Transcript ntp server

Implementing Secure
Converged Wide Area
Networks (ISCW)
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
1
Configuring the NTP
Client
Lesson 10 – Module 5 – ‘Cisco Device Hardening’
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
2
Module Introduction
 The open nature of the Internet makes it increasingly important for
businesses to pay attention to the security of their networks. As
organisations move more of their business functions to the public
network, they need to take precautions to ensure that attackers do
not compromise their data, or that the data does not end up being
accessed by the wrong people.
 Unauthorised network access by an outside hacker or disgruntled
employee can wreak havoc with proprietary data, negatively affect
company productivity, and stunt the ability to compete.
 Unauthorised network access can also harm relationships with
customers and business partners who may question the ability of
companies to protect their confidential information, as well as lead
to potentially damaging and expensive legal actions.
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
3
Objectives
 At the completion of this tenth lesson, you will be able
to:
Explain how a router maintains an accurate time
Describe NTP and how it is configured
Configure NTP on a router as a server and a client
Associate with NTP servers
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
4
Understanding NTP
“Time has been invented in the universe so that
everything would not happen at once”
‘The NTP FAQ and HOWTO’ - http://www.ntp.org/ntpfaq/

Many features in a computer network depend on time
synchronisation, such as accurate time information in syslog
messages, certificate-based authentication in VPNs, ACLs with
time range configuration, and key rollover in routing protocol
authentication (EIGRP and RIP)

Most Cisco routers have two clocks: a battery-powered system
calendar in the hardware and a software-based system clock

These two clocks are managed separately
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
5
System Clock
 The heart of the router time service is the software-based system
clock
 This clock starts to keep track of time from the moment the system
starts
 The system clock can be set from a number of sources and can be
used to distribute the current time through various mechanisms to
other systems
 When a router with a system calendar is initialised or rebooted, the
system clock is set based on the time in the internal batterypowered system calendar
 The system clock can then be set manually or by using the
Network Time Protocol (NTP) - an Internet protocol used to
synchronise the clocks of network connected devices to some time
reference
NTP is an Internet standard protocol currently at v3 and specified in
RFC 1305
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
6
UTC - GMT
 UTC (Temps Universel Coordonné or, in English, Coordinated Universal
Time) is an official standard for the current time.
 UTC evolved from the former GMT (Greenwich Mean Time) that was
previously used to accurately set the clocks on sailing ships before they
left London for a long journey (very important to determine longitude and
avoid navigational embarrassment…..)
 Later GMT was adopted as the world's standard time. It has now been
replaced by UTC.
One of the reasons that GMT has been replaced as official standard time was
the fact that it was based on the mean solar time. Newer methods of time
measurement showed that the mean solar time varied appreciably.
 The main components of UTC:
Universal means that the time can be used everywhere in the world, It is
independent from time zones (i.e. it's not local time). To convert UTC to local
time, add or subtract the local time zone.
Coordinated means that several institutions contribute their estimate of the
current time, and UTC is built by combining these estimates.
The UTC second has been defined by the 13th General Conference of Weights and
Measures in 1967 as "The second is the duration of 9,192,631,770 periods of the
radiation corresponding to the transition between the two hyperfine levels of the ground
state of the cesium-133 atom."
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
7
Authoritative Time
 In a router, the system clock keeps track of time internally based
on UTC (which, despite the comment in the curriculum is not
technically the same as GMT…….)
 Information can be configured about the local time zone and
daylight savings time so that the time appears correctly relative to
the local time zone
 The system clock keeps track of whether the time is “authoritative”
or not (that is, whether the time has been set by a time source that
is considered to be “authoritative”)
 If the time is NOT considered authoritative, the time is available
only for display purposes and is not redistributed within the
network
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
8
NTP
 NTP is a protocol designed to time-synchronize a network of
machines. NTP runs over UDP, which in turn runs over IP
 An NTP network usually obtains the time from an authoritative time
source, such as a radio clock or an atomic clock attached to a time
server. NTP then distributes this time across the network. NTP is
extremely efficient; no more than one packet per minute is necessary
to synchronise two machines to within 1mS of one another
As of early 2007, NTP v4 has not completed IETF standardisation. RFC 1305
documents NTP v3
Cisco devices support only RFC specifications of NTPv3
 NTP uses the concept of a “stratum” to describe how many NTP
“hops” away a machine is from an authoritative time source
 A “stratum 1” time server typically has a radio or atomic clock
directly attached to the server; a “stratum 2” time server receives the
time via NTP from a “stratum 1” time server, etc, etc.
A machine that runs NTP automatically chooses the machine with the lowest
stratum number to communicate with via NTP as the machine’s time source
This strategy effectively builds a self-organising tree of NTP speakers
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
9
NTP

