Cisco Talos replacing all mentions of ‘blacklist,’ ‘whitelist’
There are many ways to respond to injustice, both large and small, but each response is important. While we acknowledge it is a small change, Cisco Talos is moving to replace our use of the terms “blacklist” and “whitelist” with “block list” and “allow list.” Even though these terms are commonly in use in the security industry, we will not go along with casually assigning positive connotations to “white” while assigning negative connotations to “black.”
Whitelist ⇒ Allow List
Blacklist ⇒ Block List
So, what about ACI? When I looked it up I found "blocked list model" and "allowed list model", so the terminology appears to be the same.
ACI – Network-Centric Approach White Paper
Datacenters built prior to ACI use VLANs for the purpose of isolation. VLANs are broadcast domains that allow frames to be sent out all ports of a switch tagged with that VLAN, if the frame has no awareness of the destination. This is called flooding. VLANs are generally mapped to one subnet. For example, you may have VLAN 21 which contains all of your database servers. It is likely that these servers will only be assigned to one subnet, perhaps 192.168.21.0/24. Usually a blocked list model is used, meaning traffic is allowed by default within subnets. Security rules are typically assigned at the Layer 3 boundary or default gateway using Access Control Lists (ACL) or Firewall rules.
Notice Figures 3 and 4 look very similar. VLAN 21 is mapped to subnet 192.168.21.0 and all endpoints within that subnet, containing database servers. VLAN 22 is mapped to subnet 192.168.22.0 and all endpoints within that subnet, containing application servers. In the network-centric approach, it’s not necessary to know which applications, or application tiers, exist on a given VLAN. But it is necessary to know which VLANs should be allowed to communicate. There is one noticeable difference between traditional networks and ACI – ACI uses the allowed list model. Hence, by default no traffic is allowed between these subnets, though traffic is allowed within the bridge domains by default. This default behavior can be easily changed to match traditional networking concepts. To address the change in the allowed list model, we need to discuss contracts.
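The practical difference between the two models is what happens to traffic nobody wrote a rule for. The following toy policy evaluator is an added example (not code from the white paper or from Cisco) that contrasts the default-permit blocked list model of a VLAN plus gateway ACL design with the default-deny allowed list model that ACI contracts implement. The segment names, rules, and flows are constructed for illustration and mirror the two-subnet layout the white paper describes.

```python
"""Blocked-list vs allowed-list policy models, side by side.

Added example, not part of the white paper: a toy evaluator that shows how
the same operator intent ("app tier may reach the database on 3306, nothing
else") behaves under default-permit and default-deny. All names, rules and
flows below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One ACL entry or one contract filter: a segment pair plus a service.
    dport=None matches any destination port."""
    src_seg: str
    dst_seg: str
    proto: str = "tcp"
    dport: Optional[int] = None

    def matches(self, src_seg: str, dst_seg: str, flow: Flow) -> bool:
        return (self.src_seg == src_seg and self.dst_seg == dst_seg
                and self.proto == flow.proto
                and (self.dport is None or self.dport == flow.dport))


# Constructed topology: one VLAN per subnet, as in the white paper's example.
SEGMENTS = {
    "vlan21-db": ipaddress.ip_network("192.168.21.0/24"),
    "vlan22-app": ipaddress.ip_network("192.168.22.0/24"),
}


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any known segment")


def blocklist_permits(flow: Flow, deny_acl: list) -> bool:
    """Traditional model: permit by default; an ACL at the L3 gateway can only
    subtract. Same-subnet traffic is switched at L2 and never reaches the ACL."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == d:
        return True
    return not any(r.matches(s, d, flow) for r in deny_acl)


def allowlist_permits(flow: Flow, contracts: list) -> bool:
    """ACI-style model: deny by default between bridge domains; a contract can
    only add. Traffic within one bridge domain is permitted by default."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == d:
        return True
    return any(c.matches(s, d, flow) for c in contracts)


# Constructed policy expressing the same intent in each model.
DENY_ACL = [Rule("vlan22-app", "vlan21-db", dport=22)]      # blocks only what someone thought of
CONTRACTS = [Rule("vlan22-app", "vlan21-db", dport=3306)]   # permits only the intended service

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("192.168.22.10", "192.168.21.5", 3306),  # intended app -> db
    Flow("192.168.22.10", "192.168.21.5", 22),    # ssh app -> db, explicitly denied
    Flow("192.168.22.10", "192.168.21.5", 5432),  # a service nobody wrote a rule for
    Flow("192.168.21.5", "192.168.21.6", 22),     # db -> db inside the same subnet
]


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {(src, dst, dport): (blocklist_verdict, allowlist_verdict)}."""
    return {
        (f.src, f.dst, f.dport): (blocklist_permits(f, DENY_ACL),
                                  allowlist_permits(f, CONTRACTS))
        for f in flows
    }


if __name__ == "__main__":
    for key, (bl, al) in compare().items():
        print(f"{key}: blocked-list -> {'permit' if bl else 'deny'}, "
              f"allowed-list -> {'permit' if al else 'deny'}")
```

The third flow is the one to watch: port 5432 was never mentioned in either policy, so the blocked list model lets it through (fail open) while the allowed list model drops it (fail closed). The fourth flow shows the behaviour both models share, which the white paper calls out: traffic that stays inside one subnet or bridge domain never hits the policy at all, so tier-internal exposure has to be handled separately.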