Blacklisting vs. Whitelisting

To protect a device or network from potential threats, you need to control access. This requires a well-defined perimeter and ways to defend that perimeter. It also requires you to decide which entities should be allowed access and which should be blocked.

There are two primary approaches used to manage which entities get access to your system — blacklisting and whitelisting. Both methods have their pros and cons, and not everyone agrees on which is the best approach to use. The right choice depends mostly on your organization’s needs and goals, and, often, the ideal tactic is a combination of both. Let’s look at blacklisting and whitelisting in detail and discuss the differences between the two methods.

What Is Blacklisting?

The blacklisting approach involves defining which entities should be blocked. A blacklist is a list of suspicious or malicious entities that should be denied access or running rights on a network or system.

As an example out in the physical world, a border control authority might maintain a blacklist of known or suspected terrorists. A store owner might have a blacklist of shoplifters. In the world of network security, a blacklist often consists of malicious software such as viruses, spyware, Trojans, worms and other kinds of malware. You could also have a blacklist of users, IP addresses, applications, email addresses, domains, processes or organizations. You can apply blacklisting to virtually any aspect of your network.

You might identify suspicious or malicious entities by their digital signatures, heuristics, behaviors or by other means. To blacklist applications, organizations can create their own blacklists and also use lists created by third parties, such as network security service providers. Blacklisting is the traditional approach to access control and has long been used by anti-virus tools, spam filters, intrusion detection systems and other security software programs.

The blacklist approach is threat-centric, and the default is to allow access. Any entity not on the blacklist is granted access, but anything that’s known or expected to be a threat is blocked.

To sum up:

  • Blacklisting involves blocking access to suspicious or malicious entities.
  • The default is to allow access.
  • Blacklisting is threat-centric.

What Is Whitelisting?

Whitelisting tackles the same challenges as blacklisting but uses the opposite approach. Instead of creating a list of threats, you create a list of permitted entities and block everything else. It’s based on trust, and the default is to deny anything new unless it’s proven to be acceptable. This results in a much stricter approach to access control. It’s analogous to denying everyone access to your office building unless they can pass a background check and have the credentials to prove that they did.

If a firewall only allows particular IP addresses to access a network, for instance, it’s using the whitelisting approach. Another example that most people have dealt with is Apple’s App Store on iOS: the device only runs apps that Apple has reviewed, signed and admitted to the store.
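To make the two defaults concrete, here is an added example (not code from the original post) of a small firewall-style address check in Python that can run in either mode. The ranges and client addresses are constructed for illustration from documentation and private address space; the decisive case is the source that appears on neither list.

```python
import ipaddress
from typing import Iterable


class AccessPolicy:
    """Address-based access check in the two modes discussed above.

    mode="blacklist": listed networks are denied, everything else is allowed.
    mode="whitelist": listed networks are allowed, everything else is denied.
    Constructed example; not taken from any real firewall product.
    """

    def __init__(self, mode: str, networks: Iterable[str]) -> None:
        if mode not in ("blacklist", "whitelist"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        # strict=False tolerates host bits set in a prefix such as 10.1.2.3/8
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]

    def listed(self, ip: str) -> bool:
        """True if the address falls inside any listed network."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def allows(self, ip: str) -> bool:
        """The only place the two approaches differ: what happens to an unlisted address."""
        listed = self.listed(ip)
        return (not listed) if self.mode == "blacklist" else listed


def demo() -> dict:
    """Run the same clients through both policies; returns {name: (blacklist, whitelist)}."""
    blacklist = AccessPolicy("blacklist", ["198.51.100.0/24"])            # known bad range
    whitelist = AccessPolicy("whitelist", ["10.0.0.0/8", "192.0.2.10"])   # approved sources
    clients = {                      # constructed sample clients
        "internal": "10.20.30.40",   # approved internal host
        "partner": "192.0.2.10",     # single approved external host
        "known_bad": "198.51.100.77",  # inside the blacklisted range
        "unknown": "203.0.113.7",    # never seen before: allowed by one, denied by the other
    }
    return {name: (blacklist.allows(ip), whitelist.allows(ip)) for name, ip in clients.items()}


if __name__ == "__main__":
    for name, (bl, wl) in demo().items():
        print(f"{name:10s} blacklist={'allow' if bl else 'deny':5s} whitelist={'allow' if wl else 'deny'}")
```

The point the table of results makes is that an attacker who simply moves to an address nobody has blacklisted yet walks straight through the default-allow policy, while the default-deny policy stops them without anyone having to know about them in advance.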

The simplest technique you can use to whitelist applications is to identify them by their file name, size and directory path. The problem with this technique is that anyone who can write to the file system can drop a malicious binary with the same name, size and path as the whitelisted one, and it will be allowed to run. To close this hole, use the stricter approach recommended by the U.S. National Institute of Standards and Technology (NIST) in SP 800-167, Guide to Application Whitelisting: identify each file by a cryptographic hash of its contents and by the digital signature of its manufacturer or developer, so that only the exact bytes that were approved (or bytes signed by an approved publisher) can execute.
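The following added example (not code from the original post or from NIST) shows why the name-and-size check fails and the hash check does not. It builds an approved file and an impostor with the same name and byte count in a temporary directory; the file names and contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from typing import Dict


def sha256_of(path: str) -> str:
    """Hash a file's contents in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def weak_allowed(path: str, allowlist: Dict[str, dict]) -> bool:
    """Name + size check: anything with the right name and byte count passes."""
    name = os.path.basename(path)
    return name in allowlist and os.path.getsize(path) == allowlist[name]["size"]


def strong_allowed(path: str, allowlist: Dict[str, dict]) -> bool:
    """Hash check: only the exact bytes that were approved pass."""
    name = os.path.basename(path)
    return name in allowlist and sha256_of(path) == allowlist[name]["sha256"]


def demo() -> Dict[str, bool]:
    """Create a genuine file and a same-name, same-size impostor; run both checks on each."""
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "approved", "updater.exe")   # constructed file name
        fake = os.path.join(d, "dropped", "updater.exe")
        os.makedirs(os.path.dirname(real))
        os.makedirs(os.path.dirname(fake))

        real_bytes = b"GENUINE-UPDATER-CODE-0001"                      # constructed content
        fake_bytes = b"MALICIOUS-PAYLOAD".ljust(len(real_bytes), b"!")  # padded to the same size
        with open(real, "wb") as f:
            f.write(real_bytes)
        with open(fake, "wb") as f:
            f.write(fake_bytes)

        # The allowlist is built from the approved file only.
        allowlist = {"updater.exe": {"size": len(real_bytes), "sha256": sha256_of(real)}}

        return {
            "weak_real": weak_allowed(real, allowlist),
            "weak_fake": weak_allowed(fake, allowlist),      # the impostor slips through
            "strong_real": strong_allowed(real, allowlist),
            "strong_fake": strong_allowed(fake, allowlist),  # the impostor is rejected
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:12s} -> {'allowed' if result else 'blocked'}")
```

A publisher-signature check (the other half of the NIST recommendation) extends this by accepting any file whose signature verifies against an approved publisher's certificate, which avoids re-hashing after every legitimate update; the hash check alone is what is shown here.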

To build a network-level whitelist, start from the tasks users need to perform and the tools they need to complete them. Such a whitelist may cover network infrastructure, sites, locations, applications, users, contractors, services and ports, as well as finer details such as application dependencies, software libraries, plugins, extensions and configuration files. At the user level, a whitelist might cover email addresses, files and programs. Either way, the whitelist approach requires you to consider user activity as well as user privileges.

Organizations can create their own whitelists or work with third parties that typically create reputation-based whitelists and give ratings to software and other items based on their age, digital signatures and other factors.

To sum up:

  • Whitelisting involves only allowing access for approved entities.
  • The default is to block access.
  • Whitelisting is trust-centric.

What Is Graylisting?

Another technique that’s related to blacklisting and whitelisting but less frequently discussed is graylisting, also spelled greylisting. As its name suggests, it’s somewhere in between blacklisting and whitelisting. It’s typically used in tandem with at least one of these two main methods.

A graylist is a list where you can put items which you have not yet confirmed as either benign or malicious. Graylisted items are temporarily banned from accessing your system. After an item ends up in a graylist, you scrutinize it further or gather more information to determine whether it should be allowed or not. Ideally, things do not stay in a graylist for long and quickly move to either a blacklist or whitelist.

How you decide what to do with a graylisted item depends on the kind of entity it is. A security tool might, for instance, prompt the user or a network administrator to make a decision.

One example of graylisting in practice is email. When a mail server receives a message from a sender it has not seen before (strictly, a combination of sending host, envelope sender and recipient), it can refuse the delivery with a temporary SMTP failure (a 4xx response) rather than a permanent one. A legitimate sending mail server queues the message and retries automatically after a few minutes; when the retry arrives after the minimum delay and within the allowed window, the message is accepted and the sender is remembered so later messages pass immediately. If no retry arrives, the message is never delivered. The thinking behind this is that most spam is sent by software built for bulk delivery, which typically does not honor temporary failures and never retries, whereas a standards-compliant mail server does, with no action needed from the human sender. The cost is that the first message from each new correspondent is delayed, and senders that retry from a different host each time (large providers with many outbound servers) can be delayed repeatedly.
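Here is an added example (not code from the original post) of the email graylisting logic just described, and of the general graylist life cycle from the previous section (hold, re-check, then move to a permanent decision), written in Python with an injectable clock so the retry timing can be exercised without waiting. The timeouts, addresses and hosts are constructed for illustration; real implementations such as Postfix's policy daemons add persistence and whitelists for known-good senders.

```python
import time
from typing import Callable, Dict, List, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)

TEMP_FAIL = (451, "4.7.1 Greylisted, please retry later")   # temporary: a real MTA will retry
ACCEPT = (250, "OK")


class Greylister:
    """Graylist for SMTP delivery attempts (constructed example, not a real MTA).

    An unknown triplet is deferred on first sight. A retry that arrives after min_delay
    and within retry_window is accepted and the triplet is remembered for keep_for seconds,
    i.e. it moves from the graylist to an automatic whitelist. A triplet that never retries
    simply stays undelivered and its entry expires.
    """

    def __init__(self, min_delay: float = 300, retry_window: float = 4 * 3600,
                 keep_for: float = 36 * 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.keep_for = keep_for
        self.clock = clock
        self.pending: Dict[Triplet, float] = {}  # triplet -> time of first attempt
        self.passed: Dict[Triplet, float] = {}   # triplet -> time last accepted

    def check(self, client_ip: str, sender: str, recipient: str) -> Tuple[int, str]:
        now = self.clock()
        key = (client_ip, sender.lower(), recipient.lower())

        last_ok = self.passed.get(key)
        if last_ok is not None:
            if now - last_ok <= self.keep_for:
                self.passed[key] = now          # refresh the auto-whitelist entry
                return ACCEPT
            del self.passed[key]                # stale: treat as unknown again

        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now             # first sight (or window expired): defer
            return TEMP_FAIL
        if now - first < self.min_delay:
            return TEMP_FAIL                    # retried too fast: keep deferring
        del self.pending[key]                   # proper retry: promote to whitelist
        self.passed[key] = now
        return ACCEPT


def demo() -> List[int]:
    """Legitimate MTA versus fire-and-forget bot; returns the SMTP codes in order."""
    t = [1_700_000_000.0]                       # fake clock, seconds
    gl = Greylister(clock=lambda: t[0])
    legit = ("203.0.113.5", "alice@example.org", "bob@example.net")   # constructed
    bot = ("198.51.100.9", "promo@example.com", "bob@example.net")    # constructed
    codes = []
    codes.append(gl.check(*legit)[0])   # first attempt: deferred
    t[0] += 30
    codes.append(gl.check(*legit)[0])   # retried too soon: still deferred
    t[0] += 600
    codes.append(gl.check(*legit)[0])   # retry after the delay: accepted
    codes.append(gl.check(*legit)[0])   # remembered: accepted immediately
    codes.append(gl.check(*bot)[0])     # bot's only attempt: deferred, never retried
    return codes


if __name__ == "__main__":
    print(demo())
```

Keying on the full triplet rather than the sender address alone is what keeps a spammer from getting a free pass by forging a sender that was previously accepted from a different host.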

Pros and cons: