netsec-sig - Re: [Security-WG] I2 - Turning off NTP?

Subject: Internet2 Network Security SIG

Re: [Security-WG] I2 - Turning off NTP?


  • From: "Spurling, Shannon" <>
  • To: "" <>
  • Subject: Re: [Security-WG] I2 - Turning off NTP?
  • Date: Tue, 25 Jul 2017 14:19:00 +0000

If you can't configure purely client mode, keep anyone from talking to the NTP port on the system. Only NTP requests to the router should use that port. All requests from the router should come from higher number ports, right? I think you can put an access list on the control plane to limit that. When I see source and destination ports match, I always think someone is up to something.

I'd be worried that something in the chain between the logging server and the source might cause variance in time stamps at the server when an issue occurred. I'd think you want the time stamp as close to the actual source of the log as possible, to be as accurate as possible.


From: <> on behalf of Steven Wallace <>
Sent: Tuesday, July 25, 2017 9:07:40 AM
To:
Subject: Re: [Security-WG] I2 - Turning off NTP?
 
Does this suggest they can be configured in client-only mode?

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/network-time-protocol-time-server-time-services-configuring-qfx-series.html


> On Jul 25, 2017, at 9:59 AM, gcbrowni <> wrote:
>
> I wonder if anyone would be interested in engaging in a though experiment with me on turning off NTP on the routers?
>
> The Junipers, I believe, act as both clients and servers for NTP, with no options for disabling the server capability other than through filtering. I wonder, then, what the impact of simply disabling ALL NTP on the router would be?
>
> 1) I think you lose some convenience capabilities as you look through log files on the router, assuming non-trivial clock drift. You have to show system time to recall that the router thinks it's yesterday, before looking at the log files on the box proper.
>
> 2) You lose the ability to easily correlate messages between routers if their clocks don't match. I suspect this is mostly a non-issue since most(?) are sending logs to something like Splunk which can stamp the time for correlation purposes? I.e.: if you stamp on Splunk and only look at time correlated/aggregated messages on that box, then why do you need an accurate clock on the routers proper?
>
> 3) I suppose there's a corner case of a corner case where you lose your Splunk logs, and thus correlation, and are forced to correlate 'by hand' from the router logs proper.
>
> Anyone have thoughts or observations on this? I’m not proposing it be done, just asking some thought questions … is NTP still relevant on routers and/or does it justify the risk of running it?
>
> -G

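An added configuration example, not from any of the posts above and not taken from Juniper's documentation: a Junos loopback (Routing Engine) filter that implements the "keep anyone from talking to the NTP port" approach while leaving the router's own client queries working. One practitioner caveat it encodes: ntpd-derived clients, including the one in Junos, send their queries from UDP/123 and the servers answer back to UDP/123, so a blanket "drop anything to destination port 123" term would also drop the replies the router needs; the accept term for the configured servers therefore has to precede the deny term. The server addresses (192.0.2.10, 192.0.2.11), the loopback address (192.0.2.1), and the filter, term, prefix-list and counter names are placeholders chosen for this example.

```junos
## Added example (not from the thread): Junos RE-protection filter that lets
## the router act as an NTP client to two configured servers but drops every
## other packet aimed at UDP/123 on the router itself.
## Addresses and the filter/term/prefix-list/counter names are assumptions.

## The servers the router is allowed to sync from; source the queries from
## the loopback so the reply traffic is predictable.
set system ntp server 192.0.2.10
set system ntp server 192.0.2.11
set system ntp source-address 192.0.2.1

## Prefix list reused by the filter so the server set lives in one place.
set policy-options prefix-list ntp-servers 192.0.2.10/32
set policy-options prefix-list ntp-servers 192.0.2.11/32

## Term 1: replies from the configured servers. The router's client sends
## from UDP/123 and the servers answer to UDP/123, so this term must come
## before the generic deny or the router's own replies are dropped.
set firewall family inet filter protect-re term ntp-replies from source-prefix-list ntp-servers
set firewall family inet filter protect-re term ntp-replies from protocol udp
set firewall family inet filter protect-re term ntp-replies from source-port ntp
set firewall family inet filter protect-re term ntp-replies from destination-port ntp
set firewall family inet filter protect-re term ntp-replies then accept

## Term 2: anything else addressed to the router's NTP port, i.e. anyone
## trying to use it as a server or query it, is counted and dropped.
set firewall family inet filter protect-re term ntp-deny from protocol udp
set firewall family inet filter protect-re term ntp-deny from destination-port ntp
set firewall family inet filter protect-re term ntp-deny then count ntp-denied
set firewall family inet filter protect-re term ntp-deny then discard

## Terms for the management and routing protocols you actually run belong
## here; a real RE filter ends with an explicit final term per local policy.
set firewall family inet filter protect-re term everything-else then accept

## Apply on the loopback so the filter governs traffic to the Routing Engine.
set interfaces lo0 unit 0 family inet filter input protect-re
```

Commit it with `commit confirmed` so a mistake in the reply term (which would silently stop the router syncing) rolls itself back, then check `show ntp associations` still shows the configured servers as reachable and watch the `ntp-denied` counter in `show firewall filter protect-re` for the inbound requests the router is now refusing. The final `everything-else ... accept` is only there so the example is self-contained; in production the closing term is normally a discard after explicit accepts for SSH, BGP, SNMP and the rest. If the routers talk NTP over IPv6, the same two terms are needed under `family inet6` with `source-prefix-list` pointing at the v6 server addresses.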

