Synchronized timing across your network – using a Trusted Time Source

Stable, reliable and accurate source of time is vital to the operation of your network. The need for synchronized time is critical for today’s network environments. Accurate time is essential to determining the order in which events occur and is a fundamental aspect of transaction integrity, logging/auditing, troubleshooting and forensics. Accurate, reliable time is necessary for business systems dealing with sensitive information where even minute variation and drift between time sources comprising the overall IT infrastructure and it is not acceptable.

Whilst Coordinated Universal Time (UTC) is freely available across the Internet it is not secure (as it is external to your firewall) and accuracy might be questionable (usually the source cannot be verified). A recent example with NTP amplification DDoS (Distributed Denial of Service) scenario made it very clear that having an UDP port open to the ingress traffic from the public network brings about multiple types of risk, including liability risk (damage caused to 3rd party done by the means of exploiting vulnerabilities present in your own assets).

Global Navigation Satellite System such as GPS bears all of the characteristics of a reliable Authoritative Time Source and its signal as it is broadcasted from space crafts in Earth’s orbit is available for anyone on the ground with the proper equipment to pick it up and use it.

High precision available 24 hours a day around the whole world is the main feature of the system which receives its information from the satellites of the American GPS (Global Positioning System).

NTP - FUNCTIONAL OVERVIEW

NTP is based on the principles of having all interconnected computers get as close as possible to the correct time – Coordinated Universal Time (UTC). A basic NTP network is composed of a time server and clients (workstations, routers, other servers, etc.). The function of a time server is to provide accurate time to the clients.

The individual clients run a small program as a background task that periodically queries the server for a precise UTC time reference. These queries are performed at designated time intervals (generally about every 15 minutes) in order to maintain the required synchronization accuracy for the network. The basic operation of the NTP is time stamping of data packets transferred between the server and the client.

The NTP protocol has a hierarchical design in order to prevent large numbers of clients from accessing the same primary time sources. This hierarchy should be adhered to, and a large number of clients should not be configured to overload a busy Stratum 1 Time Server. In addition, networks should be designed to minimize the number of servers that interact with public NTP servers (blocking port at the firewall). At the top of the hierarchy is what is accepted as the actual time - usually UTC. Each NTP Time Server is assigned a “stratum” level that corresponds with its distance from an accurate time source. Stratum 1 servers have direct access to a UTC time source (GPS). Stratum 2 servers receive their synchronization from Stratum 1 servers. Stratum 3 servers receive time from Stratum 2 servers and so on.

A Network Time Server is a device that uses radio frequency signals such as GPS to calculate the correct time.

NTP operates in a way that is basically different from that of most other timing protocols. NTP does not synchronize all connected clocks; instead it forms a hierarchy of timeservers and clients. Each level in this hierarchy is called a stratum, and Stratum 1 is the highest level. Timeservers at this level synchronize themselves by means of a reference time source such as a radio controlled clock, satellite receiver or modem time distribution. Stratum 1 Servers distribute their time to several clients in the network which are called Stratum 2.

Network Time Server – Key Features

SECURITY

NTP protocol as one of the most mature Internet protocols still in use has gone through a number of enhancements. Yet still, as for the network efficiency reason, it makes use of very simple connectionless datagram transport protocol UDP, whose message exchange happens over the specifically designated privileged port number 123. The idea of using privileged ports for trusted communication between networked nodes had some sense in the past but these days are long gone. Having your network open to traffic ingress on UDP/123 is a risk no organization should choose to accept, as UDP source is easily spoofable and popular NTP server addresses on the Internet are well known. With time on your servers corrupted anything becomes possible: expired/revoked digital certificates are good again, log files might be rendered unusable, accounts might be expired early, and transactional records could... Well, up to your imagination.

All communication is secured using crypto technology (SSH and SSL), and the NTP protocol implementation supports digest authentication (shared secret) and auto-key (asymmetric crypto). RNTrust (Formerly Recronet) experts can help you with configuring and hardening the NTP appliance to comply with the standards and security policy of your organization.

TOPOLOGY AND USE

Precision and stability of NTP is such that it is suitable for even the most demanding uses, such as synchronizing an LTE base station, while retaining performance of thousands of simultaneously served clients.

We are offering our experience with designing HA (high-availability) NTP solutions that fully employ properties of NTP mechanisms to select the best available source of time at any time. Our solutions include both Authoritative Stratum 1 NTP Server implementation as well as Stratum 2 Reliable Time Distribution Networks reaching to deliver accurate time to all of your networked nodes.

HIGH AVAILABILITY

IS STANDARDS

While performing IS risk assessments in many organizations, our specialist identified Trusted Time Source despite being the cornerstone of audit trail, and having a solution that is fairly inexpensive, is frequently missing. Both ITIL v3 and ISO/IEC 27002 list a requirement for time synchronization, and identify dependency on external sources as risk which 1+1 clearly points to the need of operating your own NTP Stratum 1 Time Source. Lately times are now changing as many national information assurance standards recognize Clock Synchronization as one of the priorities.

Information Security Standards in United Arab Emirates

With our local presence in the U.A.E. we are committed to helping organizations meet regulatory requirements as directed by local and federal cybersecurity authorities, who have recognized Information Systems Clock Synchronization as one of the priorities.

Abu Dhabi Government – Abu Dhabi Systems & Information Centre (ADSIC),
ADSIC Information Security Standard (V1:2009 and V2:2013)

Within ADSIC ISS, Clock Synchronization has been assigned P1 as suggested priority, and is declared mandatory for all categories of assets in an ADSIC ISS compliant organization

United Arab Emirates, National Electronic Security Authority (NESA),
National Information Assurance Framework (NIAF) Policy (version 1.0, 2013)

NESA is actively involved in providing strategic guidance to critical U.A.E. government entities, directing cyber security efforts on national level, ensuring trusted digital environment for both UAE public and business community.

NESA NIAF Policy – Implementation guidance (for information purpose only)

Where a computer or communications device has the capability to operate a real-time clock, this clock should be set to an agreed standard, e.g. Coordinated Universal Time (UTC) - or local standard time. As some clocks are known to drift with time, there should be a procedure that checks for and corrects any significant variation.

The correct interpretation of the date/time format is important to ensure that the timestamp reflects the real date/time. Local specifics (e.g. daylight savings) should be taken into account.

TIME AND PKI

When it comes to PKI, an accurate time is essential. The Issuing CA, and the computer system that uses the certificate, need to have synchronized time.  If the end user’s computer doesn’t have the same time as the Issuing CA, you could run into trouble.

Running a (CA) cluster relies on time even more.  With a two-node cluster, for example, each node needs to have the same time or data will be out of sync and possibly corrupted.

A Time Stamping Server needs to have an accurate time for legal purposes. Therefore, it is advisable to have your own, physical, Stratum 1 Authoritative Time Server, on your own network. This ensures that your time stamps are accurate and your system is the most efficient.

Microsoft has a build-in NTP client in most of their Windows Operating Systems. It is called SNTP (Simple Network Time Protocol). SNTP is not as accurate as using a NTP client, as the time difference with SNTP can be to 1 or 2 seconds. Though this is good enough for Kerberos Tickets issued by your Primary Domain Controller to work properly most of the time, we advise you to use a proper NTP client available at ntp.org.