
Redundant security

With trusted algorithms being cracked left and right, here's a way to implement layered security controls.

As was recently reported, it looks like SHA-1, once considered nearly invulnerable, has been cracked. This may leave a lot of network administrators searching for a solution, since the venerable MD5 was broken last year, leaving the community with no real "trusted" authentication algorithm to turn to. But for others, this only underscores the sound advice we've followed for years: implement layered controls.

When the MD5 news hit, many administrators may have moved to SHA-1, which is fine, but only if they realize the algorithm still represents a single point of failure. And even if it turns out that the researchers were mistaken and SHA-1 is just fine, you should still expect it, and other algorithms, to eventually succumb to the inevitable discovery of some weakness.

Wherever your budget and requirements converge, you should always look for multiple sets of diverse controls to back each other up. For packet-filtering firewalls, a common second layer of control is the screening firewall. In authentication, you often hear of "two-factor" authentication, which is useful in situations where someone guesses a password, but still can't access a system because they don't have a token, or a thumbprint.

Depending on what you're using MD5 and SHA-1 for, there are still technologies that can mitigate risks. For example, if you're using SHA-1 to establish a site-to-site IPSec VPN connection, you could implement access lists that permit only IPSec traffic from the static IP address of your peer. If you're using MD5 checksums to verify a file hasn't been tampered with, you could put the files in a control system that requires someone to log in and "check out" the file to modify it (e.g. Rational ClearCase or Microsoft's SourceSafe). If you're using it as an authentication method for OSPF neighbor adjacencies, you should also have the "passive-interface" command on links with user access.
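The same layering idea can be applied to the checksum case itself: record more than one independent digest for a trusted file and accept the file only when every recorded digest matches, so that a break of a single algorithm is no longer enough to slip a modified file past the check. The following is an added example written for this article, not the author's code or any product's; the manifest format, function names and sample file contents are constructed, and SHA-256 is included as a third layer that goes beyond the MD5 and SHA-1 the article discusses.

```python
"""Layered file-integrity check: every recorded digest must match.

Added illustration, not code from the original article. The manifest layout,
the function names and the sample "files" below are constructed.
"""
import hashlib
from typing import Dict, List, Tuple

# MD5 and SHA-1 are the algorithms the article discusses; SHA-256 is added here
# as a third, structurally different layer (a member of the SHA-2 family).
ALGORITHMS = ("md5", "sha1", "sha256")


def build_manifest(data: bytes, algorithms=ALGORITHMS) -> Dict[str, str]:
    """Record one digest per algorithm for a trusted copy of the file."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_layered(data: bytes, manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (ok, failed_algorithms).

    The check passes only when *every* recorded digest matches. Defeating it
    requires a file that collides under all recorded algorithms at once, not a
    break of any single one.
    """
    failed = sorted(name for name, expected in manifest.items()
                    if hashlib.new(name, data).hexdigest() != expected)
    return (not failed, failed)


def verify_assuming_broken(data: bytes, manifest: Dict[str, str],
                           broken: str) -> Tuple[bool, List[str]]:
    """Evaluate the residual protection if `broken` were completely defeated.

    Models an attacker who can always make the `broken` digest match by simply
    dropping that layer from the manifest and re-running the check on what is
    left. With a single-algorithm manifest nothing remains, and tampering goes
    undetected: that is the single point of failure the article warns about.
    """
    remaining = {name: digest for name, digest in manifest.items() if name != broken}
    return verify_layered(data, remaining)


# Constructed sample input: a trusted router configuration fragment ...
TRUSTED_FILE = b"router ospf 1\n passive-interface FastEthernet0/0\n"
# ... and a modified copy from which the passive-interface line was removed.
TAMPERED_FILE = b"router ospf 1\n"


if __name__ == "__main__":
    manifest = build_manifest(TRUSTED_FILE)
    print("trusted copy:", verify_layered(TRUSTED_FILE, manifest))
    print("tampered copy:", verify_layered(TAMPERED_FILE, manifest))
    # MD5 alone defeated: SHA-1 and SHA-256 still catch the change.
    print("tampered, MD5 broken:", verify_assuming_broken(TAMPERED_FILE, manifest, "md5"))
    # An MD5-only manifest with MD5 defeated detects nothing.
    single = build_manifest(TRUSTED_FILE, ("md5",))
    print("tampered, MD5-only manifest, MD5 broken:",
          verify_assuming_broken(TAMPERED_FILE, single, "md5"))
```

The last two calls are the point of the exercise: with three recorded digests, a complete break of MD5 leaves two independent layers that still reject the modified file, whereas the MD5-only manifest reports the tampered copy as good the moment that one algorithm falls.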

If you design your systems with redundant controls, you won't have to scramble to redesign or patch your entire network every time someone announces a bug.

Tom Lancaster, CCIE# 8829, CNX# 1105, is a consultant with 15 years' experience in the networking industry, and co-author of several books on networking, most recently CCSP(TM): Secure PIX and Secure VPN Study Guide, published by Sybex.

This was last published in February 2005
