End-of-Life (EoL)
Application Whitelist Example
Keep in mind that you do not need to capture every application
that might be in use on your network in your initial inventory.
Instead you should focus here on the applications (and general types
of applications) that you want to allow. Temporary rules in the
best practice rulebase will catch any additional applications that
may be in use on your network so that you are not inundated with
complaints of broken applications during your transition to application-based
policy. The following is an example application whitelist for an
enterprise gateway deployment.
| Application Type | Best Practice for Securing |
|---|---|
| Sanctioned Applications | These are the applications that your IT department administers specifically for business use within your organization, or that provide infrastructure for your network and applications. For example, in an internet gateway deployment these applications fall into the following categories: |
| General Types of Applications | Besides the applications you officially sanction and deploy, you will also want to allow your users to safely use other types of applications: The recommended approach here is to begin with wide application filters so you can gain an understanding of what applications are in use on your network. You can then decide how much risk you are willing to assume and begin to pare down the application whitelist. For example, suppose you find that Box, Dropbox, and Office 365 file-sharing applications are all in use on your network. Each of these applications carries an inherent risk, from data leakage to the transfer of malware-infected files. The best approach is to officially sanction a single file-sharing application and then phase out the others by slowly transitioning from an allow policy to an alert policy (allow, but log and notify) and finally, after giving users ample warning, to a block policy for all file-sharing applications except the one you choose to sanction. In this case, you might also choose to enable a small group of users to continue using an additional file-sharing application as needed to perform job functions with partners. |
| Custom Applications Specific to Your Environment | If you have proprietary applications on your network, or applications that you run on non-standard ports, it is a best practice to create custom applications for them. This way you can allow the application as a sanctioned application and lock it down to its default port (the application-default service). Otherwise you would either have to open additional ports (for applications running on non-standard ports) or allow unknown traffic (for proprietary applications), neither of which is recommended in a best practice Security policy. |
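To make the phased rollout and the custom-application advice concrete, the following added example (not Palo Alto Networks code, and not a PAN-OS API) simulates a first-match, application-based rulebase against a few constructed traffic-log records. It shows how the same sessions fare under the allow, alert and block phases of the file-sharing transition, why a partner exception group needs its own rule above the block rule, and why a custom application locked to its default port (the "application-default" behaviour) stops the same application on an unexpected port and leaves unidentified traffic to the final deny. All application names, ports, users, groups and log lines are hypothetical.

```python
"""Added example: simulate a phased, application-based rulebase against
constructed traffic-log records. App catalog, rules, users and log lines
are hypothetical; this is not PAN-OS code or configuration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical App-ID catalog: app name -> default port(s).
# "corp-erp" stands in for a custom application defined for a
# proprietary app that listens on a non-standard port.
APP_DEFAULT_PORTS: Dict[str, Set[int]] = {
    "dropbox": {443}, "boxnet": {443}, "ms-office365": {443},
    "ssl": {443}, "web-browsing": {80}, "corp-erp": {8443},
}
FILE_SHARING = {"dropbox", "boxnet", "ms-office365"}


@dataclass
class Session:
    app: str
    port: int
    user: str
    groups: Set[str]


@dataclass
class Rule:
    name: str
    apps: Set[str]                        # app names, or {"any"}
    action: str                           # "allow" or "deny"
    groups: Optional[Set[str]] = None     # match only users in one of these groups
    service: str = "application-default"  # or "any"
    log: bool = True                      # alert phase = allow with logging on


def matches(rule: Rule, s: Session) -> bool:
    """Does this session hit the rule? Mirrors first-match policy semantics."""
    if rule.groups is not None and not (rule.groups & s.groups):
        return False
    if "any" not in rule.apps and s.app not in rule.apps:
        return False
    if rule.service == "application-default":
        # Only the app's default port matches; an unknown app has no default
        # port, so it never matches an application-default rule.
        if s.port not in APP_DEFAULT_PORTS.get(s.app, set()):
            return False
    return True


def evaluate(rulebase: List[Rule], s: Session) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule."""
    for r in rulebase:
        if matches(r, s):
            return r.name, r.action
    return "implicit-deny", "deny"


def phase_rulebase(phase: str) -> List[Rule]:
    """Build the rulebase for one rollout phase: allow -> alert -> block."""
    base = [Rule("sanctioned-custom", {"corp-erp"}, "allow"),
            Rule("general-web", {"web-browsing", "ssl"}, "allow")]
    if phase == "allow":
        fs = [Rule("temp-file-sharing", FILE_SHARING, "allow", log=False)]
    elif phase == "alert":
        fs = [Rule("temp-file-sharing-alert", FILE_SHARING, "allow", log=True)]
    elif phase == "block":
        # Sanctioned app and the partner exception must sit above the block rule.
        fs = [Rule("sanctioned-file-sharing", {"ms-office365"}, "allow"),
              Rule("partner-file-sharing", {"boxnet"}, "allow",
                   groups={"partner-exchange"}),
              Rule("block-file-sharing", FILE_SHARING, "deny")]
    else:
        raise ValueError(f"unknown phase {phase!r}")
    return base + fs + [Rule("deny-all", {"any"}, "deny", service="any")]


# Constructed traffic-log lines (hypothetical users, groups and ports).
SAMPLE_LOG = [
    "app=dropbox port=443 user=alice groups=staff",
    "app=ms-office365 port=443 user=bob groups=staff",
    "app=boxnet port=443 user=carol groups=staff,partner-exchange",
    "app=corp-erp port=8443 user=dave groups=staff",
    "app=corp-erp port=9443 user=eve groups=staff",        # wrong port
    "app=unknown-tcp port=9000 user=frank groups=staff",   # unidentified
]


def parse(line: str) -> Session:
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Session(kv["app"], int(kv["port"]), kv["user"],
                   set(kv["groups"].split(",")))


def simulate(phase: str, log: List[str] = SAMPLE_LOG) -> Dict[str, Tuple[str, str]]:
    """Map each user in the log to the (rule, action) they hit in this phase."""
    sessions = [parse(line) for line in log]
    rulebase = phase_rulebase(phase)
    return {s.user: evaluate(rulebase, s) for s in sessions}


if __name__ == "__main__":
    for phase in ("allow", "alert", "block"):
        print(phase, simulate(phase))
```

Running the block prints one line per phase. In the block phase, alice's Dropbox session hits block-file-sharing, bob's Office 365 session hits the sanctioned rule, and carol's Box session is allowed only because she is in the partner-exchange group; in every phase, corp-erp on port 9443 and the unidentified unknown-tcp traffic fall through to the final deny, which is the point of locking custom applications to their default port rather than opening extra ports or allowing unknown traffic.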