of this -- while it is possible to get security patches for Windows 2000, the procedures are cumbersome and the updates may not be timely enough to respond to identified security problems.

If a computer cannot be networked or if it is protected on an unroutable private network behind a firewall device or front-end machine, it is not covered by these policies.

The following operating systems are considered "legacy" (see our Operating Systems Support Policy).

  • Windows systems not joined to the CIT domain which are not visitor laptops.
  • Windows 95, 98, ME, NT, 2000
  • Mac OS 7.x, 8.x, 9.x, or OS X prior to OS X 10.4
  • Redhat Linux 6.x, 7.x, 8.x, or 9.x.
  • Fedora Core Linux except for the current version and one version prior to the current version as long as updates are available for the prior version.
  • Linux installations which are not supported by ACOM systems staff, or which are not acquiring updates via an automated patch update procedure.
  • Digital Unix (all versions)
  • HP/UX, Solaris, AIX, or Irix other than current versions.


Guest Networks

All legacy systems within ACOM must be behind a firewall device (see below) or front-end machine. All visitor systems which are legacy systems must be certified by a primary System Administrator and placed either on the wireless network or on a guest or external network.

ACOM will not provide network services such as printing, file sharing, and email to guest networks.

Firewall Devices

Firewall devices create small private networks of 1 or a few machines which can communicate freely with each other, but which are not accessible from outside of their private network. The private network is separate from the primary UCAR network except for certain allowed outbound connections, such as to web sites. File shares may not be provided to the outside network, but computers on private networks may file share with folders and filesystems located on the UCAR network.

For example, data may be collected by a lab instrument, but instead of being written to a local C:\data folder, it would instead write to a S:\data folder, where S:\ is a network connection to a managed server on the UCAR network.

The following rules apply to Firewall Devices which provide private networks.

  • The private network may be provided by a NAT-capable firewall box or by a front-end Linux machine with a separate network connection for the private network, and firewall rules in place limiting access to hosts on the private network. In such a configuration, the front-end machine may not act as a NAT device.
  • All legacy machines which are not on a guest network must be on a private network.
  • All unmanaged machines which are not on a guest network must be on a private network. Unamanaged machines are machines which are not on the CIT domain or are otherwise not under the administrative control of ACOM's Primary Sysadmins.
  • The Firewall Devices will be selected, purchased and provided by the ACOM Computing Group.
  • The Firewall Device will be configured, maintained, and deployed by Primary Sysadmins only.
  • By default, firewall devices will allow outbound connections for file sharing. Upon request, such devices may also allow outbound web access.
  • Machines on the private network behind the firewall device may not have access to printing, email, and other networking resources. These are functions which should not be performed on legacy systems; but rather on well-managed systems (on the CIT domain for Windows machines) on the UCAR network.
  • The use of private networks is discouraged if there is an option to instead provide the software and services you need on a modern, well-supported platform with a updated operating system and Antivirus protection.
  • While not required, Antivirus software and critical OS updates are strongly encouraged, even on systems on private networks.




ACOM | Atmospheric Chemistry Observations & Modeling