Excellent discussion of whitelisting vs. blacklisting. In theory, it’s clear which approach is more appropriate for a given situation. For example:
Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock. We do it this way not because it’s easier — although it is generally much easier to make a list of people who should be allowed through your office door than a list of people who shouldn’t–but because it’s a security system that can be implemented automatically, without people.
In corporate environments, application control, if done at all, has been done with blacklists, it seems to me, mainly because whitelisting was simply too difficult. In other words, in theory white listing is the right thing to do, but in practice the tools were simply not there.
However, this is changing. Next Generation Firewalls hold the promise of application whitelisting. If the NGFW can identify and classify all of the applications traversing the organization’s network, then you have the visibility to implement application whitelisting.
The advantage of network-based application whitelisting is that you get off the treadmill of needing to identify every new potentially malicious application and adding it to the blacklist.
The objective is that the last firewall policy rule is, “If application is unknown, then block.” At that point you have returned to the Positive Control Model for which firewalls were conceived.