
End-of-Sale (EOS) and End-of-Life (EOL) dates are important lifecycle events for infrastructure devices such as firewalls, switches and routers. But it can be difficult to find and keep track of this information.
To make that piece easier, we recently launched a new element of our NWG Manage service. Twice a year, we’ll provide a report sharing which of our customers’ devices have reached these lifecycle milestones, as well as recommendations for budgeting and replacement.
Regardless of whether you’re already working with us to manage your network security, we wanted to share a blog post digging into what happens when devices reach EOS and EOL, why each milestone is important and what actions you should take. With proper planning using this information, organizations can prevent extended disruptions, project delays, unbudgeted costs and unpatchable vulnerabilities.
What are the different phases in the firewall lifecycle?
The phases in the firewall lifecycle vary by manufacturer, but in general they happen in the following order (more detail on what each one means is below):
- EOS announced
- EOL - This phase contains a few additional steps:
  - End of hardware replacement
  - End of software updates
  - End of support
What does End-of-Sale (EOS) mean (and what are the associated risks)?
When a manufacturer announces an EOS date, the clock starts ticking. After the EOS date, that specific model will no longer be available for purchase. Replacement will still be covered under the support contract until you reach the date the vendor lists as “End of hardware replacement” (more on that below). But if you have this model in your environment and need one for a new location, you won’t be able to buy it from the vendor anymore.
Fortunately, you’ll have some warning: There are usually several years between EOS and EOL. But the EOS announcement should trigger you to start planning for replacement — beginning with deciding on a new standard configuration with an up-to-date model — for a couple of reasons:
- More generations = more that can go wrong. Let’s say you’re running EOS hardware and you need to buy another of those devices for a new location. Your only option will be next-generation hardware that may run a completely different version of the operating system. Different hardware lines often require different code trains, so now you have compatibility issues. When you have generational spacing, it adds behavioral differences and an increased level of complexity. The lack of standardization in an environment — especially for larger environments — becomes harder to manage, and there’s more that can go wrong.
- Project delays and budgetary surprises. If you’re caught flat-footed when you have to deploy new hardware, you may need to scramble to find a new standard — a time-consuming and stressful process when done last-minute. Even without a standard, new hardware usually means new software/firmware, and this can mean you’re unable to simply migrate a config. It may even mean having to rebuild the device configuration completely. All of this adds up to other project delays. Hasty decisions. Unexpected and unbudgeted costs. You may end up with something that’s not an optimal choice for your environment, and now you’re stuck with it for the foreseeable future.
What does End of Life (EOL) mean (and what are the associated risks)?
As we mentioned above, once a device reaches its EOS date, it enters the EOL phase, with a few additional steps (the specifics vary slightly by manufacturer):
- End of hardware replacement: The manufacturer will stop issuing warranty replacements for devices that fail in the field. At this point, the device has usually been EOS for some time, so buying a replacement isn’t an option. This is obviously a huge risk to any organization. If a device fails and you haven’t planned ahead with a replacement, you’re facing significant disruption.
- End of software updates: The manufacturer will stop releasing new features, fixing bugs and patching security vulnerabilities. If a critical vulnerability is found on EOL software, there will be no patch to fix or mitigate it, posing extreme risk. When patching the vulnerability isn’t possible, at best, your team has to scramble to find workarounds or mitigations, or do a rushed forklift upgrade. Not being able to update software over time means more potential incompatibilities, which will force more time-consuming workarounds to cover the vulnerabilities.
- End of support: The manufacturer will stop taking support calls on the EOL model. This is the cherry on top of the other risks that all compound one another when a device that has become EOL is still in production.
How to plan for EOS and EOL?
Define a lifecycle management policy
Broadly speaking, you need to define your organization’s device lifecycle management program or policy: Something that articulates how often these devices are reviewed, and how often — and at what point — you budget for new or replacement technologies.
For example, this could mean reviewing annually, as well as when an event like a merger or acquisition takes place.
Knowing that you’re unlikely to get the budget for every device that’s reaching EOL in the next few years, your policy also needs to define how you’ll make decisions about prioritizing replacement. The most common approach is to prioritize by EOL date and replace each device, for example, the year before it goes EOL. This maximizes the investment you’ve made in your current device while avoiding running into the problems listed above.
Gather EOL/EOS data on your devices
Once you know what will trigger a review, you need a way to gather EOL/EOS information on all the devices in your environment. This should include devices that have had an EOS or EOL announced as well as those with no EOL/EOS (these devices may be natural candidates for your new standard).
The good news for our NWG Manage customers is that we’ll take care of this for you, sharing a report with you twice per year.
How to gather this data if you’re not an NWG Manage Customer
If you’re not an NWG Manage customer, this process is a bit more complicated — and, frankly, annoying. Essentially, you need to make a list of all your unique makes and models, then find vendor info on EOL/EOS.
Finding this info takes a bit of legwork. Vendors will send email notifications to their customer base when EOS/EOL dates are announced, but that can mean sifting through your inbox to find them all. The alternative is to go to each vendor’s website, and the EOL/EOS information is usually only accessible by logging in with your support credentials.
If there are published EOL/EOS dates, you’ll want to keep track of when they are, sorting by EOL date for planning and prioritization. And keep in mind that this should be an ongoing task: Stay vigilant for new announcements, and be sure to update your list according to your review plan.
Prioritize
In an ideal world, you’d have no devices in your environment that are already EOL. And anything EOS would have a plan for replacement. But we know that tech debt is real, and budgeting is messy. So we suggest thinking about prioritization by device age and level of risk (which is also how our Device Lifecycle Report is structured):
- Already EOL/Legacy. These should be prioritized for immediate replacement as they no longer receive critical updates or support from the vendor.
- Devices that will reach their EOL during the next year. These should be prioritized for replacement within the year.
- Devices reaching EOL the year after that, etc.
- Devices in chronological order by their EOS date.
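The ordering above can be applied to a device list with a short script. This is an added example, not NWG's report logic: the inventory is constructed, the "replace the year before EOL" budget rule is taken from the policy example earlier in this post, and treating the last tier as devices with an EOS date but no published EOL date is an assumption.

```python
from datetime import date

# Constructed sample inventory: model names and dates are made up.
# None means the vendor has not published that date.
INVENTORY = [
    {"model": "sw-c", "eos": date(2022, 1, 15), "eol": date(2027, 1, 15)},
    {"model": "rt-d", "eos": date(2025, 9, 1), "eol": None},
    {"model": "fw-a", "eos": date(2019, 3, 1), "eol": date(2024, 3, 1)},
    {"model": "fw-e", "eos": None, "eol": None},
    {"model": "fw-b", "eos": date(2021, 6, 30), "eol": date(2026, 3, 31)},
    {"model": "sw-f", "eos": date(2024, 2, 1), "eol": None},
]

def classify(device, today):
    """Return (rank, label, budget_year) for one device model."""
    eos, eol = device["eos"], device["eol"]
    if eol is None:
        if eos is None:
            return 3, "no EOS/EOL announced: candidate for new standard", None
        return 2, "EOS announced, EOL not yet published", None
    if eol <= today:
        return 0, "already EOL: replace immediately", today.year
    # Assumed policy: budget the replacement for the year before EOL,
    # but never for a year that has already passed.
    budget_year = max(today.year, eol.year - 1)
    if (eol - today).days <= 365:
        return 1, "EOL within the next year", budget_year
    return 1, "EOL in a later year", budget_year

def prioritize(inventory, today):
    """Order models: EOL tiers by EOL date, then EOS-only by EOS date."""
    rows = []
    for d in inventory:
        rank, label, budget_year = classify(d, today)
        # date.max pushes unpublished dates to the end of their tier.
        key = (rank, d["eol"] or date.max, d["eos"] or date.max, d["model"])
        rows.append((key, d["model"], label, budget_year))
    rows.sort(key=lambda r: r[0])
    return [(model, label, year) for _, model, label, year in rows]

if __name__ == "__main__":
    for model, label, year in prioritize(INVENTORY, date(2025, 6, 1)):
        print(f"{model:6} {label:50} budget: {year or '-'}")
```

Re-run it at each review with the current date so devices move between tiers as new EOS/EOL announcements are added to the list.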
Find Appropriate Replacements
When it’s time to find a new standard, there are a few things to consider. If your needs are fairly static, you may be able to find an appropriate replacement by identifying the new model of what you already have, as long as it fits your same requirements.
But since it’s likely been five-ish years (or more) since you purchased the current device, this is a good opportunity to assess whether your needs have changed and if there’s a better fit out there than a one-to-one replacement. It’s also possible the market has changed, and there could be a better solution today from a different vendor.
Again, good news for NWG Manage customers because we can work directly with you to make replacement recommendations based on your needs and unique environment.
Conclusion
This advice might sound straightforward. But we’ve seen many organizations with EOL hardware suddenly forced to move urgently, sometimes with significant dollars attached. The more you can make key stakeholders aware of the importance of planning — and the rationale behind replacement decisions — the more you can make those decisions proactively instead of reactively. Preventative maintenance can help you avoid adverse events, unexpected expenses and work delays.




