IP Blacklist versus IP Whitelist on a Firewall?

While configuring a firewall for security we have the choice between two policies

- configure the Firewall to allow all traffic, and block traffic only for known bad IP addresses

- configure the Firewall to stop all traffic, and allow traffic to only known good IP addresses

The second option where the Firewall is configured to only allow traffic to known good hosts is inherently a safer option. There is a greater likelihood that our IP whitelist contains only good hosts as compared with our IP blacklist contains all bad hosts.

The problem with adopting a whitelist approach is that we are unable to access the resources of the Internet. For example if we do a web search, we will not be able to access most of the search results because our IP whitelist will not have the IP addresses of the search results.

One possible solution is to divide our internal network into two segments. This approach can be implement on an individual machine also as we will show later. One segment is for the computers that we use to do our important work. The other segment is for computers that we use to do general browsing.

The two segments are isolated from each other so that data from the work segment cannot be accessed by computers on the browse segment. This means that even if a computer on the browse segment is compromised, it cannot access and leak valuable work data.

Once we are sure that a site is genuine and needs to be regularly accessed by work computers, we can whitelist the site and allow it access from the work computers.

On an individual computer we can implement this approach using virtual machines. We install a firewall and a virtual machine on the computer. The virtual machine is used for general Internet browsing while the host machine is used for sensitive work. Instead of using the host machine for work we can also use a second, separate virtual machine for work purposes.

We use the whitelist approach for the work machine and the blacklist approach for the browsing machine running on the computer just as before.