topic Re: Come April will PA firewall be enough? in General Topics

Come April will PA firewall be enough?

JRussell — Thu, 13 Feb 2014 10:22:25 GMT

Hi there,

Like most people I know, everyone has at least 1 windows xp computer on their network. Due to the nature of our business we have a few (some due to legacy apps). But my question is that, come April and Microsoft's cut off point for support, will having one of these operating sytems behind a Palo Alto firewall that has Anti-virus and threat&app detection be enough? Obviously all the systems are running anti-virus. But if the media is to be believed come April the only way a Windows XP computer will be safe from attack is it if was completely offline.

Whereas I like to think, if the firewall is secure enough and the rules are tightly controlled as to what is allowed in and out, it should not be a problem.

What are the communities thoughts on this?

Re: Come April will PA firewall be enough?

mtijhoff — Thu, 13 Feb 2014 13:46:22 GMT

I would like to know if it is possible to create a rule to block all traffic from Windows XP clients to the internet, so we are a bit more secure

Re: Come April will PA firewall be enough?

kdd — Thu, 13 Feb 2014 15:44:00 GMT

my opinion is that PA-antivirus and threat&app detection for XP-Clients is best what could be done if XP needs access to the internet because the protection will be updated often. To prevent access for XP a custom-app could be created searching for "Windows NT 5.1" in the user-agent of http-get-request. otherwise all IP's should be known.

HTH

Re: Come April will PA firewall be enough?

HITSSEC — Fri, 14 Feb 2014 01:10:51 GMT

JRussell,

We have done some root analysis associated with Wildfire triggered events and one of the largest causes is the clicking of links in personal based email services (hotmail, yahoo-email and general webmail services). These accounted for 40 - 45% of our sample base of over 400 events. The other big category is drivebuys while doing non work related surfing. An approach to address these two major risks, especially for XP computers, would greatly reduce the incremental risk to those computers post April 2014. By using the capabilities of PA more forcefully (especially for XP hosts) you can reduce the risk to them from internet based threats. Understanding that you can globally block web-mail while allowing business required access to web-mail via AD group membership. I hope this provides some ideas to work with.

Phil

Re: Come April will PA firewall be enough?

pulukas — Fri, 14 Feb 2014 02:00:56 GMT

I agree with HitsSec that the primary threats will be the webmail and web browsing. So these can continue to be mitigated via the standards settings you deploy on the Palo Alto.

And April is not really any different than today. The real difference starts to build in May the first month without new updates. And the degree of the boost is only as large as the number of NEW vulnerabilities found and patched everywhere but on XP. Then this threat will continue to build as each month passes.

Everyone will have to make their determination of how large that risk is compared to the expense of migration for the affected workstations.