<div>
How about the Xp machines being on a separate switch and separate subnet with a basic switch.with a san or nas device.<br />
You can have a newer machine with 2 nics scan that san every say 1 to 5 minutes and move any files found off and onto their new destination...<br />
A cheap firewall can even do better isolation.<br />
<br />
or even easier, find a nas device that is capable of having 2 separate subnets on 2 interfaces.<br />
<br />
We basically use something similar to move hourly data off of our SCADA systems and into our GIS system with no possibility of cross communication...
</div>


TME / Network Security Evangelist

J Spoor

Principal Software Engineer

Dr. Klahn

<div>
I understand your challenges, <br />
these medical devices can be considered IoT devices, they offer the same challenges<br />
-Older / Unpatched operating systems that pose security risks, e.g. getting breached to 1) be included in DDoS attacks, 2) being used to spread malware<br />
<br />
Luckily you do have a SonicWall, I hope you have it fully licensed?<br />
<br />
SonicWall can help you here with the following<br />
1) Segment IoT devices away from the corporate LAN<br />
2) Protect / Virtually patch IoT devices with Intrusion Prevention Service (IPS), if it runs a web server that needs to be publically available also suggest adding a WAF in front of it. If it runs a web server and it's HTTPS use SSL Decryption<br />
3) Protect your LAN from the IoT device incase of infection, make sure that traffic to and from these devises are scanned by IPS and Gateway Anti-Malware (Gateway AV and Gateway AntiSpyware), SonicWall is one of the few vendors that can do GAV on SMB/CIFS (aka filesharing)<br />
4) SonicWall has some HIPAA guidelines for you, also SonicWall has some pre-sales folks specialized on HIPAA certification<br />
<br />
Addendum, dual homing (2 nics) will only trigger you to still have a port in your LAN, bad idea... The only valid reason for dual NICs is if you want to create an External DMZ: allow HTTP traffic from WAN to device and an Internal DMZ: allow device to contact LAN. Both DMZ should be fully scanned by your SonicWall device.<br />
<br />
What SonicWall do you have? The Gen 6.5 series: NSa x650 has more memory and is better aimed to do DPI-SSL (SSL Decryption)<br />
What firmware are you running?<br />
Do you have the full licenses? Suggest you include Capture ATP
</div>


Network Engineer

BlackJack11

<div>
I know the above is a lot of work, but I truly highly recommend segmentation!!!<br />
And if you can't patch the Embedded XP, use virtual patching (IPS and WAF) instead
</div>


<div>
This is a problem because you are trying to convert something insecure into something else secure and that's always a difficult issue to do with provable safety.<br />
<br />
You could <i>try</i> this. &nbsp;It is <u>not</u> 100% provably safe but it is &quot;reasonable&quot; safety. &nbsp;<i>You would absolutely need a HIPPI expert review it to see if it is acceptable</i>.<br />
<br />
Block off the XP machines on their own physical subnet with one other system and a firewall to the rest of the network. &nbsp;I'd use linux on a thin client for the &quot;other system&quot; as (1) this is not a heavy load to lift and (b) Windows is then out of the picture. &nbsp;Set the firewall up so that it will only pass outgoing Secure FTP (SFTP) traffic from the &quot;other system&quot; and no other traffic at all.<br />
<br />
Let the XP systems send their PDF files to the &quot;other system&quot; on a network share using Samba. &nbsp;This gets XP reliance on SMBv1, and indeed XP itself, completely out of the picture.<br />
<br />
Now get Microsoft Networking out of the picture. &nbsp;Have the &quot;other system&quot; check the share once a minute and if anything is in it, SFTP the file out through the firewall to a cooperating system on the primary network. &nbsp;The XP system can not get to the main network at all as the firewall is only permitting traffic from the &quot;other system&quot;, everything but SFTP is blocked, and SFTP did not come with XP and should not be present.<br />
<br />
Have another &quot;other system&quot; on the primary network look run an SFTP receiver, look at its SFTP folder once a minute and if anything is in it, send it to the destination.
</div>


<div>
The least you can do is run them on their private LAN behind a firewall that filters all traffic except the stuf that is allowed.<br />
and allow access only to a device outside that net that isn;t used for anything else (NAS like).<br />
<br />
Or put the NAS on the SAME LAN and allow only outside access to that NAS.
</div>


<div>
<blockquote>
<br />
Let the XP systems send their PDF files to the &quot;other system&quot; on a network share using Samba. &nbsp;This gets XP reliance on SMBv1, and indeed XP itself, completely out of the picture<br />

