This document outlines the process of configuring Allowlist and Blocklist rules in Airlock Digital. The Allowlist feature enables users to create rules that permit specific files to operate under defined conditions, while the Blocklist feature is utilized to restrict potentially harmful operations within trusted applications or the operating system.
In this video, we will explore the Allowlist and Blocklist functionality within Airlock Digital. Although Airlock is primarily an allowlisting solution, it also uses blocklists to harden trusted applications and the operating system itself. The Allowlist is where you build the set of rules that permit specific files to run.

These rules can be organized into folders and buckets, visible on the left-hand side, and then assigned to different policies. As an example, consider the rule named "Wireshark for Admins," which allows Wireshark, matched on its publisher, to run only for members of a specific domain security group of administrators. Allowlist metadata rules make more flexible rules possible. For instance, some software needs to run under conditions such as executing from a temporary directory.

To create a rule, select criteria related to the file attributes you wish to specify.

The available attributes include the original file name, path, publisher, hash, and other details. For a flexible rule you might match on the file path alone, allowing the file to run from a temporary directory.

A path-only rule is not the most secure option, since any file written to that directory would match it, but you can place guardrails around the application to tighten it.

A file in the temporary directory can be permitted to run only under specific conditions, such as a defined parent and grandparent process and membership of a particular domain security group. With these guardrails in place you retain control over how the tool is used. The Blocklist feature can then be used to harden trusted tools further.

Like the Allowlist, Blocklist entries can be organized into buckets on the left-hand side. Predefined configurations are available for automatic import into Airlock.

These configurations come from several sources, including the MITRE ATT&CK framework and various threat intelligence feeds. Microsoft's recommended block rules are also integrated, providing a baseline by blocking built-in binaries such as kill.exe, InstallUtil.exe and MSBuild.exe that attackers commonly abuse to bypass application control.

Regular users should have no need to run these binaries, so blocking them by default hardens the environment with little impact on day-to-day work.
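The following Python model is an added illustration and is not Airlock Digital's engine or configuration. It ties together the allowlist rules described earlier (a publisher rule scoped to an admin security group, and a temporary-directory path rule both with and without parent/grandparent-process and group guardrails) and the blocklist entries just described, showing why the blocklist is consulted first and why matching on the original file name catches a renamed copy. Every name, path, publisher string, group and sample event in it is constructed for illustration.

```python
"""Toy model of allowlist / blocklist evaluation with guardrail conditions.

Added example: this is not Airlock Digital's engine. It models the concepts
in the text (file attributes, a publisher rule scoped to a security group,
a path rule guarded by parent/grandparent process and group, and blocklist
entries that override an allow). All names, paths and events are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ExecEvent:
    """Attributes of one execution attempt, as an endpoint agent would see them."""
    path: str
    original_filename: str        # from the PE version resource; survives a rename
    publisher: Optional[str]      # signer subject, None if unsigned
    user_groups: frozenset        # security groups of the launching user
    parent: str                   # parent process image name
    grandparent: str              # grandparent process image name


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[ExecEvent], bool]


def is_under(path: str, directory: str) -> bool:
    """True if path lies inside directory (Windows paths compare case-insensitively)."""
    return PureWindowsPath(directory) in PureWindowsPath(path).parents


# Hypothetical temp directory used by a deployment agent.
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"

# Blocklist entries are matched on original file name so a renamed copy is
# still caught. Small constructed subset of Microsoft's recommended block list.
MS_RECOMMENDED_BLOCKS = {"msbuild.exe", "installutil.exe", "kill.exe"}

BLOCK_RULES: List[Rule] = [
    Rule("Microsoft recommended block rules",
         lambda e: e.original_filename.lower() in MS_RECOMMENDED_BLOCKS),
]


def allow_rules(guardrails: bool) -> List[Rule]:
    """Allowlist. guardrails=False uses the weak path-only temp rule;
    guardrails=True adds the parent/grandparent and group conditions."""
    rules = [
        # Publisher rule scoped to a security group (the "Wireshark for Admins" idea).
        Rule("Wireshark for Admins",
             lambda e: e.publisher == "Wireshark Foundation, Inc."
             and "Domain Admins" in e.user_groups),
        # Trusted publisher rule; on its own it would also admit MSBuild.exe.
        Rule("Microsoft signed",
             lambda e: e.publisher == "Microsoft Corporation"),
    ]
    if guardrails:
        rules.append(Rule(
            "Deploy agent temp (guardrailed)",
            lambda e: is_under(e.path, TEMP_DIR)
            and e.parent.lower() == "deployagent.exe"
            and e.grandparent.lower() == "services.exe"
            and "IT-Deployers" in e.user_groups))
    else:
        rules.append(Rule("Temp dir (path only)",
                          lambda e: is_under(e.path, TEMP_DIR)))
    return rules


def decide(event: ExecEvent, guardrails: bool = True) -> Tuple[str, str]:
    """Blocklist first, so a block always beats an allow; anything that
    matches no allow rule is denied by default."""
    for rule in BLOCK_RULES:
        if rule.match(event):
            return ("BLOCK", rule.name)
    for rule in allow_rules(guardrails):
        if rule.match(event):
            return ("ALLOW", rule.name)
    return ("DENY", "no allowlist match")


# Constructed sample events.
ADMIN = frozenset({"Domain Users", "Domain Admins"})
USER = frozenset({"Domain Users"})
DEPLOYER = frozenset({"Domain Users", "IT-Deployers"})

WIRESHARK_ADMIN = ExecEvent(r"C:\Program Files\Wireshark\Wireshark.exe", "Wireshark.exe",
                            "Wireshark Foundation, Inc.", ADMIN, "explorer.exe", "userinit.exe")
WIRESHARK_USER = ExecEvent(r"C:\Program Files\Wireshark\Wireshark.exe", "Wireshark.exe",
                           "Wireshark Foundation, Inc.", USER, "explorer.exe", "userinit.exe")
DEPLOY_TOOL = ExecEvent(TEMP_DIR + r"\installer.exe", "installer.exe", None, DEPLOYER,
                        "deployagent.exe", "services.exe")
PHISHED_DROP = ExecEvent(TEMP_DIR + r"\invoice.exe", "invoice.exe", None, USER,
                         "winword.exe", "explorer.exe")
MSBUILD = ExecEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                    "MSBuild.exe", "Microsoft Corporation", USER, "cmd.exe", "explorer.exe")
RENAMED_MSBUILD = ExecEvent(r"C:\Users\alice\Downloads\build.exe", "MSBuild.exe",
                            "Microsoft Corporation", USER, "explorer.exe", "userinit.exe")

if __name__ == "__main__":
    for label, ev in [("wireshark/admin", WIRESHARK_ADMIN), ("wireshark/user", WIRESHARK_USER),
                      ("deploy tool", DEPLOY_TOOL), ("phished drop", PHISHED_DROP),
                      ("msbuild", MSBUILD), ("renamed msbuild", RENAMED_MSBUILD)]:
        print(f"{label:16} guardrails={decide(ev)}  path-only={decide(ev, guardrails=False)}")
```

The two decisions worth comparing are the phished drop, which the path-only rule allows and the guardrailed rule denies, and the renamed MSBuild copy, which the Microsoft publisher rule would admit but the blocklist catches regardless of where the file sits or what it is called.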
