What is whitelisting?

Anton P. | March 12, 2021

Whitelisting is a trust-centric practice in cybersecurity. It usually refers to the creation of exceptions to a specific rule. Let’s say you block all ads with an ad blocker or similar software. Whitelisting means you specify which entities retain the right to display ads. Thus, whitelisting means defining which services get exclusive privileges while rejecting those outside the approved scope. We see this practice throughout the digital landscape: from websites and email services to VPNs.

Definition of whitelisting, its benefits and limitations

Whitelisting relies on lists containing trusted applications, IP addresses, or other resources. You essentially create an inner circle of items that devices or services treat as reliable regardless of baseline policies. In the real world, this cybersecurity practice mirrors VIP lists. Imagine going to an exclusive party. Vigilant guards check every person’s identity against a list of invited guests. If your name is on it, the guard will immediately let you enter. If guards do not find your name, they will deny you access to the VIP area. Whitelisting works the same way. If a specific process, person, or application is not among the pre-selected items, it is turned away.

In practice, whitelisting means that administrators create and maintain lists of approved items. However, it is not a universal option. Individual users or companies need to evaluate whether a trust-centric environment is the way to go.

  • On the one hand, whitelisting is incredibly useful in fixed situations when you clearly know which resources are trustworthy. For instance, email filtering could rely on whitelisting. In this case, you will receive email messages only from the entities you have listed as reliable. While such an approach is very likely to halt various phishing attacks, it has severe limitations. You won’t receive correspondence from any other entities unless you continuously update the whitelist. Additionally, perpetrators could spoof email addresses. Unless both parties have configured their email properly, such whitelisting would be useless.
  • Whitelisting also cannot prevent all types of attacks on its own. For instance, administrators could rely on approved IP addresses for verifying and granting access. However, IP address spoofing can be the downfall of such a system. Attackers could hide behind trusted IP addresses and trick systems into giving them access. To be fair, this threat is just as relevant to blacklisting. In the latter, perpetrators will spoof IP addresses to conceal those that the system blocks automatically.

Whitelisting vs. blacklisting: what is the difference?

If whitelisting is trust-centric, blacklisting is the opposite. It is threat-centric, meaning that you make a list of potential threats instead of defining reliable entities. An example of blacklisting would be the modification of the hosts file. If you use it to prevent specific websites, typically ones that are potentially dangerous, from loading, you perform blacklisting.

An example of whitelisting would be adding exceptions within your firewall, which is responsible for automatically blocking suspicious traffic. The firewall prevents programs from communicating with the web, which, in some cases, will thwart malicious attempts. However, it could also disrupt the functionality of applications that contact the web for updates or other information. In that case, you can decide to whitelist specific programs, giving them the right to bypass the firewall. Of course, you should whitelist only items that you completely trust to initiate legitimate communications.

Thus, blacklisting means that a system treats all traffic or resources as reliable except those listed as dangerous. Whitelisting creates an opposite environment that does not trust anything apart from specified entities.

Examples of whitelisting

Application

Application whitelisting means that IT administrators in corporate environments specify which software applications or executables can run. It can protect computers from malware, keyloggers, ransomware, or other malicious payloads by halting their execution.

Companies might also integrate this approach in the devices supplied to their employees. Applications specified in whitelists will be the only tools available for use. Thus, employees won’t have the option of installing programs that are potentially dangerous or unlicensed. There are certain limitations to application whitelisting as well. Presumably, administrators or IT departments will need to update the lists of approved software continuously.

Email

Creating lists of trusted senders is also a possibility. However, the primary aim of such whitelisting might be to protect the integrity of emails received from trustworthy sources. You can ensure that correspondence from your colleagues or friends never ends up in the spam folder. Nevertheless, email whitelisting is also capable of fending off phishing and other fraudulent messages when combined with other means of security (such as DKIM and DMARC).

IP addresses

This type of whitelisting is prominent in business environments. Companies can define specific lists of IP addresses that have the right to access corporate servers and resources. Thus, this approach is crucial to granting access to those approved, especially when employees work remotely. However, administrators must ensure that the whitelisted IP addresses are statically assigned to the trusted networks. If not, other malicious parties could potentially get hold of them.
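
The default-deny versus default-allow distinction described above, applied to IP addresses, as an added example that is not part of the original article or any Atlas VPN code. The address lists use documentation-reserved ranges constructed for illustration, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample lists using documentation-reserved ranges (not real hosts).
ALLOWED = ["203.0.113.0/24", "198.51.100.17/32", "2001:db8:10::/48"]
BLOCKED = ["192.0.2.66/32"]


def parse_networks(cidrs):
    # strict=True rejects entries with host bits set, e.g. a typo like 203.0.113.5/24.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def normalise(raw):
    """Return an address object, or None when the input is not a valid IP."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except (ValueError, AttributeError):
        return None
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped IPv6 source matches IPv4 entries.
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def listed(addr, networks):
    return any(addr in net for net in networks)


def whitelist_allows(raw, allowed):
    """Default deny: only listed sources pass; malformed input is rejected."""
    addr = normalise(raw)
    return addr is not None and listed(addr, allowed)


def blacklist_allows(raw, blocked):
    """Default allow: every valid source passes unless it is listed."""
    addr = normalise(raw)
    return addr is not None and not listed(addr, blocked)


def compare(sources):
    """Map each source to (whitelist decision, blacklist decision)."""
    allowed, blocked = parse_networks(ALLOWED), parse_networks(BLOCKED)
    return {s: (whitelist_allows(s, allowed), blacklist_allows(s, blocked))
            for s in sources}


if __name__ == "__main__":
    # Assumption: the address comes from the connection itself, not a client-supplied field.
    for src, verdict in compare(["203.0.113.45", "198.51.100.99", "192.0.2.66",
                                 "::ffff:203.0.113.45", "not-an-ip"]).items():
        print(f"{src:22} whitelist={verdict[0]!s:5} blacklist={verdict[1]}")
```

The unlisted address 198.51.100.99 is where the two models differ: the whitelist rejects it and the blacklist lets it through.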

Web traffic with a VPN

VPN tools can also support whitelisting, more commonly known as split tunneling. In this context, whitelisting means that you decide which web traffic flows through remote VPN servers and which does not. Typically, users should prefer full tunnels as they provide consistent and heavy-duty protection. On the providers’ end, such tunnels are also easier to set up. However, there are cases when you need to make exceptions. For instance, you could use split tunneling to retain access to local networks while protecting other activities simultaneously.

Split tunneling routes specific traffic through the traditional path: your router (if you have one) and your ISP (if it is a remote service). Thus, if traffic reaches ISPs, it might be vulnerable to interception, tracking, and other types of snooping attempts. Whenever possible, we recommend choosing full tunnels instead of splitting them. Atlas VPN does not support split tunneling at the moment. However, it supplies ceaseless protection for all your traffic, ensuring its integrity every step of the way.

Final notes

Whitelisting can be highly useful under particular circumstances. It can form part of the defences against phishing, malicious software, or unauthorized access. We hope you are now more familiar with this concept and can differentiate it from blacklisting.

Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.
