JUEX-NM-000430 - The Juniper EX switch must be configured to synchronize internal information system clocks using redundant authoritative time sources.

Information

The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.

Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.

DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: A time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

Solution

Configure the network device to synchronize internal information system clocks with the primary and secondary time sources.

set system ntp authentication-key 1 type sha256
set system ntp authentication-key 1 value 'PSK'
set system ntp authentication-key 2 type sha1
set system ntp authentication-key 2 value 'PSK'
set system ntp server <address 1> key 1
set system ntp server <address 1> prefer
set system ntp server <address 2> key 2
set system ntp trusted-key 1
set system ntp trusted-key 2
set system ntp source-address <lo0 or OOBM address>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-8(1), 800-53|AU-8(2), CAT|II, CCI|CCI-004922, CCI|CCI-004923, CCI|CCI-004928, Rule-ID|SV-253920r997748_rule, STIG-ID|JUEX-NM-000430, Vuln-ID|V-253920

Plugin: Juniper

Control ID: b1541e6d159b3c457795a8a7c6c019e29092ba79f181221aa12ada294264374f