Come April will PA firewall be enough?

L3 Networker

Hi there,

Like most people I know, everyone has at least 1 Windows XP computer on their network. Due to the nature of our business we have a few (some due to legacy apps). But my question is that, come April and Microsoft's cut off point for support, will having one of these operating systems behind a Palo Alto firewall that has Anti-virus and threat&app detection be enough? Obviously all the systems are running anti-virus. But if the media is to be believed, come April the only way a Windows XP computer will be safe from attack is if it was completely offline.

Whereas I like to think, if the firewall is secure enough and the rules are tightly controlled as to what is allowed in and out, it should not be a problem.

What are the community's thoughts on this?


Accepted Solutions
L4 Transporter

JRussell,

We have done some root analysis associated with Wildfire triggered events and one of the largest causes is the clicking of links in personal-based email services (hotmail, yahoo-email and general webmail services). These accounted for 40 - 45% of our sample base of over 400 events. The other big category is drive-bys while doing non-work-related surfing. An approach to address these two major risks, especially for XP computers, would greatly reduce the incremental risk to those computers post April 2014. By using the capabilities of PA more forcefully (especially for XP hosts) you can reduce the risk to them from internet based threats. Understanding that you can globally block web-mail while allowing business required access to web-mail via AD group membership. I hope this provides some ideas to work with.

Phil


All Replies
L1 Bithead

I would like to know if it is possible to create a rule to block all traffic from Windows XP clients to the internet, so we are a bit more secure.

L4 Transporter

My opinion is that PA anti-virus and threat&app detection for XP clients is the best that could be done if XP needs access to the internet, because the protection will be updated often. To prevent access for XP, a custom app could be created searching for "Windows NT 5.1" in the user-agent of the HTTP GET request. Otherwise all IPs should be known.

HTH
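The reply above suggests identifying XP hosts by the "Windows NT 5.1" token in the HTTP User-Agent, and the accepted answer singles out personal webmail as the largest source of Wildfire events. The following is an added example, not code from this thread or from Palo Alto Networks, that shows how a defender could run the same two checks over firewall URL-filtering or proxy logs to build an inventory of XP clients and see which of them reach webmail. The log line format (client IP, destination host, quoted User-Agent), the sample lines and the webmail domain list are all constructed assumptions; a real export would need its own parser.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format: <client_ip> <dest_host> "<user_agent>").
# These are not taken from the thread or from any real device.
SAMPLE_LOG = """\
10.1.1.20 www.example.com "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/27.0"
10.1.1.31 mail.live.com "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.1.1.31 intranet.corp.local "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.1.1.45 mail.yahoo.com "Mozilla/5.0 (Windows NT 6.3) Chrome/33.0"
10.1.1.52 update.vendor.example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
this line is malformed and should be skipped
"""

# Token the reply above uses to recognise Windows XP in a User-Agent header.
XP_UA_MARKER = "Windows NT 5.1"

# Assumed list of personal webmail domains; extend to match your own URL category data.
WEBMAIL_DOMAINS = ("mail.live.com", "hotmail.com", "mail.yahoo.com", "mail.google.com")

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]*)"\s*$')


def parse_line(line):
    """Parse one assumed-format log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"client": m.group(1), "host": m.group(2), "ua": m.group(3)}


def is_xp(user_agent):
    """True when the User-Agent carries the Windows XP marker."""
    return XP_UA_MARKER in user_agent


def is_webmail(host):
    """True when the destination host is, or is a subdomain of, a listed webmail domain."""
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)


def analyze(log_text):
    """Return the set of XP client IPs and, per XP client, the webmail hosts it contacted."""
    xp_hosts = set()
    xp_webmail = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed format
        if is_xp(rec["ua"]):
            xp_hosts.add(rec["client"])
            if is_webmail(rec["host"]):
                xp_webmail[rec["client"]].add(rec["host"])
    return {
        "xp_hosts": sorted(xp_hosts),
        "xp_webmail": {client: sorted(hosts) for client, hosts in xp_webmail.items()},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("XP clients seen:", ", ".join(report["xp_hosts"]))
    for client, hosts in report["xp_webmail"].items():
        print(f"  {client} reached webmail: {', '.join(hosts)}")
```

Two caveats a practitioner would keep in mind when using this as more than an inventory aid: the User-Agent is only visible for plaintext HTTP (or decrypted HTTPS) and is trivially different on non-browser traffic, so an XP host that never sends a browser request will not appear here; and a User-Agent string is client-supplied, so a block rule keyed on it is a convenience, not a boundary. The reply's closing point, that the XP IPs should be known, remains the more reliable basis for a tightly scoped outbound policy, with this kind of log check serving to confirm the inventory is complete.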

L7 Applicator

I agree with HitsSec that the primary threats will be the webmail and web browsing. So these can continue to be mitigated via the standard settings you deploy on the Palo Alto.

And April is not really any different than today. The real difference starts to build in May, the first month without new updates. And the degree of the boost is only as large as the number of NEW vulnerabilities found and patched everywhere but on XP. Then this threat will continue to build as each month passes.

Everyone will have to make their determination of how large that risk is compared to the expense of migration for the affected workstations.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center