Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-13-2014 02:22 AM
Hi there,
Like most people I know, everyone has at least 1 windows xp computer on their network. Due to the nature of our business we have a few (some due to legacy apps). But my question is that, come April and Microsoft's cut off point for support, will having one of these operating sytems behind a Palo Alto firewall that has Anti-virus and threat&app detection be enough? Obviously all the systems are running anti-virus. But if the media is to be believed come April the only way a Windows XP computer will be safe from attack is it if was completely offline.
Whereas I like to think, if the firewall is secure enough and the rules are tightly controlled as to what is allowed in and out, it should not be a problem.
What are the communities thoughts on this?
02-13-2014 05:10 PM
JRussell,
We have done some root analysis associated with Wildfire triggered events and one of the largest causes is the clicking of links in personal based email services (hotmail, yahoo-email and general webmail services). These accounted for 40 - 45% of our sample base of over 400 events. The other big category is drivebuys while doing non work related surfing. An approach to address these two major risks, especially for XP computers, would greatly reduce the incremental risk to those computers post April 2014. By using the capabilities of PA more forcefully (especially for XP hosts) you can reduce the risk to them from internet based threats. Understanding that you can globally block web-mail while allowing business required access to web-mail via AD group membership. I hope this provides some ideas to work with.
Phil
02-13-2014 05:46 AM
I would like to know if it is possible to create a rule to block all traffic from Windows XP clients to the internet, so we are a bit more secure 
02-13-2014 07:44 AM
my opinion is that PA-antivirus and threat&app detection for XP-Clients is best what could be done if XP needs access to the internet because the protection will be updated often. To prevent access for XP a custom-app could be created searching for "Windows NT 5.1" in the user-agent of http-get-request. otherwise all IP's should be known.
HTH
02-13-2014 05:10 PM
JRussell,
We have done some root analysis associated with Wildfire triggered events and one of the largest causes is the clicking of links in personal based email services (hotmail, yahoo-email and general webmail services). These accounted for 40 - 45% of our sample base of over 400 events. The other big category is drivebuys while doing non work related surfing. An approach to address these two major risks, especially for XP computers, would greatly reduce the incremental risk to those computers post April 2014. By using the capabilities of PA more forcefully (especially for XP hosts) you can reduce the risk to them from internet based threats. Understanding that you can globally block web-mail while allowing business required access to web-mail via AD group membership. I hope this provides some ideas to work with.
Phil
02-13-2014 06:00 PM
I agree with HitsSec that the primary threats will be the webmail and web browsing. So these can continue to be mitigated via the standards settings you deploy on the Palo Alto.
And April is not really any different than today. The real difference starts to build in May the first month without new updates. And the degree of the boost is only as large as the number of NEW vulnerabilities found and patched everywhere but on XP. Then this threat will continue to build as each month passes.
Everyone will have to make their determination of how large that risk is compared to the expense of migration for the affected workstations.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
