S 4.227 Use of a local NTP server for time synchronisation
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
In many situations, it is important in networked systems that all computers affected by a process have the correct system time. This is of particular importance when assessing logged information, for example to correctly correlate error messages indicating an attack over the network or when synchronisation problems arise in applications that are distributed among several computers. Distributed file systems and central authentication services also rely on a synchronised clock.
To set the system time correctly, most operating systems offer the option of querying an external time server using NTP (Network Time Protocol Version 3, RFC 1305) or SNTP (Simple Network Time Protocol Version 4, RFC 2030); both have since been superseded by NTP Version 4 (RFC 5905), which uses the same packet format and is what current implementations speak. Windows computers in an Active Directory domain also synchronise their system clocks with the clock of a domain controller via the Windows Time service.
There is a distributed infrastructure of public NTP time servers on the Internet. In Germany, for example, the Physikalisch-Technische Bundesanstalt (PTB) in Braunschweig as well as various universities offer such a service.
NTP traffic is sent in clear text and, as usually deployed, without cryptographic authentication (the protocol's optional symmetric-key authentication requires pre-shared keys, which public time servers do not share with arbitrary clients). NTP should therefore only be used within the organisation's own networks. If the public time server infrastructure on the Internet is to be used, a separate computer should be set aside for this purpose, and it should be the only one that obtains the time from the selected external time servers. The computers in the local network then synchronise their system clocks with this local NTP proxy. On the security gateway, NTP (UDP port 123) should in this case be permitted only for the NTP proxy server. Under no circumstances should all devices be allowed to send individual NTP requests directly to time servers on the Internet, especially in networks with high protection requirements.
Alternatively, a computer in the internal network that is equipped with a radio clock module (for example a DCF77 or GPS receiver) can be used as the local time server. When in doubt, this solution should be preferred.
If external sources (radio clocks, public NTP time servers, etc.) are used for time synchronisation, it must be ensured that the time information received is not accepted until it has been checked. The software of the local time server or of the NTP proxy must perform a plausibility check on the time information received before it is passed on to the other computers in the network. One example of such a check is to compare the local time with the newly received time and to reject the new time whenever the difference exceeds a predefined maximum; a source that itself reports that it is not synchronised should likewise be rejected.
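The following Python script is an added example that is not part of this safeguard or of any NTP implementation. It shows what such a plausibility check looks like on the wire: it parses the 48-byte NTP header shared by RFC 1305 and RFC 5905, and rejects a server reply if the server flags itself as unsynchronised (leap indicator 3), reports an implausible stratum, does not echo the transmit timestamp of our own request (a spoofed or stale reply), admits to too much error (root dispersion), or would step the local clock by more than an assumed limit. The threshold constants, the timestamps and the reply packets in run_demo() are all constructed for the example.

```python
"""Plausibility check for an NTP (v3/v4) server reply before the time is accepted
on a local time server or NTP proxy.  Added example, not part of BSI S 4.227 or of
any NTP implementation; all thresholds and sample packets are constructed."""
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_STEP_SECONDS = 1000.0          # assumed limit on an accepted clock step (ntpd's default panic threshold)
MAX_ROOT_DISPERSION = 1.0          # assumed limit on the error the server admits to, in seconds
HEADER = "!BBbbIIIQQQQ"            # LI/VN/Mode, stratum, poll, precision, root delay, root disp,
                                   # reference id, reference/origin/receive/transmit timestamps


def to_ntp(unix_seconds: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1: float) -> bytes:
    """Client packet (version 4, mode 3) carrying our transmit timestamp T1."""
    return struct.pack(HEADER, (0 << 6) | (4 << 3) | 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def build_response(request: bytes, t2: float, t3: float, *, li=0, stratum=2,
                   root_dispersion=0.01, origin=None) -> bytes:
    """Constructed server reply (mode 4).  A real server echoes the request's
    transmit timestamp as the origin timestamp; pass origin= to simulate a reply
    that does not belong to our request."""
    org = struct.unpack(HEADER, request)[10] if origin is None else origin
    return struct.pack(HEADER, (li << 6) | (4 << 3) | 4, stratum, 6, -20,
                       0, int(root_dispersion * 65536), 0,          # root delay, root disp (16.16), ref id
                       to_ntp(t2), org, to_ntp(t2), to_ntp(t3))


def check_response(request: bytes, response: bytes, t4: float):
    """Return (accepted, reason, offset_seconds).  T1 = our transmit time (taken
    from the request), T2/T3 = server receive/transmit, T4 = local time the reply
    arrived.  Offset and delay follow RFC 5905."""
    if len(response) < 48:
        return False, "short packet", 0.0
    (flags, stratum, _poll, _prec, _rdelay, rdisp, _refid,
     _ref, origin, recv, xmit) = struct.unpack(HEADER, response[:48])
    li, mode = flags >> 6, flags & 0x7
    if mode != 4:
        return False, f"not a server reply (mode {mode})", 0.0
    if li == 3:
        return False, "server reports its clock is not synchronised (LI=3)", 0.0
    if stratum == 0 or stratum > 15:
        return False, f"implausible stratum {stratum}", 0.0
    our_xmit = struct.unpack(HEADER, request)[10]
    if origin != our_xmit:
        return False, "origin timestamp does not match our request (spoofed or stale reply)", 0.0
    if rdisp / 65536 > MAX_ROOT_DISPERSION:
        return False, f"root dispersion {rdisp / 65536:.3f} s too large", 0.0
    t1, t2, t3 = from_ntp(our_xmit), from_ntp(recv), from_ntp(xmit)
    if (t4 - t1) - (t3 - t2) < 0:
        return False, "negative round-trip delay", 0.0
    offset = ((t2 - t1) + (t3 - t4)) / 2
    if abs(offset) > MAX_STEP_SECONDS:
        return False, f"offset {offset:+.1f} s exceeds maximum step of {MAX_STEP_SECONDS:.0f} s", offset
    return True, "ok", offset


def run_demo() -> dict:
    """Constructed exchanges against a fixed local clock (timestamps invented)."""
    t1, t4 = 1_700_000_000.000, 1_700_000_000.040   # request sent / reply received, local clock
    req = build_request(t1)
    return {
        # honest server 0.5 s ahead of us, 20 ms each way -> accepted, offset +0.5 s
        "half_second_ahead": check_response(req, build_response(req, t1 + 0.520, t1 + 0.520), t4),
        # server (or spoofer) 5000 s ahead -> rejected, step too large
        "five_thousand_seconds_ahead": check_response(req, build_response(req, t1 + 5000.020, t1 + 5000.020), t4),
        # server that has lost its own reference -> rejected
        "unsynchronised_server": check_response(req, build_response(req, t1 + 0.020, t1 + 0.020, li=3), t4),
        # reply whose origin timestamp is not ours -> rejected
        "wrong_origin": check_response(req, build_response(req, t1 + 0.020, t1 + 0.020, origin=to_ntp(t1 - 60)), t4),
        # stratum 0 (kiss-o'-death / unspecified) -> rejected
        "stratum_zero": check_response(req, build_response(req, t1 + 0.020, t1 + 0.020, stratum=0), t4),
        # server admitting to 5 s of error -> rejected
        "large_dispersion": check_response(req, build_response(req, t1 + 0.020, t1 + 0.020, root_dispersion=5.0), t4),
    }


if __name__ == "__main__":
    for name, (accepted, reason, offset) in run_demo().items():
        print(f"{name:30s} {'ACCEPT' if accepted else 'REJECT':6s} {offset:+9.3f} s  {reason}")
```

Production time daemons already contain this logic: ntpd refuses to step the clock by more than its panic threshold (1000 s by default, tuneable with the tinker panic directive) and exits instead, and chrony discards sources whose root distance exceeds maxdistance and only steps under the conditions given by makestep. The check for a matching origin timestamp is the standard defence against off-path spoofed replies and should never be disabled.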
Review questions:
- Does the security gateway permit NTP traffic to the Internet only from the central NTP proxy server?
- Is the time information received by the NTP proxy checked for plausibility before it is accepted and forwarded to the internal network?
- Is the local time server (NTP proxy or radio clock server) itself kept synchronised, either with the public time server infrastructure on the Internet or with a radio clock module?