Solved: Secure NTP Server

Mokhalil82 · ‎09-06-2018

Hi

We want to setup a NTP Server that can supports authentication. Currently all the network devices use the DC as a NTP server which does not support authentication from what I have been told.

NTP authentication is required as part of our security audits.

What do others use for NTP authentication?

LJ Gabrillo · ‎09-06-2018

You can try:

1. The built-in w32tm service in any windows machine. You do need to tweak registry codes in order for it to support cisco devices. Check this: https://learningnetwork.cisco.com/thread/36181

2. If you're a linux guy try Linux Servers. It's free and supports your requirement. Complex though. I wont share the link here since it's a bit complex. I don't even use considering you have an authentication requirement

3. Cisco routers can be set to be your NTP servers as well. Here's a simple guide
https://www.freeccnaworkbook.com/workbooks/ccna/configuring-the-cisco-ios-ntp-server

If you want to add authentication, use the ff. commands on your server and client
#conf t
#ntp authenticate
#ntp authentication-key 1 md5 <DESIRED KEY>
#ntp trusted-key 1

4. 3rd party software that is installed on your computer, heck just google NTP Software and you'll see a bunch of results, Meinberg NTPd, is a common one.

All should meet your requirements i.e., authentication, I would stick to the software though, it's a bit easier. There's a UI

View solution in original post

LJ Gabrillo · ‎09-07-2018

"I was thinking of using a router in each of the 2 DCs as a NTP server (primary and secondary) which syncs its clock with an external source. "

Yes this is possible and is actually the current setting: By default all domain-computers NTP is the active-directory, the Active-Directory syncs their time with time.windows.com, the external source your are talking about.

"...All the site routers sync with the DC routers, and the site switches sync with the site routers. So a hierarchical setup"
This one is on your network equipment side: As far as I understand you have two(2) routers in your head-office, and router or routers per site. You can set them up in hierarchy as well

Two routers in Head-Office sync their time with an external source, provide NTP to the site routers
Site router sync their time with the primary router, backup secondary router.

Site devices sync their time with their respective site router

The Head-Office routers are set to Stratum 3, while the site office is set to Stratum 4

PS: Stratum defines the authoritativeness of an NTP server. The lower the number the more authoritative it is. Dont go lower than 3

View solution in original post

LJ Gabrillo · ‎09-06-2018

You can try:

1. The built-in w32tm service in any windows machine. You do need to tweak registry codes in order for it to support cisco devices. Check this: https://learningnetwork.cisco.com/thread/36181

2. If you're a linux guy try Linux Servers. It's free and supports your requirement. Complex though. I wont share the link here since it's a bit complex. I don't even use considering you have an authentication requirement

3. Cisco routers can be set to be your NTP servers as well. Here's a simple guide
https://www.freeccnaworkbook.com/workbooks/ccna/configuring-the-cisco-ios-ntp-server

If you want to add authentication, use the ff. commands on your server and client
#conf t
#ntp authenticate
#ntp authentication-key 1 md5 <DESIRED KEY>
#ntp trusted-key 1

4. 3rd party software that is installed on your computer, heck just google NTP Software and you'll see a bunch of results, Meinberg NTPd, is a common one.

All should meet your requirements i.e., authentication, I would stick to the software though, it's a bit easier. There's a UI

LJ Gabrillo · ‎09-06-2018

If ever you are using a Cisco Router as your NTP server, make sure to choose a router that has a hardware clock in it, in case it reboots, it will still maintain the time. You can verify if a router has a hardware clock using the command "show calendar" if the command doesnt exist or does gets rejected, then that device has no hardware clock

Mokhalil82 · ‎09-07-2018

Thankyou for the info.

I was thinking of using a router in each of the 2 DCs as a NTP server (primary and secondary) which syncs its clock with an external source. Then all the site routers sync with the DC routers, and the site switches sync with the site routers. So a hierarchical setup.

Does this seem like a design to go for as it also supports authentication?

LJ Gabrillo · ‎09-07-2018

"I was thinking of using a router in each of the 2 DCs as a NTP server (primary and secondary) which syncs its clock with an external source. "

Yes this is possible and is actually the current setting: By default all domain-computers NTP is the active-directory, the Active-Directory syncs their time with time.windows.com, the external source your are talking about.

"...All the site routers sync with the DC routers, and the site switches sync with the site routers. So a hierarchical setup"
This one is on your network equipment side: As far as I understand you have two(2) routers in your head-office, and router or routers per site. You can set them up in hierarchy as well

Two routers in Head-Office sync their time with an external source, provide NTP to the site routers
Site router sync their time with the primary router, backup secondary router.

Site devices sync their time with their respective site router

The Head-Office routers are set to Stratum 3, while the site office is set to Stratum 4

PS: Stratum defines the authoritativeness of an NTP server. The lower the number the more authoritative it is. Dont go lower than 3

LJ Gabrillo · ‎09-07-2018

If you want more details about what a Stratum is, check this link:
https://ntpserver.wordpress.com/2008/09/10/ntp-server-stratum-levels-explained/