NTP Appliances – It’s About Time
Time synchronization is a crucial part of any network. I am sure that most of you have pulled logs for troubleshooting, only to discover that NTP wasn’t configured properly. Whether logs are used for security monitoring or for troubleshooting, they must carry accurate time-stamps to be of much use.
In addition to logging, several protocols and applications rely on accurate time. Authentication mechanisms, such as Kerberos and multi-factor token-based systems, use time-stamps to avoid replay attacks. Active Directory and MySQL replication also rely on synchronized time between systems. Many applications use the local system time for various functions as well.
Okay, so this probably isn’t a new concept to you. We all know that everything needs to point to an NTP server. Many engineers utilize public time servers, like the ones available from nist.gov or pool.ntp.org, while others simply use the servers provided by their ISP. While these are perfectly valid and accurate time sources, there is an even better option.
NTP appliances are purpose-built for providing time to devices on the network. They synchronize with stratum 0 time sources using GPS, CDMA, or NIST radio transmissions. Many of these appliances also have built-in hardware clocks that can be used if the primary time source becomes unavailable. This results in a very accurate and resilient source of time.
NTP inherently comes with a few vulnerabilities. The two main concerns are spoofed server responses and DoS attacks. The best way to protect against these types of attacks is to use access-lists and authentication. Unfortunately, many organizations do not implement these measures because of the added overhead of managing authentication with public servers and the hierarchical approach usually used to limit NTP queries traversing the Internet edge.
With a dedicated NTP appliance, implementing these security measures is much simpler and more efficient. The time server can be configured with the keys necessary for authenticating queries, and with access lists to prevent unauthorized control messages. The rest of the devices on the network can then be set up with the proper keys for authentication with the time server(s) and a very simple access list.
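To make the "spoofed server responses" concern and the key-based authentication fix concrete, here is an added example (not code from the original post, and not any vendor's implementation) that builds an NTPv4 client request and server reply in memory, appends the symmetric-key authenticator defined in RFC 5905 Section 7.3 (a 32-bit key id followed by MD5 over the shared key and the packet), and shows the client-side check rejecting a reply that was altered, signed with a guessed key, signed under an unknown key id, or sent without any MAC at all. It also shows the origin-timestamp check that NTP clients use alongside the MAC, because a MAC alone does not stop an old, genuinely signed reply from being replayed. The key id, shared secret, timestamps and reference ID are constructed sample values.

```python
"""Symmetric-key NTP packet authentication (RFC 5905, Section 7.3).

Added example, not code from the original post. Key ids, the shared
secret, timestamps and the reference ID are constructed sample values.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                    # fixed NTPv4 header, no extension fields
MD5_MAC_LEN = 4 + 16               # 32-bit key id + 128-bit MD5 digest


def to_ntp_timestamp(unix_seconds: float) -> bytes:
    """Pack a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def from_ntp_timestamp(raw: bytes) -> float:
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_header(mode: int, stratum: int, transmit_unix: float,
                 origin_unix: float = 0.0, receive_unix: float = 0.0) -> bytes:
    """Build a 48-byte NTPv4 header. mode 3 = client request, mode 4 = server reply."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode        # LI=0, VN=4, mode
    # LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, reference ID
    fixed = struct.pack("!BBbbII4s", li_vn_mode, stratum, 6, -20, 0, 0, b"GPS\x00")
    reference_ts = b"\x00" * 8                       # reference timestamp unused here
    return (fixed + reference_ts
            + to_ntp_timestamp(origin_unix)          # bytes 24:32
            + to_ntp_timestamp(receive_unix)         # bytes 32:40
            + to_ntp_timestamp(transmit_unix))       # bytes 40:48


def compute_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """MAC = key id || MD5(key || packet), the MD5-key form from RFC 5905 Section 7.3."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    return packet + compute_mac(key_id, key, packet)


def verify(message: bytes, trusted_keys: dict[int, bytes]) -> bool:
    """True only if the message carries a MAC made with a key id in the trusted list."""
    if len(message) != HEADER_LEN + MD5_MAC_LEN:
        return False                                 # no MAC, or unexpected length
    packet, mac = message[:HEADER_LEN], message[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                                 # key id not trusted
    return hmac.compare_digest(mac, compute_mac(key_id, key, packet))


def origin_matches(reply: bytes, request: bytes) -> bool:
    """A reply must echo our request's transmit timestamp as its origin timestamp."""
    return reply[24:32] == request[40:48]


def transmit_time(message: bytes) -> float:
    return from_ntp_timestamp(message[40:48])


def demo() -> dict[str, bool]:
    """Constructed exchange: the client trusts key id 1; the forger does not know the key."""
    trusted = {1: b"correct-horse-battery"}         # constructed shared secret
    t1 = 1700000000.0                               # constructed client transmit time
    request = authenticate(build_header(3, 0, t1), 1, trusted[1])
    t2 = t1 + 0.004                                 # appliance receive time
    reply = authenticate(build_header(4, 1, t2 + 0.0001, t1, t2), 1, trusted[1])
    # Replies that must fail verification on the client:
    tampered = bytearray(reply)
    tampered[40:48] = to_ntp_timestamp(t2 + 3600)   # transmit time shifted, old MAC kept
    wrong_key = authenticate(build_header(4, 1, t2, t1, t2), 1, b"guessed-key")
    unknown_id = authenticate(build_header(4, 1, t2, t1, t2), 99, trusted[1])
    no_mac = build_header(4, 1, t2, t1, t2)
    # A genuinely signed reply to an earlier request: MAC passes, origin check does not
    old_t1 = t1 - 64
    replayed = authenticate(build_header(4, 1, old_t1 + 0.004, old_t1, old_t1 + 0.004),
                            1, trusted[1])
    return {
        "genuine": verify(reply, trusted) and origin_matches(reply, request),
        "tampered": verify(bytes(tampered), trusted),
        "wrong_key": verify(wrong_key, trusted),
        "unknown_key_id": verify(unknown_id, trusted),
        "no_mac": verify(no_mac, trusted),
        "replayed_mac_ok": verify(replayed, trusted),
        "replayed_origin_ok": origin_matches(replayed, request),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The appliance-side access list from the paragraph above is the other half: the MAC stops a forged reply from being accepted, while the access list keeps unauthenticated control messages (the mode-6/7 queries used for remote configuration and status) from reaching the server at all. Note that `verify` only accepts messages of exactly header-plus-MAC length, so an unauthenticated 48-byte reply is rejected outright rather than silently trusted.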
There are several other features that many of these appliances provide, which enhance basic NTP operation. For example, Precision Time Protocol (PTP) is similar to NTP, but it tends to be much more accurate. PTP can consistently provide accuracy in the nanosecond range, whereas NTP tends to be in the 1 to 2 millisecond range.
Another capability of many NTP appliances is operating in broadcast or multicast modes. These modes provide even more flexibility in the time synchronization design. In addition to this, the special manycast mode can be used to provide even more resiliency.