Varying level of whitelisting
There should be two levels of whitelisting. One should be category whitelist and the other should be security. Today if you whitelist an item, it will bypass security and category settings. If a page our company needs, say espn.com is blocked under games, whitelisting it today will allow anything that may compromise it in the future to get through b/c it is no longer being blocked by security settings. If there were two categories, we could unblock from all categories, but still prevent malicious activity if it becomes compromised in the future. If we are willing to take on that risk, then we could put it on the security whitelist.
-
Have you ever worked with a product that uses whitelisting for management that includes this two tiered approach? I certainly never have seen one.
The entire concept behind whitelisting is to deliberately tell the whatever (whatever it is) to not block or otherwise filter or analyze something (often programs, websites, or in this case, domains). In systems that filter or check several things it's possible that a whitelist might apply to one of them, but not another. However, OpenDNS only does one thing, filter domains based upon category or blacklist. The inherent assumption with whitelisting is that whoever is responsible for maintaining systems knows that the whitelist automatically bypasses at least some filtering, therefore they need to be very certain that it is not a likely vector for undesired behavior. It's also assumed that the whitelist will periodically be reviewed for being still valid.
Considering that the entire OpenDNS filtering system is built upon categories and blacklisting domains, with whitelisting used to make exceptions for blocked categories, how would it detect, let alone prevent, malicious activity? The only data that OpenDNS receives from your network is a DNS lookup request, it doesn't know anything about websites, webpages, content, images, activity, or anything else that is not strictly and solely a domain name. I don't see how you can have some additional level of monitoring given such a structure. If you have concrete ideas of how such a thing can be accomplished please share them.
-
I want the ability to whitelist a site, regardless of future category, unless it's blocked for security concerns. A concrete idea how to complete this would be a nested if statement. If Blocked then (if category then unblock else block). There are already different behaviors that happen based on if the site is blocked under a security concern or a category concern. I don't ever want to whitelist something and security issues be bypassed, only categories.
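The nested-if policy proposed above, written out as a small resolver decision function. This is an added example, not code from OpenDNS or from the poster; the domain records, the category names and the allowlist entries are constructed for illustration. A "category allowlist" entry bypasses only category blocks, while a "security allowlist" entry bypasses everything (the single-tier behaviour the thread describes as today's). Allowlist entries also cover their subdomains, and a domain inherits the record of its closest categorised parent.

```python
"""Two-tier allowlist for a category/security DNS filter (constructed example)."""
from dataclasses import dataclass, field

# Constructed sample categorisation data. A real resolver would consult its own
# category and threat feeds instead of a hard-coded table.
DOMAIN_INFO = {
    "espn.example":        {"categories": {"games", "sports"}, "security": set()},
    "compromised.example": {"categories": {"games"},           "security": {"phishing"}},
    "news.example":        {"categories": {"news"},            "security": set()},
}


@dataclass
class Policy:
    blocked_categories: set
    # Tier 1: bypasses category blocks only; security blocks still apply.
    category_allowlist: set = field(default_factory=set)
    # Tier 2: bypasses both category and security blocks (the risk the admin accepts).
    security_allowlist: set = field(default_factory=set)


def matches(domain, entries):
    """True if domain equals an allowlist entry or is a subdomain of one."""
    return any(domain == e or domain.endswith("." + e) for e in entries)


def lookup(domain, info=DOMAIN_INFO):
    """Return the record of the longest matching suffix of domain, or an empty record."""
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in info:
            return info[candidate]
    return {"categories": set(), "security": set()}


def decide(domain, policy, info=DOMAIN_INFO):
    """Return ("allow" | "block", reason) for a lookup of domain under policy."""
    record = lookup(domain, info)
    security_hits = record["security"]
    category_hits = record["categories"] & policy.blocked_categories

    # Security findings are checked first so a category allowlist entry can never
    # silence them; only an explicit security allowlist entry does that.
    if security_hits:
        if matches(domain, policy.security_allowlist):
            return "allow", f"security allowlist overrides {sorted(security_hits)}"
        return "block", f"security: {sorted(security_hits)}"

    # Category blocks are bypassed by either tier of allowlist.
    if category_hits:
        if matches(domain, policy.category_allowlist | policy.security_allowlist):
            return "allow", f"category allowlist overrides {sorted(category_hits)}"
        return "block", f"category: {sorted(category_hits)}"

    return "allow", "no block rule matched"


if __name__ == "__main__":
    policy = Policy({"games"}, category_allowlist={"espn.example", "compromised.example"})
    for name in ("espn.example", "www.espn.example", "compromised.example", "news.example"):
        print(name, decide(name, policy))
```

With `games` blocked and both sites on the category allowlist, `espn.example` (and its subdomains) resolve while `compromised.example` stays blocked because its phishing flag sits in the security tier. Moving it to `security_allowlist` is the explicit acceptance of risk the post describes.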
-
There are exactly four security areas in OpenDNS' home versions:
- Conficker Virus infection
- IE Zero Day Exploit
- Phishing protection (mainly based on PhishTank.com)
- Rebind attacks
Let's take a domain example.com. Would this ever be used by Conficker? No! Conficker uses randomly generated domain names. Would this ever be infected by the IE Zero Day Exploit or Phishing? Hardly! Could it be used for rebind attacks? Yes, but I believe that rebind attack protection already has priority over whitelisting.
So what?
Or are you using Umbrella? Then the situation is different, of course, but only then.