NTP Best Practices

Here are a few characteristics of what a correct or valid NTP architecture should contain:

Security considerations

  • NTP is now a potential data exfiltration channel.
  • NTP is a highly preferred DDoS mechanism. You don’t want your exploited systems to unknowingly be part of an attack on someone else.

Architectural considerations

  • You need to make the architectural decision to maintain NTP servers inside your network, or build dependency on all external NTP sources.
  • You must have 3 or more sources of NTP in your architecture.
    • 1 source won’t know when it is wrong.
    • 2 sources will tell you something is wrong, but you won’t know which is correct.
    • 3 sources enable you to know something is wrong, and know which source is wrong.
    • 4 sources give you N+1 redundancy for the 3 source requirement.
  • You should not allow TCP/UDP 123 to flow unrestricted in and out of your internet connection.
  • You need to make an architectural decision to operate precision NTP clocks or just NTP servers.
  • An NTP server is a software process that is dependent on other NTP sources to maintain precision.
  • An NTP clock is a high-precision hardware clock that provides accurate time to an NTP software process.
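The "1 / 2 / 3 / 4 sources" rules above are what NTP's selection algorithm does with the error intervals it gets from each source. The following is an added example, not code from the original page: a simplified Marzullo-style interval intersection in Python, run over constructed sample offsets (the source names and numbers are made up). With one source a bad clock is undetectable, with two disagreeing sources there is no majority, and from three upward the minority is identified as the falseticker; dropping one of four agreeing sources still leaves three, which is the N+1 point.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Source:
    """One NTP source as seen from the local clock (constructed sample values)."""
    name: str
    offset: float      # measured offset of the local clock vs this source, seconds
    max_error: float   # error bound around that offset (root distance), seconds

    def interval(self) -> Tuple[float, float]:
        return (self.offset - self.max_error, self.offset + self.max_error)


def intersect(sources: List[Source]) -> Tuple[List[Source], List[Source]]:
    """Simplified Marzullo intersection: find the largest group of sources whose
    error intervals share a common point. Those are the 'truechimers'; everything
    outside that point is a 'falseticker'. Ties go to the first interval scanned."""
    if not sources:
        raise ValueError("at least one source is required")
    edges = []
    for s in sources:
        lo, hi = s.interval()
        edges.append((lo, -1))   # interval opens
        edges.append((hi, +1))   # interval closes
    # Sort by position; at equal positions opens (-1) sort before closes (+1),
    # so intervals that merely touch still count as overlapping.
    edges.sort()
    best, depth, best_point = 0, 0, None
    for pos, kind in edges:
        if kind == -1:
            depth += 1
            if depth > best:
                best, best_point = depth, pos
        else:
            depth -= 1
    good = [s for s in sources if s.interval()[0] <= best_point <= s.interval()[1]]
    bad = [s for s in sources if s not in good]
    return good, bad


def assess(sources: List[Source]) -> dict:
    """Map the intersection result onto the source-count rules:
    1 source        -> a wrong source is undetectable
    no majority     -> something is wrong, but you cannot say which source
    majority agrees -> the minority is identified as wrong"""
    n = len(sources)
    if n == 1:
        return {"status": "undetectable", "wrong": []}
    good, bad = intersect(sources)
    if 2 * len(good) <= n:
        return {"status": "ambiguous", "wrong": []}
    if bad:
        return {"status": "falseticker_identified", "wrong": [s.name for s in bad]}
    return {"status": "consistent", "wrong": []}


if __name__ == "__main__":
    # Constructed sample: three sources agree within 10 ms, one is 2.5 s off.
    # The order is chosen so each prefix illustrates one of the rules.
    fleet = [
        Source("ntp-a", 0.001, 0.010),
        Source("ntp-d", 2.500, 0.010),   # the bad clock
        Source("ntp-b", 0.003, 0.010),
        Source("ntp-c", -0.002, 0.010),
    ]
    for k in range(1, len(fleet) + 1):
        print(k, "source(s):", assess(fleet[:k]))
    # N+1: lose one of the good clocks and the bad one is still identified.
    print("after losing ntp-c:", assess(fleet[:3]))
```

Note that `intersect` alone cannot tell two disagreeing sources apart; it will always pick one of them. The majority check in `assess` is what turns "largest overlapping group" into "group we are entitled to trust", which is why the page asks for at least three sources.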

Windows Domain NTP

  • If you operate a Windows Domain, then the decision is made for you: you need internal NTP.
  • If you operate a Windows Domain your architecture should plan for all Active Directory members to drift together as a family.
    • It is important to have consistent time across all servers for authentication within that bubble.
    • Logs are then also consistent across all devices within that bubble.
  • Don’t tell your Windows clients to pull NTP from the internet and ignore your domain controllers. They all need to stay accurate to the PDCe.
  • Remember: anything that relies on Kerberos needs to stay within 5 mins of Domain Controller time or authentication will break.

Configuration

NTP Master

  • The “ntp master” command is used to make the router act as an NTP server with its own hardware clock as the source. [1]
  • The “ntp server x.x.x.x” command (x.x.x.x being your NTP server address) should be enough to make the router act as an NTP server. [1]

References

  1. Solved: NTP Master Command - Cisco Community