NTP is careful to avoid synchronising to a machine whose time may
not be accurate. NTP avoids doing so in two ways:
1. NTP never synchronises to a machine that is not synchronised itself
2. NTP compares the time that is reported by several machines and does not
synchronise to a machine whose time is significantly different than the
others, even if the machine’s stratum number is lower



ISCW-Mod5_L10
The communications (known as “associations”) between machines
that run NTP are usually statically configured; each machine is
given the IP address of all machines with which the machine should
form associations
Accurate timekeeping is possible by exchanging NTP messages
between each pair of machines with an association
In a LAN environment, NTP can be configured to use IP broadcast
messages instead
•
This alternative reduces configuration complexity because each machine
can be configured to send or receive broadcast messages.
•
However, the accuracy of timekeeping is marginally reduced because the
information flow is one-way only
© 2007 Cisco Systems, Inc. All rights reserved.
10
NTP Security
 The time that a machine keeps is a critical resource, so the
security features of NTP should be used to avoid the
accidental or malicious setting of incorrect time
 Two mechanisms are available:
1. an ACL-based restriction scheme
2. an encrypted authentication mechanism.
 Time service for a network should be derived from the public
NTP servers that are available on the Internet
• If the network is isolated from the Internet, the Cisco implementation
of NTP allows a machine to be configured so that the machine acts
as though the machine is synchronised via NTP when in fact the
machine has determined the time using other means.
• Other machines then synchronise to that machine via NTP
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
11
NTP Association
 When multiple sources of time (eg, manual
configuration) are available, NTP is always considered
to be more authoritative
 NTP time overrides the time set by any other method
 An NTP association can be a peer association (this
system is willing to either synchronise to the other
system or to allow the other system to synchronise to
it), or the association can be a server association (only
this system will synchronise to the other system, and
not vice versa)
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
12
NTP Basic Features - Overview
 A collected overview of NTP features:
NTP needs some reference clock that defines the true time to operate. All
clocks are set towards that true time. (It will not just make all systems agree on
some time, but will make them agree upon the true time as defined by some
standard)
NTP uses UTC as reference time (NOT GMT…..)
NTP is a fault-tolerant protocol that will automatically select the best of several
available time sources to synchronise to. Multiple candidates can be combined
to minimise the accumulated error. Temporarily or permanently insane time
sources will be detected and avoided
NTP is highly scalable. A synchronisation network may consist of several
reference clocks. Each node of such a network can exchange time information
either bidirectional or unidirectional. Propagating time from one node to another
forms a hierarchical graph with reference clocks at the top
Having available several time sources, NTP can select the best candidates to
build its estimate of the current time. The protocol is highly accurate, using a
resolution of less than a nanosecond (about 2^-32 seconds)
Even when a network connection is temporarily unavailable, NTP can use
measurements from the past to estimate current time and error
For formal reasons NTP will also maintain estimates for the accuracy of the
local time
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
13
Configuring NTP Authentication
 NTP services are enabled on all interfaces by default.
To disable NTP on a specific interface, use the ntp disable
command in the interface configuration mode.
 To authenticate the associations with other systems for
security purposes, use the commands in the “NTP
Authentication Commands” table (see next slide)
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
14
NTP Authentication Commands
Command
Description
ntp authenticate
Enables the NTP authentication feature. If this command
is specified, the system will not synchronize to a system
unless the system’s NTP messages carry one of the
authentication keys that you specify in the ntp trustedkey global configuration command.
ntp
Defines an authentication key. Message authentication
authentication-key support is provided using the MD5 algorithm. The key
number md5 value
type md5 is currently the only key type that this
command supports. The key value can be any arbitrary
string of up to eight characters.
ntp trusted-key
key-number
Defines trusted authentication keys.
The first command enables the NTP authentication feature. The second
command defines each of the authentication keys. Each key has a key
number, a type, and a value. Currently the only key type supported is md5.
Finally, a list of trusted authentication keys is defined. If a key is trusted,
this system is ready to synchronise to a system that uses this key in the
system’s NTP packets
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
15
Configuring NTP Authentication
Router(config)#
ntp authenticate
• Enables the authentication feature
Router(config)#
ntp authentication-key number md5 value
• Defines the authentication keys
• Used for both peer and server associations
Router(config)#
ntp trusted-key key-number
• Defines the trusted authentication keys
• Required to synchronise to a system (server association)
R1(config)#ntp authentication
R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs
R1(config)#ntp trusted-key 1
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
16
Configuring NTP Associations
 To configure a router as an NTP client, either create an association
to a server or configure the router to listen to NTP broadcast
packets.
ntp server: Although the router can be configured with either a peer or
a server association, NTP clients are typically configured with a server
association (meaning that only this system will synchronise to the other
system, and not vice versa).
To allow the software clock to be synchronised by an NTP time server,
use the ntp server command in global configuration mode.
 ntp broadcast client: In addition to or instead of creating unicast
NTP associations, the system can be configured to listen to
broadcast packets on an interface-by-interface basis
To do this, use the ntp broadcast client command in interface
configuration mode
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
17
Configuring NTP Associations
Router(config)#
ntp server {ip-address | hostname} [version number] [key
keyid] [source interface] [prefer]
• Forms a server association with another system
Router(config-if)#
ntp broadcast client
• Receives NTP broadcast packets
R1(config)#ntp server 10.1.1.1 key 1
R1(config)#ntp server 10.2.2.2 key 2 prefer
R1(config)#interface Fastethernet 0/1
R1(config-if)#ntp broadcast client
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
18
Configuring Additional NTP Options



