
Stratum 1 Time Server
Synchronized timing across your network – using a Trusted Time Source
A stable, reliable and accurate source of time is vital to the operation of your network. The need for synchronized time is critical in today’s network environments. Accurate time is essential to determining the order in which events occur and is a fundamental aspect of transaction integrity, logging/auditing, troubleshooting and forensics. Accurate, reliable time is necessary for business systems dealing with sensitive information, where even minute variation and drift between the time sources that make up the overall IT infrastructure is not acceptable.
While Coordinated Universal Time (UTC) is freely available across the Internet, it is not secure (the source is external to your firewall) and its accuracy may be questionable (usually the source cannot be verified). The recent NTP amplification DDoS (Distributed Denial of Service) attacks made it very clear that having a UDP port open to ingress traffic from the public network brings multiple kinds of risk, including liability risk (damage caused to third parties by exploiting vulnerabilities present in your own assets).
A Global Navigation Satellite System (GNSS) such as GPS has all the characteristics of a reliable Authoritative Time Source: its signal is broadcast from spacecraft in Earth orbit and is available to anyone on the ground with the proper equipment to receive and use it.
High precision, available 24 hours a day around the whole world, is the main feature of a system that receives its information from the satellites of the American GPS (Global Positioning System).
NTP - FUNCTIONAL OVERVIEW
NTP is based on the principle of having all interconnected computers get as close as possible to the correct time, Coordinated Universal Time (UTC). A basic NTP network is composed of a time server and clients (workstations, routers, other servers, etc.). The function of the time server is to provide accurate time to the clients.
Each client runs a small program as a background task that periodically queries the server for a precise UTC time reference. These queries are performed at designated time intervals (generally about every 15 minutes) in order to maintain the required synchronization accuracy for the network. The basic operation of NTP is the time stamping of packets exchanged between the server and the client.
The NTP protocol has a hierarchical design in order to prevent large numbers of clients from accessing the same primary time sources. This hierarchy should be adhered to, and a large number of clients should not be configured to overload a busy Stratum 1 Time Server. In addition, networks should be designed to minimize the number of servers that interact with public NTP servers (blocking the port at the firewall). At the top of the hierarchy is what is accepted as the actual time, usually UTC. Each NTP Time Server is assigned a “stratum” level that corresponds to its distance from an accurate time source. Stratum 1 servers have direct access to a UTC time source (GPS). Stratum 2 servers receive their synchronization from Stratum 1 servers. Stratum 3 servers receive time from Stratum 2 servers, and so on.
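The client/server exchange described above, as an added example written for this page (not the appliance's own software): it builds an NTPv4 client request, a constructed Stratum 1 reply, and derives the clock offset and round-trip delay from the four timestamps, rejecting replies that are unsynchronized, carry an invalid stratum, or whose origin timestamp does not echo the request.

```python
import struct

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
# LI/VN/mode, stratum, poll, precision, root delay, root dispersion, reference ID,
# then reference / origin / receive / transmit timestamps: 48 bytes in total.
HEADER_FMT = "!BBBbIIIQQQQ"

def to_ntp(unix_ts: float) -> int:
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_ts)
    return ((secs + NTP_EPOCH_OFFSET) << 32) | int((unix_ts - secs) * (1 << 32))

def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)

def build_request(t1_unix: float) -> bytes:
    """Client packet (VN=4, mode 3): only the transmit timestamp T1 is filled in."""
    return struct.pack(HEADER_FMT, (4 << 3) | 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1_unix))

def build_reply(stratum: int, refid: bytes, request: bytes, t2_unix: float, t3_unix: float) -> bytes:
    """Server packet (mode 4): echoes the request's T1 as origin, stamps receive T2 and transmit T3.
    Constructed for this example; a real appliance also fills in root delay and dispersion."""
    t1 = struct.unpack(HEADER_FMT, request)[10]
    return struct.pack(HEADER_FMT, (4 << 3) | 4, stratum, 6, -20, 0, 0,
                       int.from_bytes(refid, "big"), to_ntp(t2_unix - 1.0), t1,
                       to_ntp(t2_unix), to_ntp(t3_unix))

def parse_reply(pkt: bytes, request: bytes, t4_unix: float) -> dict:
    """Validate a reply received at local time T4 and derive clock offset and round-trip delay."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, _, _, _, _, refid, _, orig, recv, xmit = struct.unpack(HEADER_FMT, pkt[:48])
    li, mode = li_vn_mode >> 6, li_vn_mode & 7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if li == 3 or not 1 <= stratum <= 15:            # LI=3: clock unsynchronized; 0 or 16+: invalid
        raise ValueError(f"server unsynchronized (LI={li}, stratum={stratum})")
    # The origin timestamp must echo our own T1: a reply that fails this check was not sent
    # in answer to our request (e.g. a blindly spoofed UDP datagram) and is discarded.
    if orig != struct.unpack(HEADER_FMT, request)[10]:
        raise ValueError("origin timestamp mismatch")
    t1, t2, t3, t4 = from_ntp(orig), from_ntp(recv), from_ntp(xmit), t4_unix
    return {"stratum": stratum, "refid": refid.to_bytes(4, "big"),
            "offset": ((t2 - t1) + (t3 - t4)) / 2,   # local clock is this far behind the server
            "delay": (t4 - t1) - (t3 - t2)}          # round trip minus server processing time

def demo() -> dict:
    """Constructed exchange: client clock 0.5 s slow, 5 ms one-way delay, 1 ms server processing."""
    request = build_request(1_700_000_000.000)                                    # T1, client clock
    reply = build_reply(1, b"GPS\x00", request, 1_700_000_000.505, 1_700_000_000.506)  # T2, T3, server clock
    return parse_reply(reply, request, 1_700_000_000.011)                         # T4, client clock
```

Running `demo()` yields an offset of about 0.5 s and a delay of about 10 ms, the two quantities a client uses to discipline its clock and to weigh this server against others.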
PRODUCT
A Network Time Server is a device that uses radio frequency signals such as GPS to calculate the correct time.
NTP operates in a way that is basically different from that of most other timing protocols. NTP does not synchronize all connected clocks; instead it forms a hierarchy of timeservers and clients. Each level in this hierarchy is called a stratum, and Stratum 1 is the highest level. Timeservers at this level synchronize themselves by means of a reference time source such as a radio controlled clock, satellite receiver or modem time distribution. Stratum 1 Servers distribute their time to several clients in the network which are called Stratum 2.
Network Time Server – Key Features
- GPS synchronized Stratum 1 high performance NTP Server, equipped with stable internal oscillator
- Synchronization of NTP and SNTP compatible clients
- Supported networking protocols: IPv4, IPv6, HTTPS, HTTP, SSH, TELNET, SCP, SFTP, FTP, SYSLOG, SNMP
- Full SNMP v1, v2, v3 support with its own SNMP daemon for status and configuration, and SNMP Trap messages
- Support for the two most popular clock synchronization network time protocols:
  - RFC 1305, 4330 & 5905 NTP, and
  - IEEE 1588 PTP – Precision Time Protocol (optional, i.e. hardware timestamps)
- Suitable for Unix/Linux, Mac OS X and Windows Server stand-alone and Domain Controlled environments
- Web UI: health and status/performance monitoring, maintenance
- SD3 + C paradigm: Secure by Design, Secure by Default, Secure in Deployment, and Communications
- NTP versions v2, v3, v4 with broadcast / multicast mode, digest authentication and Autokey, SNTP and legacy protocols
- Front Panel LCD display for Current Time, Status and Configuration Access, web-based interface and SSH CLI
- Full administration supported through SSH CLI, accessible over IPv4 and IPv6
- Internal oscillator options for extended hold-over (Premium OCXO or Rubidium)
- Network port redundancy for High Availability
- Health and status monitoring via SNMP v1, v2c, v3 with Enterprise MIB
SECURITY
NTP, as one of the most mature Internet protocols still in use, has gone through a number of enhancements. Yet, for the sake of network efficiency, it still uses the very simple connectionless datagram transport protocol UDP, exchanging messages over the specifically designated privileged port 123. The idea of using privileged ports for trusted communication between networked nodes made some sense in the past, but those days are long gone. Having your network open to ingress traffic on UDP/123 is a risk no organization should choose to accept, as UDP source addresses are easily spoofable and the addresses of popular NTP servers on the Internet are well known. With the time on your servers corrupted, anything becomes possible: expired or revoked digital certificates are good again, log files might be rendered unusable, accounts might expire early, and transactional records could... well, that is up to your imagination.
All communication is secured using cryptography (SSH and SSL), and the NTP protocol implementation supports digest authentication (shared secret) and Autokey (asymmetric cryptography). RNTrust (formerly Recronet) experts can help you configure and harden the NTP appliance to comply with the standards and security policy of your organization.
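The shared-secret digest authentication mentioned above, as an added example that is not the appliance's own code: it verifies the RFC 5905 symmetric-key MAC (32-bit key id followed by digest(secret || header)) on a received packet against an ntp.keys-style file, assuming the classic "<key id> <type> <secret>" layout and a 48-byte header with no extension fields. MD5 is included only for compatibility with legacy clients; RFC 8573 specifies AES-CMAC as the current recommendation.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = {"MD5": 16, "SHA1": 20}   # digest types named in an ntp.keys-style file

# Constructed keys file for this example (assumed "<key id> <type> <secret>" layout).
KEYS_FILE = """\
1  MD5   example-md5-secret
10 SHA1  example-sha1-secret
"""

def parse_keys_file(text: str) -> dict:
    """Map key id -> (algorithm, secret bytes); '#' starts a comment."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            keyid, algo, secret = line.split(None, 2)
            keys[int(keyid)] = (algo.upper(), secret.encode())
    return keys

def compute_mac(algo: str, secret: bytes, keyid: int, header: bytes) -> bytes:
    """RFC 5905 symmetric-key MAC: 32-bit key id followed by digest(secret || message)."""
    return struct.pack("!I", keyid) + hashlib.new(algo.lower(), secret + header).digest()

def verify_packet(pkt: bytes, keys: dict) -> tuple:
    """Check the MAC trailing a 48-byte header; returns (accepted, reason)."""
    header, mac = pkt[:48], pkt[48:]
    if len(mac) < 4:
        return False, "unauthenticated"
    algo = next((a for a, n in DIGEST_LEN.items() if n == len(mac) - 4), None)
    if algo is None:
        return False, "unsupported MAC length"
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid == 0 or keyid not in keys:                  # key id 0 is reserved (crypto-NAK)
        return False, f"unknown key id {keyid}"
    key_algo, secret = keys[keyid]
    if key_algo != algo:                                 # refuse digest-type downgrades
        return False, "digest type does not match key"
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(compute_mac(algo, secret, keyid, header), mac):
        return False, f"bad digest for key {keyid}"
    return True, f"authenticated with key {keyid} ({algo})"

def demo() -> tuple:
    keys = parse_keys_file(KEYS_FILE)
    # Constructed Stratum 1 reply header: LI=0, VN=4, mode 4, stratum 1, refid "GPS".
    header = bytes([0x24, 1, 6, 0xEC]) + b"\x00" * 8 + b"GPS\x00" + b"\x00" * 32
    signed = header + compute_mac("SHA1", keys[10][1], 10, header)
    tampered = signed[:1] + bytes([2]) + signed[2:]       # stratum changed after signing
    return verify_packet(signed, keys), verify_packet(tampered, keys)
```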
TOPOLOGY AND USE
The precision and stability of NTP are such that it is suitable for even the most demanding uses, such as synchronizing an LTE base station, while still serving thousands of clients simultaneously.
We offer our experience in designing HA (high-availability) NTP solutions that fully employ the NTP mechanisms for selecting the best available source of time at any moment. Our solutions include both Authoritative Stratum 1 NTP Server implementations and Stratum 2 Reliable Time Distribution Networks that deliver accurate time to all of your networked nodes.
HIGH AVAILABILITY
IS STANDARDS
While performing IS risk assessments in many organizations, our specialists found that a Trusted Time Source, despite being the cornerstone of the audit trail and having a fairly inexpensive solution, is frequently missing. Both ITIL v3 and ISO/IEC 27002 list a requirement for time synchronization and identify dependency on external sources as a risk; taken together, these clearly point to the need to operate your own NTP Stratum 1 Time Source. Times are now changing, as many national information assurance standards recognize Clock Synchronization as one of the priorities.
Information Security Standards in United Arab Emirates
With our local presence in the U.A.E. we are committed to helping organizations meet regulatory requirements as directed by local and federal cybersecurity authorities, who have recognized Information Systems Clock Synchronization as one of the priorities.
Abu Dhabi Government – Abu Dhabi Systems & Information Centre (ADSIC),
ADSIC Information Security Standard (V1:2009 and V2:2013)
Within ADSIC ISS, Clock Synchronization has been assigned P1 as the suggested priority, and is declared mandatory for all categories of assets in an ADSIC ISS compliant organization.
V1 Control ID | V2 Control ID | Control Specification
---|---|---
CM-10.10.703 | OM.20.9 | The Entity should ensure that the internal clocks of information systems are synchronised with a common, independent time source to ensure that chronological information within log data can be relied upon
United Arab Emirates, National Electronic Security Authority (NESA),
National Information Assurance Framework (NIAF) Policy (version 1.0, 2013)
NESA is actively involved in providing strategic guidance to critical U.A.E. government entities, directing cyber security efforts at the national level and ensuring a trusted digital environment for both the UAE public and the business community.
Control ID | Priority | Applicability
---|---|---
T3.6.7 | P4 | BASED ON RISK ASSESSMENT CONTROL - The entity shall synchronize clocks of all relevant information systems with an agreed accurate time source
Sub-Controls (“The entity shall:”)
- 1) Define the date/time format and the standard time to be used in all systems
- 2) Define the stratum level of clocks needed for each type of network element
- 3) Regularly check that the clocks of all relevant information processing systems are synchronized
NESA NIAF Policy – Implementation guidance (for information purpose only)
Where a computer or communications device has the capability to operate a real-time clock, this clock should be set to an agreed standard, e.g. Coordinated Universal Time (UTC) or local standard time. As some clocks are known to drift over time, there should be a procedure that checks for and corrects any significant variation.
The correct interpretation of the date/time format is important to ensure that the timestamp reflects the real date/time. Local specifics (e.g. daylight savings) should be taken into account.
TIME AND PKI
When it comes to PKI, accurate time is essential. The Issuing CA and the computer system that uses the certificate need to have synchronized time. If the end user’s computer does not have the same time as the Issuing CA, you could run into trouble.
Running a CA cluster relies on time even more. With a two-node cluster, for example, each node needs to have the same time or data will be out of sync and possibly corrupted.
A Time Stamping Server needs to have accurate time for legal purposes. Therefore, it is advisable to have your own physical Stratum 1 Authoritative Time Server on your own network. This ensures that your time stamps are accurate and your system is the most efficient.
Microsoft has a built-in NTP client in most of its Windows operating systems. It is called SNTP (Simple Network Time Protocol). SNTP is not as accurate as an NTP client, as the time difference with SNTP can be up to 1 or 2 seconds. Though this is good enough for Kerberos tickets issued by your Primary Domain Controller to work properly most of the time, we advise you to use a proper NTP client, available from ntp.org.
FREE WEBINAR ON STRATUM 1 TIME - SECURING FROM NTP REFLECTION ATTACK
- 1 Hour Free Webinar
- SCHEDULE: Every Wednesday
- TIME: 03:00PM
- COST: FREE
- Sessions will be conducted through Microsoft Teams
FREE WEBINAR ON HOW TO SECURE AND MITIGATE RISK FOR YOUR NTP SERVER FROM CYBERSECURITY THREATS AND VULNERABILITIES
- 1 Hour Free Webinar
- SCHEDULE: Every Tuesday
- TIME: 03:00PM (KSA TIME)
- COST: FREE
- Sessions will be conducted through Microsoft Teams