Making NTP a little more secure

I have NTP working on a 4431 router and the latest pen-test dinged us because it responds to clients on the outside.  I currently synchronize using the ntp.org pool addresses which works but still lets any outsider query the router.  Right now the configuration is pretty basic and the router synchronizes via the external interface

ntp server 0.pool.ntp.org

I do have an internal ntp server and can create more if needed but this router is outside the firewall and only has access to the internal network via the management interface.  Can I use the management interface as the source for ntp traffic like I do for syslog traffic?

logging source-interface GigabitEthernet0 vrf Mgmt-intf
logging host 10.212.3.23 vrf Mgmt-intf

If worst comes to worst, I can get a couple of cheap AWS Lightsail servers and turn them into NTP servers with authentication and iptables rules that stop any undesirable traffic.

Accepted Solution

johnd2310
Level 8

Hi,

Yes, use your internal NTP server and source NTP from your mgmt interface. You can then disable NTP on the external interface using the interface command "ntp disable". You could also deny NTP on the external interface using an access list. Not sure what your internal NTP server is running, but you could also secure NTP by using authentication.

ntp source GigabitEthernet0
ntp server x.x.x.x


interface "external"
  ntp disable

Thanks

John

**Please rate posts you find helpful**


Thank you.  That put me on the right track and it turned out to be simpler than I thought:

ntp server vrf Mgmt-intf ip.add.re.ss

Then disable ntp on the other interfaces and the auditors can go away happy and my routers are less likely to be abused in an ntp reflection DDoS.
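The thread's fix has three parts: reach the internal time source through the management VRF, put `ntp disable` on every interface that should not answer clients, and (per John's suggestion) authenticate the upstream association. The following audit script is an added example, not code from this thread or from Cisco; it parses an IOS-XE-style running-config and reports which of those three controls is missing. The two config excerpts, the interface names, the `10.212.3.40` server address and the `PLACEHOLDER-KEY` string are constructed for the example and are not the poster's actual configuration.

```python
import re
from typing import Dict, List, Tuple

# Constructed "before" running-config excerpt: pool server in the global table,
# outside and inside interfaces both still answer NTP, no authentication.
BEFORE_CONFIG = """\
ntp server 0.pool.ntp.org
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.212.3.10 255.255.255.0
!
interface GigabitEthernet0/0/0
 description outside
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/0/1
 description inside
 ip address 10.10.10.1 255.255.255.0
!
"""

# Constructed "after" excerpt following the thread's fix: server reached via the
# management VRF with a key, and ntp disable on every non-management interface.
AFTER_CONFIG = """\
ntp authentication-key 1 md5 PLACEHOLDER-KEY
ntp authenticate
ntp trusted-key 1
ntp source GigabitEthernet0
ntp server vrf Mgmt-intf 10.212.3.40 key 1
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.212.3.10 255.255.255.0
!
interface GigabitEthernet0/0/0
 description outside
 ip address 198.51.100.2 255.255.255.252
 ntp disable
!
interface GigabitEthernet0/0/1
 description inside
 ip address 10.10.10.1 255.255.255.0
 ntp disable
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")
# ntp server [vrf <name>] <host> [key <n>]  (other trailing options are ignored)
NTP_SERVER_RE = re.compile(r"^ntp server (?:vrf (\S+) )?(\S+)(?: key (\d+))?")


def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into global lines and per-interface stanzas.

    Interface sub-commands are the indented lines that follow an 'interface'
    line; a '!' or a non-indented line ends the stanza.
    """
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_ntp(config: str, mgmt_vrf: str = "Mgmt-intf") -> List[str]:
    """Return a list of findings; an empty list means all three controls are present."""
    findings: List[str] = []
    global_lines, interfaces = parse_config(config)

    # 1. Upstream association should be authenticated.
    authenticated = "ntp authenticate" in global_lines
    if not authenticated:
        findings.append("global: 'ntp authenticate' not configured; upstream time is unauthenticated")

    # 2. Servers should be reached through the management VRF, not the global table.
    servers = [m for m in (NTP_SERVER_RE.match(l) for l in global_lines) if m]
    if not servers:
        findings.append("global: no 'ntp server' configured")
    for m in servers:
        vrf, host, key = m.group(1), m.group(2), m.group(3)
        if vrf != mgmt_vrf:
            findings.append(f"global: ntp server {host} is reached via the global table, not vrf {mgmt_vrf}")
        if authenticated and key is None:
            findings.append(f"global: ntp server {host} has no 'key' although authentication is enabled")

    # 3. Every interface outside the management VRF should carry 'ntp disable'.
    for name, lines in interfaces.items():
        if f"vrf forwarding {mgmt_vrf}" in lines:
            continue  # the management interface is the intended NTP path
        if "ntp disable" not in lines:
            findings.append(f"interface {name}: answers NTP (no 'ntp disable')")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"== {label} ==")
        for f in audit_ntp(cfg) or ["no findings"]:
            print("  " + f)
```

Run against a saved `show running-config`, the "before" excerpt produces four findings (no authentication, pool server in the global table, and two interfaces that still answer NTP) and the "after" excerpt produces none. The script only looks for the interface-level `ntp disable` that the thread settled on; a router that instead relies on an access list would need a separate check for that.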