To control access to NTP services, in addition to packet
authentication, a NTP access group can be created and a basic IP
ACL applied to it
To control access to NTP services, use the ntp access-group
command in global configuration mode
The access group options are scanned in the following order, from
least restrictive to most restrictive:
1. peer: Allows time requests and NTP control queries and allows the system
to synchronise itself to a system whose address passes the ACL criteria.
This option is used in scenarios where either the local or the remote system
can become the NTP source
2. serve: Allows time requests and NTP control queries but does not allow the
system to synchronise itself to a system whose address passes the ACL
criteria. This option lets you filter IP addresses of systems that can become
clients of the local system from which NTP control queries will be permitted
3. serve-only: Allows only time requests from a system whose address passes
the ACL criteria. This option lets you filter IP addresses of systems that can
become clients of the local system from which NTP control queries will be
denied
4. query-only: Allows only NTP control queries from a system whose address
passes the ACL criteria
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
19
Configuring Additional NTP Options
 If the source IP address matches the ACLs for more than one
access type, the first access type that is listed is granted. If no
access groups are specified, all access types are granted to all
systems. If any access groups are specified, only the specified
access types are granted
 When the system sends an NTP packet, the source IP address is
normally set to the address of the interface through which the NTP
packet is sent. Use the ntp source command in global
configuration mode to configure a specific interface from which the
IP source address will be taken
 ntp source interface
This interface is used for the source address for all packets sent to all
destinations. If a source address is to be used for a specific
association, use the source parameter on the ntp peer or ntp server
command
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
20
Implementing the NTP Server


Cisco IOS routers work as an NTP server by default.
As soon as a router is synchronised to an authoritative time
source, the router allows peers with lower stratum to
synchronise to that router:
Requires a peer association


You can make a router an authoritative NTP server, even if
the system is not synchronised to an outside time source.
Two options to establish a peer association:
1. Unicast
2. Broadcast

Same exchange control methods as those methods used
with client:
Packet authentication
Access group filtering
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
21
Configuring the NTP Server
Router(config)#
ntp peer ip-address [normal-sync][version number] [key
keyid] [source interface] [prefer]
• Forms a peer association with another system
Router(config)#
ntp master [stratum]
• Makes the system an authoritative NTP server
Router(config-int)#
ntp broadcast [version number][destination address][key keyid]
• Configures an interface to send NTP broadcast packets
R2(config)#ntp peer 10.1.1.1 key 1
R2(config)#ntp master 3
R2(config)#interface Fastethernet0/0
R2(config-int)#ntp broadcast
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
22
NTP Configuration Example
Source(config)#ntp
Source(config)#ntp
Source(config)#ntp
Source(config)#ntp
master 5
authentication-key 1 md5 secretsource
peer 172.16.0.2 key 1
source loopback 0
Intermediate(config)#ntp authentication-key 1 md5 secretsource
Intermediate(config)#ntp authentication-key 2 md5 secretclient
Intermediate(config)#ntp trusted-key 1
Intermediate(config)#ntp server 172.16.0.1
Intermediate(config)#ntp source loopback 0
Intermediate(config)#interface Fastethernet0/0
Intermediate(config-int)#ntp broadcast
Client(config)#ntp authentication-key 1 md5 secretclient
Client(config)#ntp trusted-key 1
Client(config)#interface Fastethernet0/1
Client(config-int)#ntp broadcast client
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
23
ISCW-Mod5_L10
© 2007 Cisco Systems, Inc. All rights reserved.
24