1.6.1 Configure at least 3 external NTP Servers - ntp source-interface

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Accurate time is a critical piece of security infrastructure. Without accurate time on all infrastructure, it is complex or even impossible to correlate events from multiple sources to get an accurate view of a security incident or technical issue. Using multiple sources gives redundancy in time sources. In most infrastructures, for efficiency only a small subset of devices (often a redundant pair of routers or switches) will use redundant external time sources. All other infrastructure will then synchronize time from them. This also means that any perimeter firewalls can be configured to limit NTP requests to the public internet to just those sources and destinations. The exception would of course be if the organization has an on-premise, internal atomic or GPS based network time source. Even in those situations an tiered NTP infrastructure is generally recommended on the internal network.

Rationale:

Accurate time is a critical piece of security infrastructure. Without accurate time on all infrastructure, it is complex or even impossible to correlate events from multiple sources to get an accurate view of a security incident or technical issue. Also, without accurate time authentication issues can arise. If an attacker can influence the NTP traffic, it is possible to 'back-date' NTP responses to permit the use of older certificates, or 'forward-date' NTP responses to invalidate any certificates in use on the device. Using multiple sources gives redundancy in time sources. If a management network is in use in the infrastructure, using the management VRF to source time can help to protect NTP response traffic from tampering. It is key to set an NTP source interface, so that any perimeter devices can be configured to permit NTP requests from those IP addresses, and to restrict NTP requests to a list of authorized IP addresses. Be sure that this is a 'reliable' interface. In many cases this means using a loopback interface, so that any of several interfaces can be used to route the request to the NTP server. If a non-loopback interface is used, understand that if that interface is in a down state then NTP requests will not be sent.

Impact:

Accurate time is a critical piece of security infrastructure. Without accurate time on all infrastructure, it is complex or even impossible to correlate events from multiple sources to get an accurate view of a security incident or technical issue.

Solution

If the default VRF is used (note that the IP addresses are for demonstrations purposes only, production configurations will likely vary):

switch(config)#ntp server 13.86.101.172 use-vrf default
switch(config)#ntp server 132.163.97.6 use-vrf default
switch(config)#ntp server 132.246.11.231 use-vrf default
switch(config)#ntp source-interface loopback1

If a management VRF is used:

switch(config)#ntp server 13.86.101.172 use-vrf management
switch(config)#ntp server 132.163.97.6 use-vrf management
switch(config)#ntp server 132.246.11.231 use-vrf management
switch(config)#ntp source-interface loopback1



Default Value:

NTP settings are not in the default confguration, they must be added. If a source VRF is not specified, the default VRF is used If a source interface is not specified, the interface that is topologically closest to the NTP service is used.

See Also

https://workbench.cisecurity.org/files/3102