Application Blocking: Whitelists Worse than Blacklists

Occasionally I’ve argued that it would be good if ISPs blocked badly configured computers. By that I meant blacklisting computers that were especially badly configured, having well-known security holes or actively spewing actual malware.

Even that has problems. Already, ISPs are hair-trigger to block anything that looks like it might be doing a port scan, even though it turns out port scans do not correlate with exploits (see later post). Regular traceroutes to your friends’ locations could get you tossed off. Others will block if your outgoing packet rate goes above some arbitrary minimum. So much for your fast-paced game.

White listing of only acceptable applications would be even worse.

Vendors call them by different names, but all use an agent on the client to verify its configuration. If the agent reports software (or in more advanced versions, hardware) that isn’t on a white list, access is denied.
Will ISPs Quarantine You From the lnternet? Microsoft is against ISPs doing anything that would restrict customers’ right to run insecure software. By Andy Dornan 1 Jan 2006, 12:00 AM ET

I’d like to believe that won’t happen, but given the way some ISPs already run turnkey software that springs bogus traps such as I already mentioned,  I can’t say it won’t.

Andy Dornan spells out some problems with such a white list approach:

Access control agents have two big practical problems on a private network, both of which are more serious on the wider Internet: Not all clients can run the agents, and new programs not yet certified malware-free won’t be on the white list. Worse, ISPs might base their lists on commercial considerations. So while custom enterprise applications are locked out, Sony’s rootkit gets through.

Dornan points out that the one strong voice against such application whitelisting is Microsoft. He claims he’s not cynical enough to believe that Microsoft is taking that stand because it’s obvious to everyone that IE and Outlook would be the first applications banned. Maybe Microsoft has other motives, such as wanting to promote its locally installed software with updates over the Internet.

Whatever its motives, it’s good to see Microsoft on the open side for once.


PS: Thanks to Johnny for the pointer.