22.5. Network Time Protocol (NTP)
NTPallows you to set the clocks on your systems very accurately, towithin 1 to 50 ms of the time on a central server. Knowing the exacttime is extremely important for certain types of applications andprotocols:
- It's much easier to correlate information from multiplemachines (log files, for example, when analyzing a break-in attempt)when all the clocks on those machines are synchronized. It'shelpful to know exactly who was attacked, and in what order, ifyou're going to understand what the attacker was after -- and what might be coming next.
- Some security protocols depend on anaccurate source of time information in order to prevent"playback" attacks. Such protocols tag theircommunications with the current time, so that those samecommunications (e.g., a login/password interaction or even an entirecommunication) can't be replayed at a later date as part of anattack. This tagging can be circumvented if the clock can be set backto the time the communication was recorded.
NTP servers communicate with other NTP servers in a hierarchy todistribute clock information. The closer a system is to a referenceclock (an atomic clock, radio clock, or some other definitive clock),the higher it is in the hierarchy. Servers communicate with eachother frequently to estimate and track network delay betweenthemselves, so that this delay can be compensated for. NTP clientscan track network delay the same way servers do or can simply askservers for the current date and time without worrying aboutcompensating for communication delays.
NTP is provided with several vendors' versions of Unix; a fewvendors (notably Silicon Graphics) include services based on theolder Time protocol instead of or in addition to NTP. NTP is notprovided with Windows NT but is supported bytimeserv, which is part of the Server ResourceKit.
By default, NTP does not include any authentication; as a result,it's easy for an attacker to forge packets with incorrect timesettings. It's possible to use authentication starting inNTPv3, and you should do so.
22.5.1. Packet Filtering Characteristics of NTP
NTP is a UDP-based service. NTP servers use well-known port 123 totalk to each other and to NTP clients. NTP clients use random portsabove 1023. As with DNS, you can tell the difference between thefollowing:
- An NTP client-to-server query
- Source port above 1023, destination port 123
- An NTP server-to-client response
- Source port 123, destination port above 1023
- An NTP server-to-server query or response
- Source and destination ports both 123
Unlike DNS, NTP never uses TCP, and NTP has no analog to the DNS zonetransfer operation.
NTP servers may also talk to each other using broadcast or multicast;the multicast address 224.0.1.1 is reserved for this purpose.
| Direction | SourceAddr. | Dest.Addr. | Protocol | SourcePort | Dest.Port | Notes |
|---|---|---|---|---|---|---|
| In | Ext | Int | UDP | >1023 | 123 | Query, external client to internal server |
| Out | Int | Ext | UDP | 123 | >1023 | Response, internal server to external client |
| Out | Int | Ext | UDP | >1023 | 123 | Query, internal client to external server |
| In | Ext | Int | UDP | 123 | >1023 | Response, external server to internal client |
| In | Ext | Int | UDP | 123 | 123 | Query or response between two servers |
| Out | Int | Ext | UDP | 123 | 123 | Query or response between two servers |
| In | Ext | 224.0.1.1 | UDP | 123 | 123 | ulticast query or response from an external server |
| Out | Int | 224.0.1.1 | UDP | 123 | 123 | ulticast query or response from an internal server |
Figure 22-1 shows how packet filtering works withNTP.
Figure 22-1. NTP with packet filtering
22.5.2. Proxying Characteristics of NTP
As a UDP-based application, NTP can't be proxied by SOCKS4 butcan be used with the UDP Packet Relayer or SOCKS5. Because NTPemploys a hierarchy of servers, it can be configured to run on abastion host without using explicit proxying, as shown later in thischapter.
22.5.3. Network Address Translation Characteristics of NTP
NTP does not use embedded IP addresses and will work transparentlywith network address translation.
22.5.4. Configuring NTP to Work with a Firewall
Do you really need to configure NTP towork with a firewall? That's your first decision. You may notneed to if either of the following cases is true at your site:
- If you have an accurate source of time within your internal network -- for example, a radio clock receiving time signals from theNational Bureau of Standards atomic clocks on one of their radiostations (or the equivalent from non-U.S. standards organizations),or a satellite clock receiving data from the Global PositioningSystem (GPS) satellites.
- If you're more worried about having time be consistentwithin your network thanbetween your network and the outside world.
In either of these cases, you don't need to run NTP across yourfirewall; you can simply run it internally.
If you do want to run NTP across your firewall, the best way is toset up an NTP server on a bastion host that talks to multipleexternal NTP servers and another NTP server on some internal hostthat talks to the bastion host. (You want the bastion host to talk tomultiple external NTP servers because it increases accuracy and makesit harder to fool.) Next, configure internal NTP clients and otherinternal NTP servers to talk to the internal server that talks to thebastion server. You need to configure any packet filtering systembetween the internal server and the bastion host to allow thefollowing:
- Queries from the internal NTP server to the bastion host NTP server
- UDP packets from port 123 on the internal server to port 123 on thebastion host
- Answers from the bastion host NTP server to the internal NTP server
- UDP packets from port 123 on the bastion host to port 123 on theinternal host
22.5.5. Summary of Recommendations for NTP
 |  |  |
| 22.4. ICMP and Network Diagnostics |  | 22.6. File Synchronization |
Copyright © 2002 O'Reilly & Associates. All rights reserved.
