Whitelisting vs. Blacklisting: The Ultimate Manual

These days there are significant challenges to network security. In an effort to reduce security breaches, some teams turn to solutions that rely on the double-barreled approach of whitelisting and blacklisting.

This approach helps to determine which apps, IP addresses, and utilities outside the organization should receive access to the system and which should remain blocked.

What Are Whitelisting and Blacklisting Anyway?

Before choosing to deploy these security techniques to secure your business network, it’s worthwhile to explore each technique and which types of networks work best with them.

What Is Whitelisting?

Whitelisting involves creating a list of trusted applications or websites that have permission to operate and function within the network. The default with whitelisting is to block access to all other applications or to assume all applications outside the list represent a threat. Those off-the-list apps have to earn your trust to be able to access the network.

Some network administrators prefer whitelisting because it represents a high level of default security. It also can be very easy and straightforward to simply allow a limited number of trusted applications to have access and block all others.

Disadvantages of whitelisting include:

• Requires more hands-on human decision-making and time than the automating of blacklisting functions.
• Some essential applications may not be part of the whitelist, leaving employees unable to do their work.
• Whitelisting rules that are too broad could allow malicious applications to gain access anyway.

What Is Blacklisting?

Blacklisting is the opposite of whitelisting–instead of allowing only a few apps access to the network and blocking all others by default, blacklisting welcomes all apps by default and only blocks a selected list. You can create your own list of blacklisted applications, or you can rely on a list that a third-party entity creates, which is what occurs with antivirus software.

Through blacklisting, your network has a list of all applications, executable files, IP addresses, and websites known to pose a risk. It then simply blocks those items from gaining access. Blacklisting is popular because of the simplicity with which you can deploy it.

Some disadvantages of blacklisting include:

• When the list of blacklisted items is not up to date, newer malicious applications may gain access to the network.
• It’s impossible to fully trust blacklisting because some malware packages could perform the attack before they go onto the list (called zero-day threats).
• Blacklisting does little to protect networks and companies who suffer targeted attacks attempting to steal data.
• Some hackers may learn about the automated steps a software package uses in blacklisting and then specifically may design malware that works around these steps.

What Is Graylisting?

When creating IT security policies involving whitelisting versus blacklisting, you may rely on one or the other alone. Or you may prefer to use a combination of the two, often called graylisting.

Through graylisting, you would whitelist some items, giving them access to the network, and blacklist some items, blocking them from gaining access to the network. You also can create your own graylist, which are items that need further study before whitelisting or blacklisting them.

You can automate some graylisting processes. For example, when the network receives an email message that looks like spam, it may place the message in a graylist holding area.

You then could manually check every email in the holding area. Or, through automation, you could instruct your spam filter to wait to see if the sender attempts to resend the message within a certain time, such as 48 or 72 hours. If so, the system may assume the sender is legitimate and place this email address on a whitelist. (Spammers rarely resend the same message if the recipient ignores the first message.)

How Whitelisting and Blacklisting Work

Because entities and applications have to prove themselves trustworthy for whitelisting, some network administrators prefer it. Whitelisting arguably keeps the network safer, because fewer applications gain access to it.

When network administrators want to allow employees to work more efficiently, they may prefer blacklisting. Because blacklisting assumes all applications are trustworthy, no application becomes blocked inadvertently.

When It’s Best to Use Whitelisting

If you want to make your network completely private with no unintended vendors or other people gaining access to it, whitelisting often is the better choice. With a private network, you have a better handle on exactly which entities and applications need access.

Additionally, a private network probably will have a smaller number of applications and IP addresses that need access, which simplifies the process of deploying whitelisting.

When determining which entities may function under whitelisting, certain file names or vendors may receive trusted status. You also may rely on the digital certificate of a website to ensure it meets the criteria for whitelisting status.

You can create your own whitelist of allowed applications, or you can rely on third parties to create the whitelist for you. These third parties often create whitelists based on the reputation of certain entities, rather than personalizing the list to your organization’s specific needs.

When It’s Best to Use Blacklisting

Larger networks tend to need to rely on blacklisting because blacklisting can run on an automated basis with very little intervention from those running the network. The blacklisting tools will monitor the network, looking for items on the blacklist that they can remove or block.

You can set up the blacklisting process to engage the block before the network makes contact with certain IP addresses or with certain entities. This provides a greater level of safety, as employees cannot carelessly give permission to access the network to a dangerous application for a brief time before the network engages the block.

Blacklisting can work with malware, executables, email addresses, IP addresses, or entire domains. Blacklisting allows the network to block any offenders, including removing the trust the network had in a previous IP address or executable file.

If you do not want to run the risk of blocking an important website or piece of software from your employees, blacklisting is the better choice. Employees always will have access to the applications they need, unless those applications receive a blacklisting. With whitelisting, you would need to give trust to every application that employees use, which could be almost impossibly time-consuming in a large group.

Example 1: Using Whitelisting to Allow Certain IP Addresses

Whitelisting is a useful tool when deciding to allow network access to specific IP addresses. Once you know that a certain IP address is safe, just add it to the whitelist, and the network will continue to allow users to send and receive data from it.

