2517 Views, 20 Helpful, 10 Replies

NTP Server problem.

Hello Experts,

 

I hope you all are doing great.

 

We have an NTP server in a customer's local network and we want to sync that NTP server with a global NTP server. The NTP traffic will traverse the Cisco ASA, so I just want to know what the best practice is that we have used when creating rules for inbound or outbound traffic on the ASA for NTP.

 

Currently we are using the rules below for NTP traffic on the ASA.

 

access-list Outside-to-Inside extended permit udp any host 10.x.x.x eq ntp
access-list Inside-to-Outside extended permit udp host 10.x.x.x any eq ntp

 

Thanks in advance.

 

 

10 Replies

My opinion:

 

access-list Outside-to-Inside extended permit udp any host 10.x.x.x eq ntp

 

However, if you know the NTP server IP address, then create an object-group and match it with that.

 

For example:

object-group network NTP-SERVER
 network-object host x.x.x.x
!
access-list Outside-to-Inside extended permit udp object-group NTP-SERVER host 10.x.x.x eq ntp

 

please do not forget to rate.

Marvin Rhoads
Hall of Fame

If the NTP requests originate from inside, you don't need the outside-to-inside ACL.

 

The ASA is a stateful firewall and will recognize the return traffic as part of a UDP flow that it has in the state table.

That's a good point.
Please rate comments and support
with regards,
Venkat

Hello Marvin Rhoads,

I appreciate your solution, but my question is: how do I permit the traffic for this 10.x.x.x (local NTP server) on the ASA to sync with global NTP servers? Do I use the public IP address of the global NTP server as the destination IP in the access rule, or do I allow any destination with UDP 123?

If you want to restrict the local NTP server to using one and only one public (global) NTP server, then specify that public NTP server as the destination IP.

 

If the internal server points to an FQDN (like pool.ntp.org, which resolves to multiple IP addresses) or you want to allow it to use any public NTP server without requiring further firewall ACL changes, then use "any" as the destination IP.

Thanks Marvin,

I want to point the internal server to an FQDN (like pool.ntp.org, which resolves to multiple IP addresses), but I want to ensure, if there is any chance of any cyber attack, whether it is safe to use "any" as the destination with UDP 123.

The "any" doesn't affect who can originate traffic from outside. It only allows the trusted inside NTP server to use any public server.

 

Only the return flows from the public NTP servers that your trusted server has selected will be allowed from outside to inside.

Thanks Marvin,

This is the only confusion I have: if anyone maliciously attacks our trusted local NTP server, how could we save our trusted NTP server?

I am looking forward to that best practice or workaround.

Best practice varies according to your risk profile.

 

Ultra secure is a dedicated NTP appliance with an antenna to GPS satellites. They encode precise timing and a dedicated appliance can derive NTP from that.

 

Anything Internet-based is less secure.

 

The next most secure would be a hardened Linux server running minimal services.

 

In the middle would be what many organizations do - distribute NTP from a core switch or other network device.

 

Less (least?) secure would be running a Windows server with NTP server enabled.

 

In all the Internet-based cases, if your trusted server is only configured to use a well-known (or few well-known) public NTP server(s) then your attack scenarios would have to be someone taking over those servers and targeting you (or the whole Internet) in an NTP-based attack. Most people would consider that a very unlikely scenario.

 

You could further lock it down by doing only authenticated ntp, however you have to register or subscribe for such services.

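The two points above, that only replies to requests the inside server itself sent come back through the ASA, and that authenticated NTP is the next step up, both rest on mechanics of the NTP packet that the thread does not show. The following is an added example written for this page, not code from the thread or from Cisco: an offline NTPv4 (RFC 5905) packet builder/parser with the client-side checks that make an unsolicited packet from "any" outside host useless even before the ASA state table drops it (the origin timestamp must echo the transmit timestamp of the request actually sent), plus the symmetric-key MAC (4-byte key id followed by MD5 over the 48-byte header, the form ntpd and chrony use with a shared key file) that "authenticated ntp" adds. The fixed clock value, key id 42 and the shared secret are constructed for the demonstration; no packets are sent.

```python
"""Added example (not from the thread): offline NTPv4 packets and the checks a
client applies before trusting a reply. No network traffic is generated."""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, refid,
# reference / origin / receive / transmit timestamps (64-bit each) = 48 bytes
HEADER_FMT = "!BBBbII4sQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAC_LEN = 4 + 16                   # key id + MD5 digest (RFC 5905 Appendix A)


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_request(transmit_ts: int, version: int = 4) -> bytes:
    """Mode 3 (client) request; only LI/VN/Mode and the transmit timestamp matter."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return struct.pack(HEADER_FMT, li_vn_mode, 0, 6, -20, 0, 0, b"\0\0\0\0", 0, 0, 0, transmit_ts)


def build_reply(request: bytes, stratum: int, refid: bytes, recv_ts: int, xmit_ts: int) -> bytes:
    """Mode 4 (server) reply: the request's transmit timestamp becomes the origin timestamp."""
    req = struct.unpack(HEADER_FMT, request[:HEADER_LEN])
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       recv_ts, req[10], recv_ts, xmit_ts)


def parse(packet: bytes) -> dict:
    """Decode the fixed header; anything after 48 bytes is treated as the MAC."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet (%d bytes)" % len(packet))
    f = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "refid": f[6], "reference_ts": f[7],
            "origin_ts": f[8], "receive_ts": f[9], "transmit_ts": f[10],
            "mac": packet[HEADER_LEN:]}


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Symmetric-key MAC as ntpd/chrony use it: key id, then MD5(key || header)."""
    digest = hashlib.md5(key + packet[:HEADER_LEN]).digest()
    return packet[:HEADER_LEN] + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, keys: Dict[int, bytes]) -> bool:
    mac = packet[HEADER_LEN:]
    if len(mac) != MAC_LEN:
        return False
    key = keys.get(struct.unpack("!I", mac[:4])[0])
    if key is None:                 # unknown key id: reject, never fall back to unauthenticated
        return False
    expected = hashlib.md5(key + packet[:HEADER_LEN]).digest()
    return hmac.compare_digest(expected, mac[4:])


def accept_reply(reply: bytes, sent_transmit_ts: int,
                 keys: Optional[Dict[int, bytes]] = None) -> Tuple[bool, str]:
    """Checks a client applies before trusting a reply to the request it sent."""
    try:
        p = parse(reply)
    except ValueError as err:
        return False, str(err)
    if p["mode"] != 4:
        return False, "not a server reply (mode %d)" % p["mode"]
    if p["stratum"] == 0 or p["stratum"] > 15:
        return False, "kiss-o'-death or unsynchronized source (stratum %d)" % p["stratum"]
    if p["origin_ts"] != sent_transmit_ts:
        return False, "origin timestamp does not match our request: unsolicited or spoofed"
    if keys is not None and not verify_mac(reply, keys):
        return False, "bad or missing MAC"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed exchange: a genuine reply, an unsolicited 'reply' from an outside
    host that never saw our request, and authenticated replies with a shared key."""
    now = 1700000000.25            # constructed fixed clock so the run is reproducible
    t1 = to_ntp_ts(now)
    request = build_request(t1)
    good = build_reply(request, 2, b"GPS\0", to_ntp_ts(now + 0.010), to_ntp_ts(now + 0.011))
    # The attacker has to guess the origin timestamp; here it guesses five seconds early.
    forged = build_reply(build_request(to_ntp_ts(now - 5)), 1, b"LOCL", t1, t1)
    keys = {42: b"constructed-shared-secret"}   # assumption: key id 42 as in an ntp.keys file
    signed = append_mac(good, 42, keys[42])
    tampered = signed[:1] + bytes([signed[1] ^ 0x01]) + signed[2:]   # flip a bit in stratum
    return {"good": accept_reply(good, t1),
            "forged": accept_reply(forged, t1),
            "signed": accept_reply(signed, t1, keys),
            "tampered": accept_reply(tampered, t1, keys),
            "unsigned_but_key_required": accept_reply(good, t1, keys)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-26s %s" % (name, verdict))
```

Running the file prints one verdict per case: the genuine and signed replies are accepted, the forged reply fails the origin-timestamp check, and once a key is configured an unsigned or bit-flipped reply is rejected rather than silently accepted. The origin check is the same reason an outbound-only "any" destination is not a door for outsiders: a packet that was not provoked by the inside server cannot carry a matching origin timestamp, and the ASA would already have no UDP flow for it.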
Thanks a lot Marvin.