How to Generate a SHA-1 Certificate Inventory

Background to the SHA-1 changes

The Secure Hash Algorithm is a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). SHA-1 is a 160-bit hash function which resembles the earlier MD5 algorithm. Cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved for most cryptographic uses after 2010.

It is recommended that you don’t use SHA-1 certificates past 2016 for a number of reasons:

What you need to do right now

If you are running public facing web services, then this problem may seem obvious. However, many network devices such as printers run embedded web servers, so the SHA-1 issue will affect nearly all computer networks. The advice is to spend some time looking at the problem now, rather than waiting for user complaints in 2017. At a minimum, we recommend the following:

  1. Inventory your existing certificates. This can be tricky if you do not have network monitoring tools in place. If you don’t have anything at present, you can download a trial version of our LANGuardian product which has SHA-1 reporting built-in.
  2. Replace SHA-1 certificates that expire after 2015. This may require a new server platform as operating systems such as Windows Server 2003 are not able to support SHA256 certificates.
  3. Ensure new certificates and their chains are based on SHA-2.
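Steps 1 and 2 above come down to one check per certificate: what hash does the signature use, and does the certificate outlive 2015? The script below is an added example, not code from the article or from the LANGuardian product. It reads the DER encoding of an X.509 certificate with a minimal ASN.1 reader, decodes the signatureAlgorithm OID, reads notAfter, and flags SHA-1-signed certificates that are still valid after the end of 2015. The OID values are the real ones from PKCS#1 and ANSI X9.62; everything else (the function names, the constructed sample certificates with dummy keys and signatures, the host labels) is made up for this example.

```python
"""Flag SHA-1-signed X.509 certificates that outlive 2015 (added example, not from the article)."""
import datetime

# Signature-algorithm OIDs (real values from PKCS#1 and ANSI X9.62).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

# ---- minimal DER reader (enough for the outer layers of a certificate) ----
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: 0x8N then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed value (SEQUENCE/SET) into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def _decode_time(tag, value):
    """Decode UTCTime (tag 0x17) or GeneralizedTime (0x18) in Zulu form."""
    s = value.decode("ascii")
    if tag == 0x17:                          # YYMMDDHHMMSSZ, RFC 5280 pivot at 1950
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ")

def inspect_certificate(der):
    """Return signature OID, its name and notAfter for a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _signature = _children(cert)
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _not_before, not_after = _children(fields[3][1])
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    return {"sig_oid": oid, "sig_alg": SIG_ALG_OIDS.get(oid, "unknown"),
            "not_after": _decode_time(*not_after)}

CUTOFF = datetime.datetime(2015, 12, 31, 23, 59, 59)   # "expire after 2015"

def needs_replacement(info, cutoff=CUTOFF):
    """Step 2 of the article: signed with SHA-1 and still valid after the cutoff."""
    return "SHA1" in info["sig_alg"].upper() and info["not_after"] > cutoff

def sha1_inventory(certs, cutoff=CUTOFF):
    """certs: iterable of (label, der_bytes). Returns (label, algorithm, notAfter) rows to replace."""
    return [(label, i["sig_alg"], i["not_after"].date().isoformat())
            for label, i in ((l, inspect_certificate(d)) for l, d in certs)
            if needs_replacement(i, cutoff)]

# ---- CONSTRUCTED sample certificates: structurally valid, dummy key and signature ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:                   # base-128 with continuation bits
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return _der(0x06, bytes(body))

def build_sample_cert(sig_oid, not_after_utc, cn=b"printer.example"):
    """Hypothetical certificate: real layout, zeroed key and signature (never trust it)."""
    alg = _der(0x30, _der_oid(sig_oid) + b"\x05\x00")
    name = _der(0x30, _der(0x31, _der(0x30, _der_oid("2.5.4.3") + _der(0x0C, cn))))
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, not_after_utc.encode()))
    spki = _der(0x30, _der(0x30, _der_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _der(0x03, bytes(17)))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, bytes(17)))

if __name__ == "__main__":
    inventory = [   # constructed: host labels and certificates are made up
        ("printer 10.0.0.5", build_sample_cert("1.2.840.113549.1.1.5", "170601000000Z")),
        ("web 10.0.0.10", build_sample_cert("1.2.840.113549.1.1.11", "170601000000Z")),
        ("legacy 10.0.0.20", build_sample_cert("1.2.840.113549.1.1.5", "150601000000Z")),
    ]
    for row in sha1_inventory(inventory):
        print("replace:", *row)
```

Only the printer is reported: the web server is SHA-256, and the legacy host's SHA-1 certificate expires in mid-2015, so step 2 does not require replacing it. To feed real certificates in, the standard library's `ssl.get_server_certificate((host, 443))` returns a server's leaf certificate as PEM and `ssl.PEM_cert_to_DER_cert` converts it to the DER bytes this reader expects; note that call returns only the leaf, so the chain check in step 3 has to be done on each intermediate separately.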

Generating a SHA-1 inventory using network traffic analysis

LANGuardian 14.1 includes a new feature that allows you to generate a list of all servers on your network running SSL services. Those devices that need to be updated are highlighted within the report. LANGuardian uses network traffic as its data source, so you just need to set up a SPAN or mirror port on your core switch to get started. We have a couple of video guides on this subject within the resources section of this website which explain things in more detail.

To access the SSL reports, you need to click on All Reports from within the LANGuardian GUI and navigate to the Inventory section. If you don’t have an inventory section, you will need to upgrade your LANGuardian to the latest release. Please contact our support team if you have any questions about this.

You can filter based on variables like IP addresses, subnets and specific time ranges. Servers running expired certificates or outdated protocol versions are highlighted in red.

The IP address link within the report allows you to drill down and see which clients are connecting to this server. This can be very useful data if you are planning to shut down any outdated systems. In my example, the device is actually a printer running an insecure SHA-1 certificate.

Outdated SHA-1 certificate

In some cases, you may need to replace certificates running on servers, while in other situations you may need to do firmware updates. Whatever the remedy, you can use LANGuardian to check whether the device or server has been updated. Just run the Servers Running SSL report again and change the date/time filter so you are looking at data which was captured after the time of the upgrade.

