My organization's security budget is strapped, but we still need to improve our firewall performance. I've read that free blacklists can be used along with firewall data to spot otherwise unnoticed attacks. Is this true? What should organizations look for in a free website blacklist?
Ask the Expert
In short, yes, this is true. If your organization's firewall is behind the times, or if you simply don't have the staff to devote to proper maintenance of the firewall, a temporary workaround is to use your firewall in conjunction with an open source website blacklist.
A good example of this is the OpenBL project. The way this works is that the firewall must keep an up-to-date connection to the open source blacklist infrastructure so that it can periodically download the current list of known-malicious URLs and IP addresses and block them. This amounts to a very cheap way of keeping your firewall updated. What should be stressed here is that this should never be viewed as a permanent substitute for professional firewall maintenance. This technique should be considered a temporary measure or an add-on to an already robust firewall infrastructure.
In terms of what to look for, that's a very difficult question to answer, as there are many ways that this can backfire on your organization. For example, it wouldn't be that hard for an attacker to set up a "free blacklist" website that begins to feed your firewall a long list of valid websites that are frequented by your organization's end users -- effectively turning your own firewall into a mini denial-of-service tool against yourself. Therefore, when choosing a free blacklist website, go by overall reputation. As mentioned above, the OpenBL project has a fairly honest reputation, and you can rest assured that the list of nefarious sites it feeds your firewall infrastructure consists of legitimately bad sites.
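The two points above (pulling a blacklist feed into the firewall, and a poisoned feed turning the firewall against your own users) can be guarded against in the ingestion step itself. The following is an added example written for this answer, not code from OpenBL or any firewall vendor: it parses a constructed feed in the common one-address-per-line text format (a format assumption), refuses entries that cover non-routable space or overlap an organization-specific allowlist (a hypothetical range), refuses a feed that has ballooned since the last good pull, and renders the survivors as ipset `add` lines.

```python
import ipaddress

# Constructed sample feed (not a real OpenBL download): one IP or CIDR per line, '#' starts
# a comment. The "poisoned" lines are the ones a defender must refuse before they hit the firewall.
SAMPLE_FEED = """# constructed sample blacklist feed
192.0.2.10
198.51.100.0/24
203.0.113.7
10.0.0.0/8          # poisoned: would block the whole internal network
127.0.0.1           # poisoned: loopback
203.0.113.99        # poisoned: overlaps a partner range we must keep reachable
not-an-address
"""
# Hypothetical allowlist: ranges the organization must never block (own sites, partners, SaaS).
ALLOWLIST = [ipaddress.ip_network("203.0.113.96/28")]
# Ranges a public blacklist has no business telling a perimeter firewall to drop.
NON_ROUTABLE = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "::1/128", "fc00::/7")]

def parse_feed(text, allowlist=ALLOWLIST):
    """Return (accepted networks, rejected (line, reason) pairs) for a downloaded feed."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)   # bare IPs become /32 or /128
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if any(net.overlaps(n) for n in NON_ROUTABLE):   # overlaps() is False across IP versions
            rejected.append((line, "non-routable"))
        elif any(net.overlaps(a) for a in allowlist):
            rejected.append((line, "overlaps allowlist"))
        else:
            accepted.append(net)
    return accepted, rejected

def safe_to_apply(previous_count, new_count, max_growth=2.0, max_entries=100000):
    """Refuse a feed that is implausibly large or ballooned since the last good pull."""
    if new_count > max_entries:
        return False
    return not (previous_count and new_count > previous_count * max_growth)

def ipset_rules(nets, setname="blacklist"):
    # Render accepted entries as ipset 'add' lines; a hash:net set of that name is assumed to exist.
    return [f"add {setname} {n.with_prefixlen}" for n in nets]
```

Feeding the firewall only what `parse_feed` accepts, and only when `safe_to_apply` agrees, means a feed that suddenly lists your own or your partners' address space is logged and dropped instead of being enforced.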
This was first published in November 2013