What is allowlisting?
In security processes, an allowlist is a list of people and devices that can access the network. If someone can’t prove that they’re on the list, they can’t get in. While the term is used in a variety of settings, the meaning of allowlisting is very similar regardless of the context. As the opposite of a blocklist, an allowlist ensures that only trusted parties can enter a restricted area.
In an IT context, the allowlisting practice allows approved applications, websites, or IP addresses to operate in a system or network. It is a more trust-centric and secure approach than blocklisting.
What is blocklisting?
As we’ve mentioned, blocklisting is the opposite of allowlisting. It grants network access to everyone except those on the list of banned users. On the surface, that sounds like a very similar system, but it has its drawbacks. While allowlisting allows you to control and monitor the list of specific users and devices that have access, keeping everyone else out, blocklisting can only protect you from known threats.
A good example of blocklisting is antivirus and anti-malware software. For example, NordVPN’s Threat Protection helps you identify malware-ridden files you may be downloading, stops you from landing on malicious websites, and blocks trackers and intrusive ads on the spot. In simple terms, it has a blocklist of cyberthreats and stops them before they can do real damage to your device.
Allowlisting vs. blocklisting
Blocklisting and allowlisting are two sides of the same coin. They both protect you from malicious apps, email addresses, IP addresses, and websites. However, they are based on different rules. A blocklist allows everyone except those on the list, and an allowlist blocks everyone except those on the list. Not only does a blocklist need constant updates, but it’s also more likely to let a previously unidentified bad actor slip through its defenses.
Is one better than the other? You shouldn’t discount blocklisting. After all, most antiviruses use it to keep systems safe. But due to the much stricter set of rules, allowlists provide more comprehensive security. Too many new viruses, vulnerabilities, and threats are discovered every day for blocklists to be effective. And let’s not forget about zero-day vulnerabilities, which have not yet come to light but are loved by hackers. Blocklists do not protect you from them, but allowlists might!
Different types of allowlisting
Here are the different types of allowlisting you can use to make your online experience safer and more secure.
By allowlisting email addresses, you’re telling your spam filters that these senders – and only these senders – are legitimate and whatever they send should be accepted. Such rules can be set by the user or the system administrator, or they can be outsourced to an external allowlist service provider.
Why allowlist emails? If you spend a lot of time using email, it can significantly boost your productivity. No one likes scrolling through a spam folder looking for an important contract they might’ve missed. It can also help you prevent phishing attacks. Getting tricked is easy, so not giving hackers a chance to reach your inbox may help you stay safe. However, one drawback of email allowlisting is that it will make it impossible for new contacts to reach you unless they’re added to the list.
Application allowlisting is a must in high-security environments. By putting applications or executable files on an allowlist, you instruct your device only to run these apps and to consider any other as malicious.
What threats does allowlisting fight? First, application allowlisting prevents hackers from executing malware, such as keyloggers or ransomware, on your device. Of course, it’s not a foolproof security solution, either. Hackers can still exploit apps that are already on your device or get malware through the firewall inside legitimate software.
What you use allowlisting for depends on your system. Some operating systems already have antivirus and firewalls installed, while others may need you to choose the way to allowlist applications. Application allowlisting software analyzes various factors such as file names and sizes, cryptographic hashes, and digital signatures to identify acceptable and unacceptable applications.
You can also allowlist the behavior of the application, tell it what it “should” do, and block activity that isn’t allowed. If your device gets infected and someone tries to take over your software, allowlisting will stop them. It will simply shut down the app. In this case, you couldn’t use blocklisting because it would be almost impossible to list all the things your apps “shouldn’t do.”
Application control is sometimes mistakenly used to describe application allowlisting. Application control is a part of application allowlisting, but its rules are more lenient. It will stop your device from downloading apps that are not on the list, but it won’t stop you from running the app if it was already installed. It also doesn’t check the files’ authenticity. Application allowlisting, on the other hand, monitors your OS and blocks the execution of malicious code and files.
IP allowlisting is great for companies that need security and privacy. Site administrators can set IP allowlisting rules for their company’s servers or web servers so that only particular IPs can access them. For example, you might have a corporate application or a server you want to keep private and only allow your employees to access it — in this case, you would put their IPs on a list. However, their IPs would have to be static for the allowlist to work.
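The difference between the two rules, applied to IP addresses, as an added example that is not part of the original article. The address ranges are constructed documentation addresses, and the function names are illustrative.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 documentation addresses), not from the article.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/28")]
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.66/32",)]

def parse_client(client_ip):
    """Return a normalized address, or None if the input is not a valid IP."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except (ValueError, AttributeError):
        return None
    # An IPv4 client can arrive as ::ffff:a.b.c.d on a dual-stack listener.
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def _in_any(addr, networks):
    return any(addr.version == net.version and addr in net for net in networks)

def allowlist_permits(client_ip):
    """Allowlist rule: deny unless the address is explicitly listed."""
    addr = parse_client(client_ip)
    return addr is not None and _in_any(addr, ALLOWED_NETWORKS)

def blocklist_permits(client_ip):
    """Blocklist rule: permit unless the address is explicitly listed."""
    addr = parse_client(client_ip)
    return addr is not None and not _in_any(addr, BLOCKED_NETWORKS)
```

An address that appears on neither list is let in by the blocklist rule and kept out by the allowlist rule, and malformed input is refused by both.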
Advertising allowlisting is the process of allowing certain ads to reach the user while blocking all others. The most common example of advertising allowlisting is ad blockers. Ad blockers block all ads, but you can place certain websites on an allowlist so the blocker knows to keep showing their ads. This is a great way to support certain websites that you like.
Types of email allowlisting
Email allowlisting takes several forms:
Non-commercial allowlisting takes place when someone just wants to block spam emails. In this system, a sender must meet specific criteria to pass the allowlisting test. For example, their email server should not be an open relay, and they should have a static IP address.
Commercial allowlisting takes place when an internet service provider allows someone to bypass its allowlisting filters and send emails to its users (e.g., spam) for a certain fee. Then such paying entities can be sure that their content will reach the users because they’re buying their place on the allowlist.
How allowlisting works
Application allowlisting is the most common type, so we will briefly explain how it works. You can use third-party software or even the firewall on your system to implement this allowlisting procedure. Whatever app you choose, you must first identify all the applications you’ll need and create the allowlist.
Alternatively, the allowlist can be built from a reference operating system that is free of malware and unwanted software and then used as a model for other systems. This method is convenient if a system doesn’t require much customization and uses the same set of applications.
As your application allowlisting software runs, it analyzes every app based on a number of factors, then evaluates and prioritizes it to ensure that it’s legitimate and that hackers won’t be able to trick their way past the allowlist. Such software should also analyze the behavior patterns of approved applications to make sure adversaries do not manipulate them. To protect you from cyberthreats, its databases should be up to date and have the latest info on cryptographic hashes, libraries, scripts, and files.
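A minimal sketch of hash-based application allowlisting built from a clean reference system, as described above. This is an added example, not code from the original article or from any allowlisting product; the file names and contents are constructed stand-ins for executables.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):  # chunked for large binaries
            digest.update(chunk)
    return digest.hexdigest()

def build_allowlist(baseline_dir):
    """Map content hash -> relative path for every file on the reference system."""
    allowlist = {}
    for root, _dirs, files in os.walk(baseline_dir):
        for name in files:
            path = os.path.join(root, name)
            allowlist[sha256_file(path)] = os.path.relpath(path, baseline_dir)
    return allowlist

def check_execution(path, allowlist):
    """Default deny: only content whose hash is on the list may run."""
    try:
        digest = sha256_file(path)
    except OSError:
        return ("deny", "unreadable")
    if digest in allowlist:
        return ("allow", allowlist[digest])
    if os.path.basename(path) in {os.path.basename(p) for p in allowlist.values()}:
        return ("deny", "approved name, unapproved content")
    return ("deny", "not on allowlist")

SAMPLES = {  # constructed stand-ins for executables: label -> (folder, name, bytes)
    "approved": ("baseline", "editor.bin", b"approved build 1.0"),
    "renamed_copy": ("downloads", "notes.bin", b"approved build 1.0"),
    "tampered": ("downloads", "editor.bin", b"approved build 1.0 + injected"),
    "unknown": ("downloads", "tool.bin", b"never inventoried"),
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for label, (folder, name, data) in SAMPLES.items():
            os.makedirs(os.path.join(tmp, folder), exist_ok=True)
            paths[label] = os.path.join(tmp, folder, name)
            with open(paths[label], "wb") as fh:
                fh.write(data)
        allowlist = build_allowlist(os.path.join(tmp, "baseline"))
        return {label: check_execution(p, allowlist) for label, p in paths.items()}
```

Matching on the content hash rather than the file name means a renamed copy of an approved file is still recognized, while a modified file that keeps an approved name is refused.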
However, allowlisting shouldn’t replace your other cybersecurity measures, and you shouldn’t ditch your antivirus software. They can all work in unison – blocklisting for your whole network and allowlisting at the application level.
Why do we need allowlisting?
Here are a few of the most common reasons for using allowlisting:
- Allowlisting is highly recommended for large corporations and SMEs, especially ones that need high security standards or have employees who connect to their network with personal devices.
- Allowlisting can protect your device from malware by stopping phishing emails and malvertising from reaching you.
- It can also protect a public device from the installation of insecure software. For example, if a person tries to install malware on a public computer, allowlisting software can block the installation process.
- Allowlisting can help you narrow down the IP and email addresses that can reach you or your website.
Allowlisting best practices
Allowlisting sounds simple on the surface, but if you allow too much, you’ll open up your system security to vulnerabilities. You also can’t be too strict, because allowing too little will prevent your system from working effectively, which will again likely weaken your security. Here are the allowlisting practices you should always follow:
- Understand your environment. Before implementing application allowlisting, create a comprehensive inventory of what applications are in use in your environment, who uses them, and what they are used for. This includes business applications, system utilities, drivers, and libraries. This knowledge will help you create a more effective and manageable allowlist.
- Establish a baseline. If you know how your system works on a normal day, you can spot abnormalities more easily. So establish a baseline of normal activities within your organization. While not every deviation will be a real threat, it’ll help you keep the system running smoothly.
- Log application executions. Allowlisting software can help you log all applications running on your system. Check this list regularly to ensure nothing is missing from your initial inventory.
- Design specific rules, but plan for exceptions. The more specific rules you create, the less chance you have of malicious software sneaking through. But make sure to also have a clear plan on how to handle exceptions.
How to start allowlisting
How do you create an application allowlist? Depending on the size of your company, you may start with an email or website allowlist or use it on a much larger scale. But you should start this process each time by monitoring and evaluating your current situation. For example, you can log who sends you emails and try to decide whether they can keep doing so.
However, large corporations are advised to turn to more comprehensive allowlist technologies. Such software can create lists by scanning your network and finding applications you currently use. It also allows you to add websites, apps, or IPs to your list whenever you decide to. Some will also help you to check for the latest updates and will help you track incident responses.