Lori Hyde makes recommendations for your Cisco routers to secure Network Time Protocol, a critical function for your network, which affects crucial items such as VPNs, time-based ACLs, and authentication.
Network Time Protocol (NTP) is a client-server, UDP-based protocol used to synchronize time clocks among network devices. Time synchronization is critical for some feature functionality such as VPNs, time-based ACLs, and authentication and is also a critical element for event correlation, problem debug, and security.
NTP uses a hierarchical-based concept called a "stratum" to describe how many NTP "hops" away a machine is from an authoritative time source. A Stratum 0 source is the root and is based on an atomic clock, or series of them, and is incredibly accurate. A Stratum 1 clock would receive its source from a Stratum 0 clock and would therefore be one hop away. This pattern would follow for Stratum 2 and Stratum 3, etc.
Since NTP provides a critical resource for your network, you need to be certain that it is correct. The most desirable way to provide an accurate, secure time source would be to have a Stratum 1 clock source directly on your network. Short of that, the most common implementation currently used is to have a device on your network, typically a router, synchronize with a public Stratum 1 or 2 time source, and then act as the local network master clock source.
Internal devices, servers, and hosts can then synchronize their clocks with this network source. This hierarchy allows you to configure strict NTP (UDP port 123) rules on your firewall.
Security can also be improved by implementing NTP authentication between your routers and implementing NTP Access Control Lists.
Protecting your NTP deployment
NTP authentication operates a bit differently than what you may think and is often a point of confusion. With NTP authentication on Cisco routers, a key is defined on the source host (master clock) and is used to MD5 hash the response to queries. However, in the case of NTP, it is up to the client to request authentication rather than the router to demand it.
In this sense, the requesting client is verifying the integrity of the source rather than the source verifying the client validity. The net of this is that the router will also respond to queries that do not require authentication as well as those that do. However, if a client requests authentication and the router is not configured for it, the NTP synchronization will fail.
For reliability and security reasons, set up more than one router on your network to provide NTP synchronization, with each of them getting their time reference from a different Stratum 1 clock, and then set up peering with authentication between these routers.
Access Control Lists can also be great tools to protect your NTP deployment. You can implement a "peer group" ACL to define and control which IP addresses are allowed to peer with your router. Additionally, you can implement a "serve," or "serve-only," ACL to define which IP addresses or netblocks are allowed to make NTP queries to your router.
NTP accuracy is critical to your network. It takes a relatively small bit of time to set it up correctly and protect it with security measures, but your efforts will pay off big time.
Want to learn more about router and switch management? Automatically sign up for our free Cisco Technology newsletter, delivered each Friday!