Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Asset Blacklists and Whitelists

 

JSA uses a group of asset reconciliation rules to determine if asset data is trustworthy. When asset data is questionable, JSA uses asset blacklists and whitelists to determine whether to update the asset profiles with the asset data.

An asset blacklist is a collection of data that JSA considers untrustworthy. Data in the asset blacklist is likely to contribute to asset growth deviations and JSA prevents the data from being added to the asset database.

An asset whitelist is a collection of asset data that overrides the asset reconciliation engine logic about which data is added to an asset blacklist. When the system identifies a blacklist match, it checks the whitelist to see whether the value exists. If the asset update matches data that is on the whitelist, the change is reconciled and the asset is updated. Whitelisted asset data is applied globally for all domains.

Your JSA administrator can modify the asset blacklist and whitelist data to prevent future asset growth deviations.

Asset Blacklists

An asset blacklist is a collection of data that JSA considers untrustworthy based on the asset reconciliation exclusion rules. Data in the asset blacklist is likely to contribute to asset growth deviations and JSA prevents the data from being added to the asset database.

Every asset update in JSA is compared to the asset blacklists. Blacklisted asset data is applied globally for all domains. If the asset update contains identity information (MAC address, NetBIOS host name, DNS host name, or IP address) that is found on a blacklist, the incoming update is discarded and the asset database is not updated.

The following table shows the reference collection name and type for each type of identity asset data.

Table 1: Reference Collection Names for Asset Blacklist Data

Type of identity data

Reference collection name

Reference collection type

IP addresses (v4)

Asset Reconciliation IPv4 Blacklist

Reference Set [Set Type: IP]

DNS host names

Asset Reconciliation DNS Blacklist

Reference Set [Set Type: ALNIC*]

NetBIOS host names

Asset Reconciliation NetBIOS Blacklist

Reference Set [Set Type: ALNIC*]

MAC Addresses

Asset Reconciliation MAC Blacklist

Reference Set [Set Type: ALNIC*]

* ALNIC is an alphanumeric type that can accommodate both host name and MAC address values.

Your JSA administrator can modify the blacklist entries to ensure that new asset data is handled correctly.

Asset Whitelists

You can use asset whitelists to keep JSA asset data from inadvertently reappearing in the asset blacklists.

An asset whitelist is a collection of asset data that overrides the asset reconciliation engine logic about which data is added to an asset blacklist. When the system identifies a blacklist match, it checks the whitelist to see whether the value exists. If the asset update matches data that is on the whitelist, the change is reconciled and the asset is updated. Whitelisted asset data is applied globally for all domains.

Your JSA administrator can modify the whitelist entries to ensure that new asset data is handled correctly.

Example Of a Whitelist Use Case

The whitelist is helpful if you have asset data that continues to show up in the blacklists when it is a valid asset update. For example, you might have a round robin DNS load balancer that is configured to rotate across a set of five IP addresses. The Asset Reconciliation Exclusion rules might determine that the multiple IP addresses associated with the same DNS host name are indicative of an asset growth deviation, and the system might add the DNS load balancer to the blacklist. To resolve this problem, you can add the DNS host name to the Asset Reconciliation DNS Whitelist.

Mass Entries to the Asset Whitelist

An accurate asset database makes it easier to connect offenses that are triggered in your system to physical or virtual assets in your network. Ignoring asset deviations by adding mass entries to the asset whitelist is not helpful in building an accurate asset database. Instead of adding mass whitelist entries, review the asset blacklist to determine what is contributing to the deviating asset growth and then determine how to fix it.

Types Of Asset Whitelists

Each type of identity data is kept in a separate whitelist. The following table shows the reference collection name and type for each type of identity asset data.

Table 2: Reference Collection Name for Asset Whitelist Data

Type of data

Reference collection name

Reference collection type

IP addresses

Asset Reconciliation IPv4 Whitelist

Reference Set [Set Type: IP]

DNS host names

Asset Reconciliation DNS Whitelist

Reference Set [Set Type: ALNIC*]

NetBIOS host names

Asset Reconciliation NetBIOS Whitelist

Reference Set [Set Type: ALNIC*]

MAC addresses

Asset Reconciliation MAC Whitelist

Reference Set [Set Type: ALNIC*]

* ALNIC is an alphanumeric type that can accommodate host name and MAC address values.