CISSP® Official Study Guide, Eighth Edition, Chapter 17, "Preventing and Responding to Incidents": Implementing Detective and Preventive Measures
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Whitelisting and Blacklisting
Whitelisting and blacklisting applications can be an effective preventive measure that 
blocks users from running unauthorized applications. They can also help prevent malware 
infections. Whitelisting identifies a list of applications authorized to run on a system, and 
blacklisting identifies a list of applications that are not authorized to run on a system.
A whitelist would not include malware applications and would block them from running. 
Some whitelists identify applications using a hashing algorithm to create a hash. 
However, if an application is infected with a virus, the virus effectively changes the 
hash, so this type of whitelist blocks infected applications from running too. (Chapter 6, 
“Cryptography and Symmetric Key Algorithms,” covers hashing algorithms in more depth.) 
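The hash-based whitelist described above, as an added example that is not from the study guide: an allow-list holds the SHA-256 digest of each approved executable, a file runs only if its digest is on the list (default deny), and any change to the file's bytes, such as a virus attaching itself, produces a different digest and so fails the check. The sample file contents and the "infection" are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_allowed(path, allowlist):
    """Whitelist decision: run only when the file's digest is on the list (anything else is denied)."""
    return sha256_of_file(path) in allowlist


def demo():
    """Constructed scenario: approve a binary, then tamper with it and re-check.

    Returns (allowed_before, allowed_after_tamper, allowed_unlisted).
    """
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "approved_app.bin"
        exe.write_bytes(b"MZ constructed approved application image v1.0")

        # The allow-list is built from the reviewed, known-good copy.
        allowlist = {sha256_of_file(exe)}
        before = is_allowed(exe, allowlist)  # digest matches -> allowed

        # Simulate a file infector appending code: the bytes change, so the digest changes.
        exe.write_bytes(exe.read_bytes() + b"\x90\x90 constructed appended-code marker")
        after = is_allowed(exe, allowlist)  # digest no longer on the list -> blocked

        # A file nobody reviewed is blocked too; a whitelist denies by default.
        unknown = Path(d) / "unknown.bin"
        unknown.write_bytes(b"constructed, never-reviewed program")
        unlisted = is_allowed(unknown, allowlist)

    return before, after, unlisted


if __name__ == "__main__":
    print(demo())
```

The same mechanism is why hash-based whitelists need updating whenever an approved application is patched: a legitimate update changes the digest just as an infection does, so the new digest must be added to the list before the updated program will run.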
The Apple iOS running on iPhones and iPads is an example of an extreme version of 
whitelisting. Users are only able to install apps available from Apple’s App Store. Personnel 
at Apple review and approve all apps on the App Store and quickly remove misbehaving 
apps. Although it is possible for users to bypass security and jailbreak their iOS device, 
most users don’t do so partly because it voids the warranty. 
Jailbreaking removes restrictions on iOS devices and permits root-level 
access to the underlying operating system. It is similar to rooting a device 
running the Android operating system.
Blacklisting is a good option if administrators know which applications they want to 
block. For example, if management wants to ensure that users are not running games on 
their system, administrators can enable tools to block these games.
Firewalls 
Firewalls provide protection to a network by filtering traffic. As discussed in Chapter 11, 
firewalls have gone through a lot of changes over the years. 
Basic firewalls filter traffic based on IP addresses, ports, and some protocols using protocol 
numbers. Firewalls include rules within an ACL to allow specific traffic and end with an 
implicit deny rule. The implicit deny rule blocks all traffic not allowed by a previous rule. 
For example, a firewall can allow HTTP and HTTPS traffic by allowing traffic using TCP 
ports 80 and 443, respectively. (Chapter 11 covers logical ports in more depth.) 
ICMP uses a protocol number of 1, so a firewall can allow ping traffic by allowing traffic 
with a protocol number of 1. Similarly, a firewall can allow IPsec Encapsulating Security 
Protocol (ESP) traffic and IPsec Authentication Header (AH) traffic by allowing protocol 
numbers 50 and 51, respectively. 
The Internet Assigned Numbers Authority (IANA) maintains a list of well-
known ports matched to protocols. IANA also maintains lists of assigned 
protocol numbers for IPv4 and IPv6.
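A basic packet-filtering ACL of the kind described above, as an added example that is not from the study guide: rules match on destination address, protocol number and destination port, are evaluated first-match, and a packet that matches no rule falls through to the implicit deny. The protocol numbers (ICMP 1, TCP 6, UDP 17, ESP 50, AH 51) are the IANA assignments; the addresses (from the 203.0.113.0/24 documentation range) and the rule set are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IANA-assigned protocol numbers (the page names 1, 50 and 51; 6 and 17 are TCP and UDP).
ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dport: Optional[int] = None  # only meaningful for TCP and UDP


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    protocol: Optional[int] = None   # None matches any protocol number
    dst_net: str = "0.0.0.0/0"       # destination network to match
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl, pkt: Packet) -> str:
    """First-match evaluation. Reaching the end of the list is the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit deny: no earlier rule allowed this traffic


# Constructed ACL protecting a web server that also terminates IPsec at 203.0.113.10.
ACL = [
    Rule("allow", TCP, "203.0.113.10/32", 80),    # HTTP
    Rule("allow", TCP, "203.0.113.10/32", 443),   # HTTPS
    Rule("allow", ICMP, "203.0.113.0/24"),        # ping to the whole subnet
    Rule("allow", ESP, "203.0.113.10/32"),        # IPsec ESP, protocol 50
    Rule("allow", AH, "203.0.113.10/32"),         # IPsec AH, protocol 51
]


def decide(dst: str, protocol: int, dport: Optional[int] = None, src: str = "198.51.100.5") -> str:
    """Convenience wrapper: evaluate one constructed packet against ACL."""
    return evaluate(ACL, Packet(src, dst, protocol, dport))


if __name__ == "__main__":
    for args in [("203.0.113.10", TCP, 443), ("203.0.113.10", TCP, 22),
                 ("203.0.113.20", ICMP), ("203.0.113.10", UDP, 53), ("203.0.113.10", ESP)]:
        print(args, "->", decide(*args))
```

Note that SSH to port 22 and DNS over UDP are never named in a rule, yet they are blocked: that is the implicit deny doing its work, which is why a basic filter is usually written as a short list of what is permitted rather than a long list of what is forbidden.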
Second-generation firewalls add additional filtering capabilities. For example, an 
application-level gateway firewall filters traffic based on specific application requirements 
and circuit-level gateway firewalls filter traffic based on the communications circuit. Third-
generation firewalls (also called stateful inspection firewalls and dynamic packet filtering 
firewalls) filter traffic based on its state within a stream of traffic. 
A next-generation firewall functions as a unified threat management (UTM) device and 
combines several filtering capabilities. It includes traditional functions of a firewall such 
as packet filtering and stateful inspection. However, it is able to perform packet inspection 
techniques, allowing it to identify and block malicious traffic. It can filter malware using 
definition files and/or whitelists and blacklists. It also includes intrusion detection and/or 
intrusion prevention capabilities.