IP whitelisting tends to work better with smaller networks that don’t send and receive a lot of data. Larger networks that generate significant amounts of web traffic may interact with so many IP addresses every day that attempting to whitelist all of them is not practical.

Another potential problem with IP whitelisting occurs when sites use a dynamic IP address, which means the IP address will change. Because of these changes, the whitelisting process will not work. IP whitelisting only works for static IP addresses, which do not change.

When employees are making a connection with the network from remote devices, it is likely they will be using dynamic IP addresses, for example.

You may work around this problem by having remote employees connect to a VPN server, which then connects to the network. The VPN server can have a static IP address, which allows the network to make use of IP whitelisting. The remote employees will have a safe and secure connection through the VPN server.

Example 2: Using Blacklisting with Antivirus Software

Antivirus software monitors incoming traffic to the network, as well as monitoring the network itself, scanning for unsafe files. When antivirus software is running, it uses blacklisting techniques to attempt to catch unsafe applications and software before they reach the network.

For the majority of antivirus software packages, the software manufacturer creates a list of known threats to networks. It then places those threats in a blacklist that the antivirus software uses. The antivirus software compares all potential items entering the network to the blacklist. If an item is on the blacklist, the antivirus software removes or blocks it from gaining network access.

Antivirus software packages must continually receive updates to their blacklists. The manufacturer must add new threats as it discovers them to give the network the greatest level of protection.

However, a lag will always exist from the time the antivirus manufacturer discovers a new item that needs blacklisting to the time the antivirus software begins eliminating or blocking it. Unfortunately, if your network suffers an attack from a new malware item before it goes onto the blacklist, your antivirus software using blacklisting will not have the protection for the network.

How to Get Started With Whitelisting vs. Blacklisting

In our example, we’ll focus on the five recommended steps for developing a thorough whitelisting process solution.

Step 1: Initiating the Whitelisting Solution

You and your security team should start the whitelisting process by identifying the needs and desires for the performance of the solution. The team should determine the requirements needed for the whitelisting solution and then develop the policies that lead to that solution.

As part of the initial process, you should consider what kind of threats your organization faces the majority of the time and create policies that handle those types of threats. If you are adding technology and software to the network to handle the whitelisting solution, you should identify some of the best packages during this phase.

You also should determine whether your goal involves maximizing security, maximizing the usability of the network, or deploying a mixture of the two.

When considering what type of whitelisting policies to develop, you should take into consideration any whitelisting requirements your organization’s clients have for you.

Step 2: Designing the Whitelisting Solution

The design phase involves determining how you and your team will manage the whitelisting solution. Any security policies or management solutions needed for whitelisting should be part of the design phase.

Some of the items that will be part of the design phase include:

• Architecture of the solution: You need to consider the software and hardware solutions required to deploy the whitelisting solution and to manage it at a centralized location.
• Management of the whitelist: You need to figure out how to create the initial list of whitelisted entities, as well as how to manage the list and to make adjustments in the future.
• Policy for security measures: Depending on the needs of clients, you may need to select a cryptographic module that contains NIST-recommended algorithms.

As a final aspect of the design phase, teams should give themselves a means of updating the security measures in the future as newer and more secure algorithms become available.

Step 3: Testing the Whitelisting Solution

Once the design is in place, you and your team should create a prototype of the solution. You then can run the prototype through the testing phase, looking for weak spots as well as spots that are especially fortified. Through testing, you can measure the security performance of the solution, as well as its usability.

Testing should check the basic functionality of the whitelisting solution, including the ability of the applications on the whitelist to operate properly. You and your team should test how easy it is to make administrative changes to the system and to perform other common tasks as well.

It is important to create a thorough testing environment for the whitelisting solution. Without proper testing before deployment, significant flaws or errors could end up being in the solution, leading to disastrous results on the network upon deployment.

Step 4: Deploying the Whitelisting Solution

After fixing any weak spots and enhancing the performance of the whitelisting solution, you and your team are ready to deploy it. You should gradually deploy the solution throughout the network. Should any error occur during this deployment, it will be easier to find the part of the solution that caused the error through a gradual deployment.

You even may choose to gradually roll out the whitelisting solution over a series of days and weeks. For a complex solution, it can be helpful to elongate the deployment, giving you and your team time to train everyone on using one step of the system before advancing to the next step in the deployment.

Step 5: Managing the Whitelisting Solution

Once you are running the whitelisting solution, management will be ongoing. You and your team will have to manage any issues that arise and make adjustments. Should employees find it difficult to use applications they need to do their work, you will have to make adjustments to the allowed applications on the whitelist, for example.

You will need to manage and update security policies and software solutions related to the whitelist. You also will need to adjust the whitelisting solution as new applications, cryptography requirements, and software solutions become available.

What about Blacklisting?

The great thing about the above process is that it’s basically identical for blacklisting. You’ll follow the same five steps of initiating, designing, testing, deploying, and managing your blacklisting solution. The only difference will be that for blacklisting, you’ll consider which entities are blocked rather than which ones are let through.