</blockquote>
<br />
This requires SMB/CIFS traffic to be allowed from the IoT Segment to the LAN segment. Please make sure this traffic is scanned by an Intrustion Prevnetion Service, and a Gateway Anti Virus.<br />
CIFS/SMB/File Sharing is one of the main mechanisms/protocols used by<br />
a) viruses to spread<br />
b) hackers to acquire access to more systems<br />
<br />
FYI, also suggest you disable SMB v1 in the LAN on any systems that does not need to be accesses by these ancient XP devices...<br />
SMB v1 was a target for epxloits like Spectre and Metldown, also see Eternal Blue regarding this :)<br />
Not wanting to praise SonicWall too much, but their IPS and GAV can block these.
</div>


☠ MASQ ☠

masnrock

The More I know, the more I don't know

David Johnson, CD

<div>
@DrCline, SFTP is just hiding the transfers behind SSL/TLS encryption.... as he has a SonicWall that can do Gateway AV and IPS, encrypting traffic to LAN hides possible attacks and malware... and just complicates things...
</div>


<div>
SMBv1 was a target long before that because passwords can be guessed/calculated from traffic. (MSCHAP attacks, 1998-2008 era, it is/was also part of the core issue with PPTP).<br />
Spectre &amp;&nbsp;Meltdown are quite different methods to get any value from memory cells anywhere in memory &nbsp;even when non-accessible (other process, kernel space) or in a different VM on the same hardware (same memory set effectively) using a timing attack where the cause is a Hardware failure (speculative execution). <br />
<br />
It would be better to restrict transfers to tools that require less infra structure and services, like SCP, SCP uses the same underlying protocol as SSH (SFTP uses the same, but is interactive). SCP it is just easier to manage as it is completely setup from the commandline therefore it also is easier to audit.<br />
SMB Should be encrypted as well so that firewall AV won't help at all. &nbsp; Getting the attack surface down to a single port is helpfull. (only port 22 open).<br />
<br />
Also SSL is not about &quot;Hiding&quot; data, if setup correctly it will also ensure the source &amp;&nbsp;destination are the intended ones, without someone snooping or changing data in the middle.
</div>


<div>
@J Spoor, &nbsp; there should be NO traffic TO the LAN , only traffic LEAVING the LAN.<br />
So no access from the outside and only port 22 (SCP) access &nbsp;FROM the LAN to one device outside.
</div>


<div>
Thank you all for your input <br />
<br />
I think I am not going to risk a audit and recommend a upgrade of the XP devices
</div>


<div>
<div class="content wysiwyg-content">
I need to keep networked 2 medical devices (Zeiss eye scanners) that run Win XP embedded. However HIPPA does not like XP. To upgrade to the latest would cost many thousands MANY.<br />
<br />
The devices just need to send a PDF to a network share. <br />
<br />
I am looking for the best way to segment out the XP machines and still satisfy HIPPA requirements.<br />
<br />
One thing I cant do is just unplug the network and use a usb drive because the devices are used many times a day and would hamper workflow.<br />
<br />
I have considered removing the gateway on the XP pcs and also adding strict firewall rules (sonicwall) <br />
<br />
Also thought of using a win 10 pc with 2 nics for 2 different subnets to act as a go between<br />
<br />
Any thoughts?<br />
<br />
Thanks
</div>
</div>


I need to keep networked 2 medical devices (Zeiss eye scanners) that run Win XP embedded. However HIPPA does not like XP. To upgrade to the latest would cost many thousands MANY.

The devices just need to send a PDF to a network share. 

I am looking for the best way to segment out the XP machines and still satisfy HIPPA requirements.

One thing I cant do is just unplug the network and use a usb drive because the devices are used many times a day and would hamper workflow.

I have considered removing the gateway on the XP pcs and also adding strict firewall rules (sonicwall) 

Also thought of using a win 10 pc with 2 nics for 2 different subnets to act as a go between

Any thoughts?

Thanks

I need to allow 2 medical devices  that run Win XP embedded on my network to send PDF files to a share. And have the solution satisfy HIPPA rules.

Microsoft Windows XP is the sixth release of the NT series of operating systems, and was the first to be marketed in a variety of editions: XP Home and XP Professional, designed for business and power users. The advanced features in XP Professional are generally disabled in Home Edition, but are there and can be activated. There were two 64-bit editions, an embedded edition and a tablet edition.

Windows XP

Networking is the process of connecting computing devices, peripherals and terminals together through a system that uses wiring, cabling or radio waves that enable their users to communicate, share information and interact over distances. Often associated are issues regarding operating systems, hardware and equipment, cloud and virtual networking, protocols, architecture, storage and management.

Networking

The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It has been known as the Kennedy–Kassebaum Act or Kassebaum–Kennedy Act after two of its leading sponsors. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.