Make sure security logs exhibit accurate time with NTP

It's vital that organizations take steps to synchronize the time on their network and devices, but it's even more important to make sure the logs produced by security devices reflect the accurate time. Find out why accurate time is so important for security logs, and walk through the process of synchronizing your network.

It's important to synchronize the time on your network and devices. To do so, many use the Network Time Protocol (NTP). Designed to synchronize the clocks of computers over a network, NTP has been around for a long time.

However, this synchronization takes on even more significance when it comes to security devices on your network. It's important that the logs produced by these security devices reflect accurate time. When you're dealing with a heavy volume of traffic, it can be impossible to correlate log files from different sources if the times don't match up.

Your security correlation tool will be utterly useless if the times on your log files don't correspond. An unsynchronized network can mean spending a great deal of time tracking events manually, matching entries by hand across devices whose clocks disagree. Let's look at how you can synchronize your network and make sure your security logs exhibit accurate time.
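To show concretely what clock skew does to correlation, here is an added Python example (not from the original article). It parses a few constructed log lines from a firewall whose clock is correct and an IDS whose clock runs five minutes fast, and tries to pair each IDS alert with firewall entries for the same source IP inside a ten-second window. With no correction nothing pairs up; only when the known skew is subtracted do the events line up. The log format, hostnames and addresses are all assumptions for the sake of the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs: fw01 is NTP-synced, ids01's clock is 300 s fast.
FIREWALL_LOG = """\
2023-11-14T22:13:20Z fw01 deny tcp 198.51.100.23 -> 10.0.0.5:445
2023-11-14T22:13:21Z fw01 deny tcp 198.51.100.23 -> 10.0.0.5:139
2023-11-14T22:13:40Z fw01 permit tcp 10.0.0.8 -> 203.0.113.9:443
"""
IDS_LOG = """\
2023-11-14T22:18:22Z ids01 alert SMB probe from 198.51.100.23
2023-11-14T22:18:41Z ids01 alert TLS certificate anomaly from 10.0.0.8
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse(log_text):
    """Parse '<ISO-8601 UTC> <host> <message>' lines into (timestamp, host, source_ip, message).
    The first IPv4 address in the message is taken as the source."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, msg = line.split(" ", 2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        m = IPV4.search(msg)
        events.append((when, host, m.group(0) if m else None, msg))
    return events


def correlate(fw_events, ids_events, window_seconds=10, ids_skew_seconds=0):
    """Pair IDS alerts with firewall entries for the same source IP within a time window.
    ids_skew_seconds is how far the IDS clock runs fast (negative if slow); it is subtracted
    before comparing. With NTP in place this correction would be unnecessary."""
    window = timedelta(seconds=window_seconds)
    skew = timedelta(seconds=ids_skew_seconds)
    pairs = []
    for ids_ts, _, ip, ids_msg in ids_events:
        corrected = ids_ts - skew
        for fw_ts, _, fw_ip, fw_msg in fw_events:
            if fw_ip == ip and abs(fw_ts - corrected) <= window:
                pairs.append((fw_ts.isoformat(), fw_msg, ids_msg))
    return pairs


if __name__ == "__main__":
    fw, ids = parse(FIREWALL_LOG), parse(IDS_LOG)
    print("uncorrected matches:", len(correlate(fw, ids)))
    print("matches after subtracting 300 s skew:", len(correlate(fw, ids, ids_skew_seconds=300)))
    for fw_ts, fw_msg, ids_msg in correlate(fw, ids, ids_skew_seconds=300):
        print(f"  {fw_ts}  {fw_msg}  <->  {ids_msg}")
```

Retrofitting an offset like this only works if you know what the skew was at the moment each event was logged, and an unsynchronized clock drifts, so the figure changes over time. Keeping every device on NTP avoids the guesswork entirely.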

Find the time

When it comes to synchronizing your network, the first step is choosing a reliable time source to provide a consistent time to your network devices. The quality of a time source is described by its stratum number, and there are four categories you're likely to deal with. Let's look at your options:

  • Stratum 0: This is the U.S. Naval Observatory (USNO) or a GPS (Global Positioning System) clock.
  • Stratum 1: This is a radio receiver that obtains the time from Stratum 0.
  • Stratum 2: This is a client that receives the time over a network connection from a Stratum 1 clock.
  • Stratum 3: This is a client that obtains the time from Stratum 2.

Not sure where to start? The Network Time Protocol project maintains a large list of both public and private time sources. So if your company doesn't possess an internal time source to synchronize your network with, this list is a good resource to turn to. Using it, you can find a primary and secondary time server in your geographical area.
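Whichever server you pick, it helps to understand what a device actually learns from an NTP exchange: the server's stratum and the offset between the two clocks. The following Python example is added here and is not part of the original article. It builds an NTP client request, constructs the server's reply offline (so it runs without network access), validates the reply before trusting it, and computes the clock offset and round-trip delay from the four timestamps the way RFC 5905 describes. The scenario, in which the local clock runs 300 seconds fast, and the stratum-2 server are constructed values.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER = "!BBbb" + "I" * 11          # 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, 11 words


def to_ntp(unix_ts):
    """Unix seconds (float) -> 64-bit NTP timestamp as (seconds, 32-bit fraction)."""
    ntp = unix_ts + NTP_EPOCH_OFFSET
    sec = int(ntp)
    return sec, int((ntp - sec) * (1 << 32))


def from_ntp(sec, frac):
    return sec - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(t1_unix):
    """Client packet (mode 3, version 4); only the Transmit Timestamp (T1) carries a value."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    sec, frac = to_ntp(t1_unix)
    return struct.pack(HEADER, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, sec, frac)


def build_response(request, stratum, t2_unix, t3_unix):
    """Constructed server reply (mode 4): echoes the client's T1 as Originate Timestamp and
    stamps Receive (T2) and Transmit (T3). Built here only so the example runs offline."""
    f = struct.unpack(HEADER, request)
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    t2, t3 = to_ntp(t2_unix), to_ntp(t3_unix)
    return struct.pack(HEADER, li_vn_mode, stratum, f[2], f[3], 0, 0, 0x47505300,  # ref id "GPS"
                       0, 0, f[13], f[14], t2[0], t2[1], t3[0], t3[1])


def parse_response(request, response):
    """Validate the reply before using it: it must be a server packet (mode 4), carry a usable
    stratum (1-15; 0 is a kiss-o'-death, 16 means unsynchronized) and echo the T1 we sent,
    which rejects stray or replayed packets that do not answer this request."""
    req = struct.unpack(HEADER, request)
    rsp = struct.unpack(HEADER, response)
    mode, stratum = rsp[0] & 0x07, rsp[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if not 1 <= stratum <= 15:
        raise ValueError(f"unusable stratum {stratum}")
    if (rsp[9], rsp[10]) != (req[13], req[14]):
        raise ValueError("originate timestamp does not match our request")
    return {"stratum": stratum,
            "t1": from_ntp(rsp[9], rsp[10]),
            "t2": from_ntp(rsp[11], rsp[12]),
            "t3": from_ntp(rsp[13], rsp[14])}


def clock_offset(t1, t2, t3, t4):
    """RFC 5905 clock offset (how far the local clock is from the server's) and round-trip delay."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def demo():
    """Constructed exchange: local clock 300 s fast, 50 ms one-way path, 10 ms server processing."""
    t1_local = 1700000300.00                       # our clock when the request left
    request = build_request(t1_local)
    response = build_response(request, stratum=2, t2_unix=1700000000.05, t3_unix=1700000000.06)
    t4_local = 1700000300.10                       # our clock when the reply arrived
    r = parse_response(request, response)
    offset, delay = clock_offset(r["t1"], r["t2"], r["t3"], t4_local)
    return r["stratum"], offset, delay


if __name__ == "__main__":
    stratum, offset, delay = demo()
    print(f"server stratum {stratum}, local clock offset {offset:+.3f} s, round-trip {delay * 1000:.1f} ms")
```

The offset comes out close to -300 seconds, which is exactly the correction a client would apply. The originate-timestamp check is the minimum sanity test any NTP client should perform; the stratum check keeps a device from following a server that is itself unsynchronized.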

Coordinate the time

Your next step is actually synchronizing the network. From all of your network devices, pick two routers that will receive the time from the outside world and distribute that time to the rest of the network. These routers are typically at the edge of your network and connect directly to the Internet.

Let's look at an example. We'll detail the necessary steps to specify an NTP server for two Cisco routers and update their software clocks.

After you've found a time source that's in your geographical area, log in to the routers with administrative privileges. Then, issue the following commands:

Router# configure terminal
Router(config)# ntp server TimeServerOne prefer
Router(config)# ntp server TimeServerTwo
Router(config)# ntp update-calendar

These commands set TimeServerOne (replace it with the IP address of the time server you selected) as the primary time server; the prefer keyword is what marks it as primary. Likewise, replace TimeServerTwo with the IP address of the secondary time server. The ntp update-calendar command configures the router to update its hardware clock (the calendar) from the NTP-synchronized software clock.

Next, configure the rest of your network devices to draw time from these routers. Here's an example:

Router# configure terminal
Router(config)# ntp server RouterOne
Router(config)# ntp server RouterTwo
Router(config)# ntp update-calendar

Make the time secure

By default, NTP is disabled on all interfaces; issuing the first NTP command enables it on every interface. To keep things secure, it's a good idea to prevent devices from receiving or transmitting NTP packets on interfaces that face the outside world -- you don't want to become a timing source for the entire Internet.

You can do this per interface by issuing the following command in Interface Configuration Mode, which turns off NTP on that interface:

Router(config-if)# ntp disable
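Once the routers are configured, it's worth checking that the settings described above actually made it into the running configuration and stayed there. The following Python script is an added example, not part of the original article or of Cisco's tooling. It parses a constructed IOS-style running-config excerpt and reports where it departs from the article's recipe: fewer than two ntp server lines, no server marked prefer, a missing ntp update-calendar, or an Internet-facing interface without ntp disable. The hostnames, addresses and interface names are assumptions; which interfaces count as untrusted is passed in by the caller.

```python
# Constructed running-config excerpts for an edge router (not taken from a real device).
WEAK_CONFIG = """\
hostname edge-rtr1
!
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.0.0.1 255.255.255.0
!
ntp server 192.0.2.10
"""

HARDENED_CONFIG = """\
hostname edge-rtr1
!
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 ntp disable
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.0.0.1 255.255.255.0
!
ntp server 192.0.2.10 prefer
ntp server 192.0.2.11
ntp update-calendar
"""


def parse_ios(config_text):
    """Split an IOS-style config into global commands and {interface name: [sub-commands]}.
    Sub-commands are the lines indented by one space under an 'interface' line."""
    global_cmds, interfaces, current = [], {}, None
    for raw in config_text.splitlines():
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        elif raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            if raw.strip() and raw != "!":
                global_cmds.append(raw.strip())
    return global_cmds, interfaces


def audit_ntp(config_text, untrusted_interfaces):
    """Return a list of findings; an empty list means the config matches the article's recipe."""
    global_cmds, interfaces = parse_ios(config_text)
    servers = [c for c in global_cmds if c.startswith("ntp server ")]
    findings = []
    if len(servers) < 2:
        findings.append("fewer than two 'ntp server' entries (no secondary time source)")
    if servers and not any(s.endswith(" prefer") for s in servers):
        findings.append("no 'ntp server' marked prefer (no designated primary)")
    if "ntp update-calendar" not in global_cmds:
        findings.append("'ntp update-calendar' missing (hardware clock will not follow NTP)")
    if servers:  # the first ntp command enables NTP on every interface, so check the exposed ones
        for name in untrusted_interfaces:
            if "ntp disable" not in interfaces.get(name, []):
                findings.append(f"{name} faces an untrusted network but lacks 'ntp disable'")
    return findings


if __name__ == "__main__":
    outside = {"GigabitEthernet0/0"}
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_ntp(cfg, outside) or ['no findings']}")
```

Run this against the output of show running-config from each router, naming the Internet-facing interfaces as untrusted; a scheduled run catches the case where someone removes ntp disable during troubleshooting and forgets to put it back.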

For more information on configuring NTP on Cisco routers, check out the Cisco IOS Configuration Fundamentals Configuration Guide for the IOS version you're currently running.

Final thoughts

When it comes to security, the time of occurrence can mean everything. If your logs become evidence in a court case, it's imperative that you're able to illustrate a smooth progression of events as they transpired through your network -- and you need to do so in an understandable, nontechnical way. Time might be the only thing the jury or judge understands.

Failing to properly synchronize your network could mean the difference between a conviction and an acquittal. That's one more reason why you should set up a reliable time source for your network today.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
