Contrary to my numerous requests over the years, an organization continues to redeploy EOS hardware into production.
In the latest case, an organization has chosen to take a good number of old 2900/3500XL switches to be put back into service. Production or non-production (yet still connected to the production network), I consider this to be highly undesirable. The 3500XL EN line was announced for EOS in July 2002, nearly eight years ago. It went EOS in July 2007, two and a half years ago. There have been no software updates for nearly 3 years now. http://www.cisco.com/en/US/products/hw/switches/ps637/prod_eol_notice09186a008032d190.html
However, I am not able to find the clear-cut "Best Practice" which says definitively that this is highly undesirable or clearly not recommended. I know it seems like a no-brainer for an enterprise that invests in Cisco hardware for its data transport infrastructure. Some may assume such an organization should have already arrived at such an opinion independently without significant debate or resistance, but that is not the case here.
Google search results only find product EOS announcements, not general instructions of "best practices" for a large infrastructure. If NIST 800-100, 800-53 address this explicitly, I’m missing it. The best I can derive is 800-53’s SI-2 and SI-5. SI-2 may apply, as there has been no flaw remediation since July 2007 and Cisco may potentially not even acknowledge a flaw, as the product is now EOSupport.
So, I am asking security-minded peer professionals to let me know where I may find documented proof that an organization would not redeploy into production old EOS hardware. This proof/recommendation does NOT have to come from Cisco. It may be a technology foundation/edu/organization/governing body. I am sure some here have already encountered this (years ago) and may recall a good document/bulletin from a technology foundation/edu/organization/governing body, like SANS, NIST, etc., that addresses this.
Please post any URL here.
If anyone knows of a well-moderated security policy forum (not a technical how-to forum) where topics like this are addressed, I would greatly appreciate those recommendations as well.
If I am wrong and I should be thankful for the redeployment of XLs into production, please also say so here.
Please do not talk about the economy, as these decisions are made by an organization with deep pockets which does not hesitate to spend $2-5K per user on replacement desktop hardware, and not just for CAD-using engineer types, but even for the common Word/Excel/Outlook user types.