netsec-sig - Re: [Security-WG] I2 - Turning off NTP?
Subject: Internet2 Network Security SIG
- From: Jeff Bartig <>
- To:
- Subject: Re: [Security-WG] I2 - Turning off NTP?
- Date: Tue, 25 Jul 2017 10:57:39 -0500
Note that the
configuration examples on that page for operating as a client or a
server are identical. If you configure ntp on a Juniper, it starts
listening on the NTP port on all available IP addresses on the chassis.
ntpd has the ability to do application layer restrictions of who it
will serve, but JUNOS doesn't appear to expose that capability in the
router configuration. Currently, best practice is to restrict NTP port
access to trusted hosts via firewall filtering, often on the loopback
interface.
On 7/25/17, 9:07 AM, Steven Wallace wrote:

Does this suggest they can be configured in client-only mode?
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/network-time-protocol-time-server-time-services-configuring-qfx-series.html

On Jul 25, 2017, at 9:59 AM, gcbrowni wrote:

I wonder if anyone would be interested in engaging in a thought experiment with me on turning off NTP on the routers? The Junipers, I believe, act as both clients and servers for NTP, with no options for disabling the server capability other than through filtering. I wonder, then, what the impact of simply disabling ALL NTP on the router would be?

1) I think you lose some convenience capabilities as you look through log files on the router, assuming non-trivial clock drift. You have to show system time to recall that the router thinks it's yesterday, before looking at the log files on the box proper.

2) You lose the ability to easily correlate messages between routers if their clocks don't match. I suspect this is mostly a non-issue since most(?) are sending logs to something like Splunk which can stamp the time for correlation purposes? I.e., if you stamp on Splunk and only look at time-correlated/aggregated messages on that box, then why do you need an accurate clock on the routers proper?

3) I suppose there's a corner case of a corner case where you lose your Splunk logs, and thus correlation, and are forced to correlate "by hand" from the router logs proper.

Anyone have thoughts or observations on this? I'm not proposing it be done, just asking some thought questions ... is NTP still relevant on routers and/or does it justify the risk of running it?

-G
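The filtering approach Jeff describes above (keep the NTP client, but only let trusted hosts reach the listener) can be expressed as a loopback firewall filter. The configuration below is an added illustration, not something posted in this thread or taken from Juniper's documentation. The filter and prefix-list names (PROTECT-RE, NTP-PEERS, NTP-MGMT) and the 192.0.2.0/24 addresses are made up for the example; the documentation-range addresses stand in for a site's real NTP servers and management hosts.

```junos
/* Added example: restrict NTP on the routing engine to trusted hosts.
   Names and addresses below are constructed for illustration. */
policy-options {
    /* Upstream time sources the router polls as a client; their replies
       arrive on UDP/123 and must be accepted. */
    prefix-list NTP-PEERS {
        192.0.2.10/32;
        192.0.2.11/32;
    }
    /* Management hosts that are allowed to query the router's NTP service. */
    prefix-list NTP-MGMT {
        192.0.2.0/28;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* Accept NTP from the configured servers and from management. */
            term ntp-trusted {
                from {
                    source-prefix-list {
                        NTP-PEERS;
                        NTP-MGMT;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* Everything else aimed at the NTP listener is dropped and counted,
               which gives a cheap indicator of who is probing the service. */
            term ntp-untrusted {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-untrusted;
                    syslog;
                    discard;
                }
            }
            /* Other RE traffic is left alone here; a production filter would
               add terms for SSH, SNMP, routing protocols, and so on. */
            term default-accept {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
system {
    ntp {
        server 192.0.2.10;
        server 192.0.2.11;
    }
}
```

Two operational points follow from this layout. First, the filter has to admit the replies from the router's own NTP servers as well as the queries it wants to serve; the server prefixes go in the accept term for that reason, and omitting them silently breaks the client. Second, the counter and syslog action on the discard term turn the exposed listener into a detection point: `show firewall filter PROTECT-RE` incrementing on ntp-untrusted is evidence that something outside the trusted set is talking to UDP/123 on the box. Apply a new loopback filter with `commit confirmed` so a mistake in the accept terms does not leave the routing engine unreachable.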