
Secure your Cisco Network Time Protocol with these tips

Lori Hyde makes recommendations for your Cisco routers to secure Network Time Protocol, a critical function for your network, which affects crucial items such as VPNs, time-based ACLs, and authentication.

Network Time Protocol (NTP) is a client-server, UDP-based protocol used to synchronize clocks among network devices. Time synchronization is critical for the correct operation of features such as VPNs, time-based ACLs, and authentication, and it is also a critical element of event correlation, problem debugging, and security.

NTP uses a hierarchical concept called a "stratum" to describe how many NTP "hops" away a machine is from an authoritative time source. A Stratum 0 source is the root: it is based on an atomic clock, or a series of them, and is incredibly accurate. A Stratum 1 clock receives its time from a Stratum 0 clock and is therefore one hop away. The pattern continues for Stratum 2, Stratum 3, and so on.

Since NTP provides a critical resource for your network, you need to be certain that it is correct. The most desirable way to provide an accurate, secure time source would be to have a Stratum 1 clock source directly on your network. Short of that, the most common implementation currently used is to have a device on your network, typically a router, synchronize with a public Stratum 1 or 2 time source, and then act as the local network master clock source.

Internal devices, servers, and hosts can then synchronize their clocks with this network source. This hierarchy allows you to configure strict NTP (UDP port 123) rules on your firewall.

Security can also be improved by implementing NTP authentication between your routers and implementing NTP Access Control Lists.

Protecting your NTP deployment

NTP authentication operates a bit differently than what you may think and is often a point of confusion. With NTP authentication on Cisco routers, a key is defined on the source host (master clock) and is used to MD5 hash the response to queries. However, in the case of NTP, it is up to the client to request authentication rather than the router to demand it.

In this sense, the requesting client is verifying the integrity of the source rather than the source verifying the validity of the client. The net effect is that the router will respond to queries that do not require authentication as well as to those that do. However, if a client requests authentication and the router is not configured for it, the NTP synchronization will fail.

For reliability and security reasons, set up more than one router on your network to provide NTP synchronization, with each of them getting their time reference from a different Stratum 1 clock, and then set up peering with authentication between these routers.

Access Control Lists can also be great tools to protect your NTP deployment. You can implement a "peer group" ACL to define and control which IP addresses are allowed to peer with your router. Additionally, you can implement a "serve," or "serve-only," ACL to define which IP addresses or netblocks are allowed to make NTP queries to your router.
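The authentication, peering, and ACL measures described above, combined into one Cisco IOS configuration. This is an added example, not configuration from the article or its comments. All addresses are assumed: 10.0.0.1 is this router's loopback, 10.0.0.2 is the second internal NTP router, 10.0.0.10 and 10.0.0.11 are two time sources that have been provisioned with key 1 (for instance on-network Stratum 1 appliances), and 10.0.0.0/8 is the internal client range.

```cisco
! Added example; addresses and key IDs are assumed, secrets are placeholders.
! --- Authentication: key 1 for the upstream sources, key 2 for the peer
ntp authenticate
ntp authentication-key 1 md5 REPLACE-WITH-SOURCE-SECRET
ntp authentication-key 2 md5 REPLACE-WITH-PEER-SECRET
ntp trusted-key 1
ntp trusted-key 2
!
! --- One stable source address, so the far side's ACL only has to match one IP
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
ntp source Loopback0
ntp update-calendar
!
! --- Upstream references. "key 1" makes THIS router demand that their replies
!     authenticate. Put "key" only on sources that really hold the key: a
!     source that cannot answer the authentication request will never sync.
ntp server 10.0.0.10 key 1 prefer
ntp server 10.0.0.11 key 1
!
! --- Second internal router: symmetric peering, authenticated with key 2.
!     The peer needs the same key 2 and a matching "ntp peer 10.0.0.1 key 2".
ntp peer 10.0.0.2 key 2
!
! --- Peer group: who may peer with us and whom we may synchronize to.
!     Sources we sync to must pass the "peer" list; "serve" is not enough.
access-list 10 remark NTP peer group
access-list 10 permit 10.0.0.10
access-list 10 permit 10.0.0.11
access-list 10 permit 10.0.0.2
!
! --- Serve-only: internal clients may ask for time and nothing more
!     (this router never syncs to them, and NTP control queries are refused).
access-list 20 remark NTP serve-only clients
access-list 20 permit 10.0.0.0 0.255.255.255
!
ntp access-group peer 10
ntp access-group serve-only 20
```

IOS scans the access groups in the order peer, serve, serve-only, query-only and applies the first match, so the peer and the sources above are granted peer access even though they also fall inside the serve-only range.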

NTP accuracy is critical to your network. It takes a relatively small bit of time to set it up correctly and protect it with security measures, but your efforts will pay off big time.


3 comments
career

The thing I've found most frustrating about NTP is it always uses port 123, even for client requests. While this might sound great, it makes it very difficult to write firewall rules since the firewall doesn't know which is the client and which is the server.

Doug Vitale

You can implement NTP authentication to prevent NTP spoofing.

! "key 999" on the server line is what makes the client request authentication;
! the trusted-key ID must match the defined key (the original had 10 vs. 999).
! On IOS releases without SHA support the only algorithm keyword is md5.
ntp server 192.168.1.10 key 999
ntp authenticate
ntp authentication-key 999 hmac-sha1 xxxxxxxxx
ntp trusted-key 999

You can also configure the loopback address as the source for NTP messages.

interface Loopback0
 ip address 10.10.2.1 255.255.255.255
...
ntp update-calendar
ntp server 192.168.1.10
ntp server 192.168.1.11
ntp source Loopback0

Cincinnerdi

Interesting policy points. Links to "how to" resources would be helpful as this leaves us readers who are interested with no clear next step other than hunting / fishing via google.
