03-26-2020 11:16 PM
Hi
Two internet routers: version 15.5(3)S4b and ISR4431/K9.
We have configured only the NTP server 132.163.96.5 and have not enabled any NTP services on either router.
But our tool reports: NTP services running on internet routers.
Please help
Thanks
manse
03-27-2020 02:22 AM
- Please elaborate, I find your question unclear.
M.
03-27-2020 02:34 AM
Hi,
The moment you configure a router as NTP server (ntp master), or as NTP client (ntp server x.x.x.x), or as NTP peer (ntp peer x.x.x.x), it's going to open the NTP socket and start listening on UDP 123. You can verify this with "show control-plane host open-ports".
Regards,
Cristian Matei.
03-27-2020 08:14 AM
manse
I am not clear whether finding ntp services running on your routers is an issue, or is just a surprise. @Cristian Matei is exactly right that when you configure the router with ntp server so that your router will learn authoritative ntp time, then ntp services are inherently started on your router. If that is an issue, and if you want to restrict your router to learning ntp time but not sharing ntp time then you should look into configuring ntp access groups to limit what your router will do.
03-28-2020 12:17 AM
Hi Matei,
We have configured NTP Client (NTP server x.x.x.x) only.
The internal security scan found the router is vulnerable to the ntp mode 6 vulnerability (ntp mode 6 Botnet infections/vulnerable services).
Internet Security found the NTP service running on the internet routers.
Regards
Manse
03-28-2020 01:43 AM
Hello,
on a side note, you might want to have a look at the bug below:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum44673/?rfs=iqvred
03-29-2020 01:03 AM
Hi Georg,
Please suggest which IOS version we need to upgrade to.
Any other suggestion, ACL or IOS upgrade?
Thanks
03-29-2020 02:58 AM
- IOS is known to have security bugs concerning NTP; an alternative architecture would be Intranet NTP server/services -> DMZ NTP server -> ISP NTP services. A further benefit is that the NTP architecture becomes separate from routing and switching services.
M.
03-29-2020 11:12 PM
Hi
We have tested with the tool and found that router and switch NTP services are running.
4 devices are synchronized with the outside NTP server: NTP server 132.163.96.5.
Kindly find the attached file.
03-30-2020 02:54 AM
Hi,
An IOS upgrade will not close UDP port 123. You have the following options, from recommended to least recommended:
1. use internal NTP servers, and have an inbound ACL on your ISP-facing interface, where you drop traffic destined to the router on UDP 123
2. use external NTP servers, and configure ZBFW with a self-->outside policy, where you inspect egress NTP packets so that only return packets are allowed, so the Internet NTP servers cannot initiate a session towards your router
3. use external NTP servers, and have an inbound ACL on your ISP-facing interface, where you allow NTP traffic ONLY from your configured NTP servers.
Regards,
Cristian Matei.
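The ntp access-group approach from the earlier reply and option 3 above, written out as IOS configuration. This is an added example, not configuration from anyone in this thread; the server address is the one the thread uses, while the ACL names and the interface name GigabitEthernet0/0/0 are assumptions.

```cisco
! ---- Part 1: NTP client that only learns time (ntp access-group) ----
! ACL 10 lists the only address we exchange time with (address from the thread).
access-list 10 permit 132.163.96.5
! ACL 20 matches nothing; binding it to serve/serve-only/query-only refuses
! time requests and NTP control queries (the mode 6/7 class the scan flags).
access-list 20 deny any
!
ntp server 132.163.96.5
! peer: time exchange allowed only with the configured server
ntp access-group peer 10
! serve / serve-only: never hand out time to anyone
ntp access-group serve 20
ntp access-group serve-only 20
! query-only: never answer NTP control (mode 6/7) queries
ntp access-group query-only 20
!
! ---- Part 2: option 3, inbound ACL on the ISP-facing interface ----
! ACL name ISP-IN is an assumption; merge these lines into the inbound ACL
! you already apply on the uplink rather than replacing it.
ip access-list extended ISP-IN
 remark NTP replies only from the configured server, to our source port
 permit udp host 132.163.96.5 eq ntp any eq ntp
 remark Drop and log every other NTP packet aimed at us
 deny udp any any eq ntp log
 remark ... remaining entries of the existing inbound ACL go here ...
!
interface GigabitEthernet0/0/0
 description ISP uplink (interface name assumed)
 ip access-group ISP-IN in
!
! ---- Verification ----
! show ntp associations           -> configured server marked synchronized
! show ntp status                 -> "Clock is synchronized"
! show control-plane host open-ports
!   UDP 123 is still listed as open: the port stays bound by design, and
!   it is the access-group and interface ACL above that restrict who can use it.
```

With the access groups in place the router still sends its own client requests, so synchronization keeps working while unsolicited requests and control queries are refused before the NTP process handles them.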
03-30-2020 06:31 AM
Manse has explained that the issue is that their security team has run a scan and has identified a vulnerability associated with running ntp on their router. I do not believe that any of the suggestions from @Cristian Matei really address this. I believe that there is one other alternative to consider which is to configure ntp access groups which can limit (or prevent) the router providing ntp time to any other devices. And I am not clear whether this suggestion would be adequate to satisfy their security team.
03-30-2020 06:39 AM
Hi,
@Richard Burts "ntp mode 6 Botnet infections/vulnerable services" is a generic message, it is not really bound to a specific attack vector; it's pretty much saying that he's running NTP, which we know is vulnerable. The solution is for him to run stable code, which "guarantees" fewer bugs, and apply a solution to secure the NTP service as best as possible; alternatives would be the ones I mentioned or the NTP access-class, as you specified.
The moment you expose your router to the Internet for NTP, you can just forget about the security and stability of that device. You could combine it with CPPr to save the CPU, but you're still vulnerable, as this is how NTP is.
Regards,
Cristian Matei.
03-30-2020 09:09 PM
Hi
I am totally confused.
My internal servers are NTP synchronized with internet Router1 and Router2.
My internet routers and switches are NTP synchronized with the outside NTP server.
The internal security scan found the router is vulnerable to the ntp mode 6 vulnerability (ntp mode 6 Botnet infections/vulnerable services).
We found 4 devices with NTP services running.
03-30-2020 10:54 PM
Hi,
You just need to secure the NTP service, as right now it's wide open and anyone can access it. You were given a couple of options above.
Regards,
Cristian Matei.