12-21-2011 10:47 AM - edited 03-07-2019 04:00 AM
Hello network and maybe security gurus,
I've been beating my head against the above-said problem for quite a while. Our client has a very strict security policy and they require all standard protocols to comply with the expected behaviour. It was discovered that their 3750 switch running c3750-ipservicesk9-mz.122-25.SEE3 software and configured to sync its time with an external public NTP server triggers the IPS signature "DNS Info leak". The problem is that the switch initiates the packet on UDP port 53 and not, as I would expect, on port 123 for NTP. Of course I can tune the IPS sensor and make it not fire this signature, but the client needs to know why it is happening and whether it is faulty IOS software that doesn't comply with the rules.
12-21-2011 10:57 AM
Forgive the stupid question, but is the switch using an external DNS server to resolve the NTP server address, when it should be using an internal server?
12-21-2011 11:10 AM
Well, the switch has never had any idea about a DNS server, as it is not configured with one. And secondly, as far as I understand, NTP configuration on IOS devices is supposed to use IP addresses only. You can't enter the FQDN for the NTP server, i.e. nist.gov or something like this.
I have another question on NTP on the switch. It is a 3750 switch with a number of L3 interfaces (VLANs) configured:
Vlan1 unassigned
Vlan10 192.168.0.16
Vlan12 192.168.12.16
Vlan13 192.168.13.254
Vlan14 192.168.14.16
Vlan20 192.168.20.16
Vlan24 192.168.24.16
Vlan28 192.168.28.16
Vlan32 192.168.32.16
Vlan101 192.168.101.16
Vlan102 192.168.102.16
Why do I see NTP packets originating from the VLAN13 interface only, i.e. 192.168.13.254?
I don't have any NTP source interface configured on the switch:
3750#sh run | inc ntp
ntp authentication-key 10 md5 XXXXXXXXXXXXXX 7
ntp authenticate
ntp clock-period 36028792
ntp access-group peer 11
ntp access-group serve-only 12
ntp server 192.5.41.41 prefer
ntp server 128.249.1.1
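For the IPS question in the first post, the useful check is to look past the port number at the datagram itself: the signature keyed on UDP/53, but a 48-byte (or 68/72-byte, when an MD5/SHA-1 authenticator is appended) NTP request has a recognisable header, and a DNS query has a completely different one. The script below is an added example, not code from the thread or from Cisco; it classifies a UDP payload by structure and flags the case where the content is NTP but the port is not 123, which is exactly what the sensor should be tuned against rather than silenced. The sample payloads are constructed for illustration.

```python
"""Classify a UDP payload as NTP or DNS by header structure.

Added example (not from the original thread). Lets an analyst confirm whether
a UDP/53 datagram that tripped a DNS signature is really DNS, or an NTP request
sent on an unexpected port. All sample payloads below are constructed.
"""
import struct

# Constructed NTPv3 client request: first byte LI=0, VN=3, Mode=3 -> 0x1B,
# followed by 47 zero bytes (plain 48-byte header, no authenticator).
NTP_CLIENT_REQUEST = bytes([0x1B]) + bytes(47)

# Constructed NTPv3 client request with a 20-byte MD5 authenticator appended
# (4-byte key id + 16-byte digest), the shape 'ntp authenticate' produces.
NTP_AUTH_REQUEST = NTP_CLIENT_REQUEST + struct.pack("!I", 10) + bytes(16)

# Constructed DNS standard query for example.com, type A, class IN.
DNS_QUERY = (
    b"\x12\x34"                   # transaction id
    b"\x01\x00"                   # flags: QR=0 (query), opcode 0, RD=1
    b"\x00\x01"                   # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"     # QNAME
    b"\x00\x01\x00\x01"           # QTYPE A, QCLASS IN
)

NTP_HEADER_LEN = 48
# 48-byte header, optionally followed by a 20-byte (MD5) or 24-byte (SHA-1) MAC.
NTP_VALID_LENGTHS = {48, 68, 72}


def parse_ntp(payload: bytes):
    """Return NTP header fields if the payload is structurally NTP, else None."""
    if len(payload) not in NTP_VALID_LENGTHS:
        return None
    first = payload[0]
    leap = first >> 6
    version = (first >> 3) & 0x07
    mode = first & 0x07
    # Versions 1-4 exist; modes 1-5 are the unicast/broadcast association modes.
    if not (1 <= version <= 4 and 1 <= mode <= 5):
        return None
    return {"leap": leap, "version": version, "mode": mode,
            "stratum": payload[1],
            "authenticated": len(payload) > NTP_HEADER_LEN}


def parse_dns_query(payload: bytes):
    """Return the question if the payload is structurally a DNS query, else None."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    qr = flags >> 15
    opcode = (flags >> 11) & 0x0F
    if qr != 0 or opcode != 0 or qdcount < 1:
        return None
    # Walk the QNAME labels; each length octet must be 1..63 and stay in bounds.
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(payload):        # QTYPE and QCLASS must follow the name
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def classify_udp_payload(payload: bytes, dst_port: int) -> dict:
    """Label a datagram by content and note when content and port disagree."""
    dns = parse_dns_query(payload)
    ntp = None if dns is not None else parse_ntp(payload)
    if dns is not None:
        proto, detail = "dns", dns
    elif ntp is not None:
        proto, detail = "ntp", ntp
    else:
        proto, detail = "unknown", None
    expected = {"dns": 53, "ntp": 123}.get(proto)
    return {"protocol": proto,
            "port_mismatch": expected is not None and dst_port != expected,
            "detail": detail}


if __name__ == "__main__":
    # The situation from the thread: an NTP-shaped request seen on UDP/53.
    print(classify_udp_payload(NTP_CLIENT_REQUEST, 53))
    print(classify_udp_payload(NTP_AUTH_REQUEST, 123))
    print(classify_udp_payload(DNS_QUERY, 53))
```

The DNS check is tried first because a long DNS query can happen to start with a byte that decodes as a plausible NTP leap/version/mode field, whereas an NTP header never carries a non-zero QDCOUNT; the NTP check is then limited to the three lengths IOS-style requests actually have. Feed it the UDP payload the sensor captured and the "protocol" plus "port_mismatch" fields tell you whether the alert is a DNS leak or NTP on the wrong port.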