Devices with an outdated operating system
General information
Regardless of which of the following scenarios applies, it should be noted that users can infect end devices with malware if they continue to operate them with an outdated operating system. Without an active network connection, this can happen via infected USB sticks, for example. With an active network connection, it can occur through access to infected websites or data.
So that the system can be quickly restored to a "clean" state in the event of an infection, it is strongly recommended to create an image of the clean installation.
Users who transfer data from/to end devices with an outdated operating system need up-to-date software and anti-virus protection on their "normal" workstation (as on any other workstation at the university), so that any malware picked up on the computer with an outdated operating system is not transferred to the workstation computer.
This also applies to end devices whose operating system is still actively maintained but which cannot be updated promptly for technical or organisational reasons!
Operation without network connection
The safest option is to operate the computer offline without a network connection. Even in this scenario, the computer can still be infected with malware, e.g. via an infected USB stick. However, this should only affect the computer itself, since media that subsequently become infected on the computer will hopefully only be connected to computers with up-to-date software and anti-virus protection.
Pro:
- Even if the computer is infected with malware (e.g. via USB stick), it cannot attack other computers
Contra:
- The effort required to transfer data from/to the computer using external storage media.
Isolated local network (possibly with jump server)
The computer is operated in a network with other computers or measuring devices in an isolated local network. This island has no (direct) connection to the university network. Data is transferred to computers in the university network via external storage media. Alternatively, a suitably well-secured jump server can serve as a data exchange point.
In this scenario, direct access from the devices on the local network to the university network and vice versa is not possible.
Pro:
- Work can be simplified via local networking / the jump server
Contra:
- Within the local network, malware can spread to the other devices
- The jump server must be particularly well secured
- Not all application scenarios are suitable for a jump server
- Effort to maintain a jump server
Isolated local network with a NAT gateway to access the university network
If the computer with an outdated operating system is connected to the university network via a NAT gateway, the NAT gateway can control the data traffic from/to the computer with an outdated operating system. The computer can be accessed from the university network via port forwarding, and the computer can access the university network via the NAT functionality.
Pro:
- Data can be exchanged directly with computers in the university network
- Depending on the forwarding/NAT rules, only authorised data connections can be established. With the default settings of a NAT gateway, the computer cannot be attacked via the network from the rest of the university network.
Contra:
- The NAT gateway must be administered securely
- The computer can be infected by accessing infected targets on the Internet (e.g. via a browser)
- If the computer is infected, it can attack other computers in the university network/Internet via the NAT gateway, unless the NAT gateway restricts the data traffic coming from the computer
- Effort to set up the NAT gateway and operate it securely
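The traffic restriction mentioned in the points above, sketched as an nftables ruleset for a Linux-based NAT gateway. This is an added example, not part of the original guidance; the interface names, all addresses, the forwarded RDP port and the SFTP data exchange server are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example; every name, address and port below is an assumption.
flush ruleset

define UNI_IF  = "eth0"          # side facing the university network
define LAN_IF  = "eth1"          # isolated segment with the legacy computer
define LEGACY  = 192.168.50.10   # computer with the outdated operating system
define ADMIN   = 192.0.2.30      # only host allowed to use the port forward
define XCHG    = 192.0.2.20      # only server the legacy computer may reach

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Port forwarding: one port, one authorised source
        iifname $UNI_IF ip saddr $ADMIN tcp dport 3389 dnat to $LEGACY
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $UNI_IF ip saddr $LEGACY masquerade
    }
}

table ip filter {
    chain input {
        # The gateway itself: administration only from the admin host
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname $UNI_IF ip saddr $ADMIN tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Inbound: only connections that matched the DNAT rule above
        iifname $UNI_IF oifname $LAN_IF ip saddr $ADMIN ct status dnat accept
        # Outbound: SFTP to the data exchange server, nothing else
        iifname $LAN_IF oifname $UNI_IF ip saddr $LEGACY ip daddr $XCHG tcp dport 22 accept
        # Weak variant the page warns about (do not use): lets an infected
        # computer reach the whole university network and the Internet:
        #   iifname $LAN_IF oifname $UNI_IF accept
        iifname $LAN_IF counter log prefix "legacy-egress-drop: " drop
    }
}
```

The file can be syntax-checked with `nft -c -f` before it is loaded. Hits on the final logging rule are an early sign that the legacy computer is trying to reach destinations it has no reason to contact.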




