Varying level of whitelisting

Comments

4 comments

  • Avatar
    sloank

    I want the ability to whitelist a site, regardless of future category, unless it's blocked for security concerns. A concrete idea how to complete this would be a nested if statement. If Blocked then (if category then unblock else block).  There are already different behaviors that happen based on if the site is blocked under a security concern or a category concern. I don't ever want to whitelist something and security issues be bypassed, only categories.

    1
    Comment actions Permalink
  • Avatar
    sloank

    Thanks rotblitz. We are using umbrella in a corporate environment.

    1
    Comment actions Permalink
  • Avatar
    mattwilson9090

    Have you ever worked with a product that uses whitelisting for management that includes this two tiered approach? I certainly never have seen one.

    The entire concept behind whitelisting is to deliberately tell the whatever (whatever it is) to not block or otherwise filter or analyze something (often programs, websites, or in this case, domains). In systems that filter or check several things it's possible that a whitelist might apply to one of them, but not another. However, OpenDNS only does one thing, filter domains based upon category or blacklist. The inherent assumption with whitelisting is that whoever is responsible for maintaining systems knows that the whitelist automatically bypasses at least some filtering, therefore they need to be very certain that it is not a likely vector for undesired behavior. It's also assumed that the whitelist will periodically reviewed for being still valid.

    Considering that the entire OpenDNS filtering system is built upon categories and blacklisting domains, with whitelisting used to make exceptions for blocked categories, how would it detect, let lone prevent, malicious activity? The only data that OpenDNS receives from your network is a DNS lookup request, it doesn't know anything about websites, webpages, content, images, activity, or anything else that is not strictly and solely a domain name. I don't see how you can have some additional level of monitoring given such a structure. If you have concrete ideas of how such a thing can be accomplished please share them.

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    There are exactly four security areas in OpenDNS' home versions:

    1. Conficker Virus infection
    2. IE Zero Day Exploit
    3. Phishing protection (mainly based on PhishTank.com)
    4. Rebind attacks

    Let's take a domain example.com.  Would this be ever used by Conficker?  No!  Conficker uses random generated domain names.  Would this be ever infected by the IE Zero Day Exploint or Phishing?  Hardly!  Could it be used for rebind attacks?  Yes, but I believe that rebind attacks protection already has priority over whitelisting.

    So what?

    Or are you using Umbrella?  Then the situation is different, of course, but only then.

    0
    Comment actions Permalink

Please sign in to leave a comment.