
How is this a security risk?

Question

notta    74

We have an unusual request from a user. A user has a very expensive piece of laboratory equipment. The supplier of the instrument states that the software that controls the instrument cannot have updates or antivirus, as it will interfere with communication. It is a one-of-a-kind instrument, and they state that if those conditions are not met they will not support the device.

To make matters worse, the user needs the foreign company to have remote access to the system to work on it as needed. Normally this would be a no, but this is a pretty important machine.

Obviously this seems like a network security nightmare, but I can't think of a reason why it's a network security nightmare. Here are the details.

Note 3 - An unpatched, no-antivirus Windows XP system with 2 network cards. The 1st NIC is a private IP that goes to the lab instrumentation and the 2nd NIC is another private IP that talks to a fully patched and secured Windows 10 system.

Note 2 - A fully patched, corporately approved Windows 10 system with 2 network cards. The 1st NIC goes to the corporate network and the 2nd NIC is a private IP that talks to the Windows XP system. Essentially this is a jump box.

Note 1 - Outside company that needs remote access to the Windows XP machine. The company will remote into the fully secured Windows 10 machine. From there they will remote on the private side to the Windows XP machine.

In theory this sounds OK, but I am still uneasy with this. There are some pretty smart people on here, so I am asking: how can this be exploited? Is there something I'm overlooking here?

Please focus on the tech, as I have no control over the political side.

One more note. In the picture below, the instrumentation (4) should be going to the switch, but you see my point. Also, the switch could be replaced with a firewall to only allow 3389 from system 2 -> system 3.

[Attached image: RA_1.png]

Edited by notta

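The layout in the question, with the switch replaced by a firewall that only passes 3389 from system 2 to system 3, can be written down as a first-match rule set and checked against the flows that must work and the flows that must never work. The following is an added example, not code from the original post or from Neowin; all addresses, the vendor's source range and the rule set are constructed assumptions. It goes a step beyond the question by also restricting the vendor's inbound RDP on the corporate side to a known source range, and by stating explicitly that nothing on the private link may initiate traffic toward the corporate network.

```python
"""Segmentation policy check for the two-NIC jump-box layout in the question.

Added example, not code from the original post. All addresses, the vendor's
source range and the rule set below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumptions, not from the post).
CORP_NET   = ipaddress.ip_network("10.10.0.0/16")     # corporate LAN, jump box NIC 1
LINK_NET   = ipaddress.ip_network("192.168.50.0/30")  # private link: jump box NIC 2 <-> XP NIC 2
LAB_NET    = ipaddress.ip_network("192.168.60.0/24")  # instrument side, XP NIC 1
VENDOR_NET = ipaddress.ip_network("203.0.113.0/24")   # vendor's egress range (documentation prefix)
ANY        = ipaddress.ip_network("0.0.0.0/0")

JUMP_CORP = ipaddress.ip_address("10.10.5.20")    # system 2, corporate side
JUMP_LINK = ipaddress.ip_address("192.168.50.1")  # system 2, private side
XP_LINK   = ipaddress.ip_address("192.168.50.2")  # system 3, private side
XP_LAB    = ipaddress.ip_address("192.168.60.1")  # system 3, instrument side
RDP = 3389


def host(addr):
    """A /32 network for a single host address."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"
    note: str


# First-match rule set with an implicit default deny at the end; order matters.
POLICY = [
    Rule(VENDOR_NET, host(JUMP_CORP), RDP, "allow", "vendor -> jump box, RDP only"),
    Rule(host(JUMP_LINK), host(XP_LINK), RDP, "allow", "jump box -> XP, RDP only (firewall instead of switch)"),
    Rule(LINK_NET, CORP_NET, None, "deny", "nothing on the private link may initiate into corporate"),
    Rule(LINK_NET, ANY, None, "deny", "and nothing on the private link may reach anywhere else"),
    Rule(host(XP_LAB), LAB_NET, None, "allow", "XP talks to the instrument on its own NIC"),
]


def evaluate(src, dst, dport):
    """Return (action, note) for the first matching rule, or default deny."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for r in POLICY:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action, r.note
    return "deny", "default deny"


# Flows that must work and flows that must not; the expected results are part of
# the constructed example.
EXPECTATIONS = [
    ("203.0.113.7",  str(JUMP_CORP), RDP,  "allow"),   # vendor reaches the jump box over RDP
    ("198.51.100.9", str(JUMP_CORP), RDP,  "deny"),    # an arbitrary internet host does not
    ("203.0.113.7",  str(JUMP_CORP), 445,  "deny"),    # vendor gets nothing but RDP
    (str(JUMP_LINK), str(XP_LINK),   RDP,  "allow"),   # jump box reaches XP over RDP
    (str(JUMP_LINK), str(XP_LINK),   445,  "deny"),    # but nothing else
    (str(XP_LINK),   "10.10.1.5",    445,  "deny"),    # XP cannot initiate into corporate
    (str(XP_LINK),   "8.8.8.8",      53,   "deny"),    # XP cannot reach the internet
    (str(XP_LAB),    "192.168.60.40", 5555, "allow"),  # XP still reaches the instrument
]


def audit():
    """Return the expectations the policy violates; an empty list means the policy holds."""
    failures = []
    for src, dst, port, expected in EXPECTATIONS:
        got, note = evaluate(src, dst, port)
        if got != expected:
            failures.append((src, dst, port, expected, got, note))
    return failures


if __name__ == "__main__":
    for failure in audit():
        print("VIOLATION:", failure)
    print("policy holds" if not audit() else "policy has gaps")
```

The point of keeping the expectations next to the rules is that a later "just open one more port for the vendor" change gets re-checked against the flows that must stay blocked, in particular anything originating from the XP side.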

4 answers to this question


  • 0
firey    3,924

I am no expert when it comes to networks, but I guess as long as the unpatched machine can only be accessed via a patched machine and the unpatched machine isn't sitting on the network, it shouldn't be too bad. My thought though is that the secure machine should run a VM or something to ensure that the third-party company doesn't actually have access to the network or anything (just a direct connection to the unpatched PC). I would also have it so that the unpatched machine is actually also a VM and not just bare metal (if possible).

  • 0
sc302    1,725

An unpatched machine sitting on the network is a point where an attacker could eventually gain access and run malicious code. If one machine is infected/compromised, other machines on the network could also be compromised. In my opinion, the compromised PC should exist on its own less secure subnet with no way to initiate communications outside of its subnet other than to an even less secure subnet, but in reality I would have that completely sectioned off with no outbound communication whatsoever and have that as a less secure (untrusted) network so that it cannot initiate traffic to the more secure network.

  • 0
goretsky    1,049

Hello,

Because the company that makes/services the lab equipment is using Windows XP as the host controller for the lab equipment (STEM electron microscope?), which is horribly outdated and insecure, there is no reason to believe that their corporate security practices and standards are any more secure. As such, I would suspect them of using outdated remote control software, (re)using easily-guessable passwords, and having a corporate network infrastructure that is vulnerable to compromise. Allowing them into your network could be allowing malware such as ransomware in.

I would strongly suggest placing the jump box on its own subnet/VLAN so its connectivity to the rest of your corporate network is minimized as much as possible. Also, make sure network logs and the like from that subnet/VLAN are monitored continuously for signs of ingress by an attacker.

It may be a bit out of scope, since it's more geared for SOHO and small business users, but here's a blog article and accompanying 48-page paper I wrote on securing Windows XP last year:

Blog: The Last Windows XP Security White Paper

Paper: Windows XP Security [PDF]

There might be a few things in there still of use for this particular case.

Regards,

Aryeh Goretsky

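Monitoring that subnet's logs for signs of ingress, as the reply above recommends, can start with three simple checks: a successful logon on the jump box from a source outside the vendor's range, a burst of failed logons from one source, and any connection to the XP host that did not arrive over the private link from the jump box. The following is an added example, not code from the thread or from Neowin; the log line format, addresses, user names and thresholds are constructed assumptions standing in for what would really be an export of the jump box's Security log and the firewall's connection log.

```python
"""Watch jump-box and XP-side log lines for signs of unexpected ingress.

Added example, not code from the thread. The line format, addresses, user names
and thresholds are constructed assumptions standing in for a real export of the
jump box's Security log and the firewall's connection log.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

VENDOR_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed vendor source range
JUMP_LINK = "192.168.50.1"       # assumed private-side address of the jump box
FAIL_THRESHOLD = 5               # this many failed logons from one source ...
WINDOW = timedelta(minutes=2)    # ... inside this window counts as a burst

# Constructed sample log: "<iso time> <host> <event> src=<ip> user=<name>"
SAMPLE_LOG = """\
2019-07-08T09:00:01 jump logon_ok    src=203.0.113.7   user=vendor_svc
2019-07-08T09:05:10 jump logon_fail  src=198.51.100.9  user=administrator
2019-07-08T09:05:12 jump logon_fail  src=198.51.100.9  user=admin
2019-07-08T09:05:15 jump logon_fail  src=198.51.100.9  user=administrator
2019-07-08T09:05:20 jump logon_fail  src=198.51.100.9  user=user
2019-07-08T09:05:22 jump logon_fail  src=198.51.100.9  user=test
2019-07-08T09:20:00 jump logon_ok    src=198.51.100.44 user=vendor_svc
2019-07-08T09:21:00 xp   rdp_connect src=192.168.50.1  user=vendor_svc
2019-07-08T09:30:00 xp   rdp_connect src=10.10.7.3     user=labadmin
"""


def parse_line(line):
    """Split one log line into a dict; split() tolerates the padded columns."""
    ts, hostname, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": hostname, "event": event, **fields}


def analyse(text):
    """Return alerts as (kind, source, detail) tuples, in log order."""
    alerts = []
    recent_fails = defaultdict(list)   # source -> failure timestamps inside WINDOW
    burst_reported = set()             # sources already alerted on, to avoid repeats
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        src = ipaddress.ip_address(e["src"])

        # 1. A successful logon on the jump box from outside the vendor's range: either
        #    the source restriction is not enforced or someone else has the credentials.
        if e["host"] == "jump" and e["event"] == "logon_ok" and src not in VENDOR_NET:
            alerts.append(("logon_from_unexpected_source", e["src"], e["user"]))

        # 2. Repeated failed logons from one source inside WINDOW: password guessing.
        if e["host"] == "jump" and e["event"] == "logon_fail":
            window = recent_fails[e["src"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > WINDOW:
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD and e["src"] not in burst_reported:
                burst_reported.add(e["src"])
                alerts.append(("failed_logon_burst", e["src"], len(window)))

        # 3. Anything reaching the XP host that did not come over the private link
        #    from the jump box: the segmentation has been bypassed.
        if e["host"] == "xp" and e["event"] == "rdp_connect" and e["src"] != JUMP_LINK:
            alerts.append(("xp_reached_not_via_jump_box", e["src"], e["user"]))
    return alerts


if __name__ == "__main__":
    for kind, source, detail in analyse(SAMPLE_LOG):
        print(f"ALERT {kind}: {source} ({detail})")
```

The third check is the one specific to this layout: the XP host should only ever see RDP from the jump box's private-side address, so any other source there means the private link is no longer private.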
  • 0
+BudMan    3,533

How exactly are they remoting into this Win 10 box? RDP? Do you have that locked down to their source IP only?

As mentioned, this Win 10 machine, and anything it's connected to, should be segmented off from your normal network. And the only ones that should be able to access this Win 10 machine remotely are this other company, via a secure method. If they are going to use just RDP, for example, the firewall rules that allow this access should be limited to their source network/IP.

Better would be a VPN from them, and then only allow access to this Win 10 machine via RDP.

[Attached image: example.png]

This would be better than your current setup.

BTW - this is one of the reasons you don't expose RDP to the public net:

https://www.zdnet.com/article/a-botnet-is-brute-forcing-over-1-5-million-rdp-servers-all-over-the-world/
