Jump to content

Whitelist vs Blacklist approach (HIPS and Firewall) inquiry


Recommended Posts

Basically, what I would like to do is lock down the system as much as possible so that if an attack does occur, I have layers of security for the attacker to break through. In other words, I would like to whitelist individual applications to use system resources instead of blacklisting, which seems to be ESET's default approach.

The firewall is the easiest to work with in that regard. If I were using iptables, my rules might look like:
:INPUT DROP [2:80]
:OUTPUT DROP [8:903]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT

The difference between those iptables chains and what I would want to implement is the OUTPUT whitelist being application specific, rather than user specific.
This would require an attacker migrate to (or exploit) a network allowed process before being able to gain a shell into my system. Therefore, the next step is to lock down process migration. I would like to apply a similar whitelist policy to HIPS rules, allowing only programs that need access to specific resources to have them. If that can be done, even if someone runs a backdoor executable on my system, they won't be able to migrate to a process necessary to carry out the rest of the attack. That covers most defenses. What would be left would be vulnerabilities in ESET, physical attacks, vulnerabilities in allowed applications, phishing, etc.
There is a problem with this approach in that all OS processes would need to be manually whitelisted so as to avoid breaking the OS. However, this does allow restricting things like Cortana from working, which might be desirable.


How would I implement a system like this in ESET's policies for Windows and Linux?
Windows Firewall settings make sense enough. However, the HIPS rules are missing the same up and down arrows that are present on the firewall UI. The same applies to the Linux Firewall Profile Rules as well. Below are screenshots showing the missing buttons.

Also if there is any online documentation that anyone can suggest would be most helpful as well. 


Link to comment
Share on other sites

3 hours ago, tmuster2k said:

However, the HIPS rules are missing the same up and down arrows that are present on the firewall UI.

Eset HIPS rules are not positionally sensitive. All allow rules are executed prior to ask and block rules. Therefore, rule ordering is immaterial. It does however prevent ordering of rules in a user desired order such as grouping related rules together for easy discovery purposes.

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...