Firewall Wizards mailing list archives
NTp config - for the databases :}
From: Bret Watson <lists () bwa net>
Date: Thu, 12 Mar 1998 20:42:11
I remember a somewhat heated discussion on how to set up time services to prevent external mods of time. Just finished an implementation for a client and had the resources to do it properly :} Here is a listing of overkill in the NTP world: three servers time1, 2, 3, each referencing six external stratum 1 clocks, geographically dispersed with no overlap, i.e. 18 stratum 1's in total. Each server also peers with the other two. These servers provide stratum 2 reference for three C class nets totalling approx. 300 machines, with an expected growth to around 5/600.

For one particular lab, where the apps used are particularly finicky about time (for their licenses, not for the app, would you believe), another four machines reference the three servers and peer between themselves to provide four stratum 3 servers; these provide for a lab of 16 machines. Within the lab all sixteen machines reference the four servers and peer among themselves. They are all on the same 10base2 cable.

What does this mean in security terms? NTP is a UDP protocol, so prediction is not a problem: you just have to wait for the outgoing request and reply to that request. As this particular site has a single cable going out, it's not hard to capture the total traffic.

So where's the security? The implementation used is the Unix standard xntpd by David Mills et al. It implements a software PLL with a pre-filtering of the incoming data to remove wildly varying clocks, and then weights the data from the remaining clocks based on their dispersion. So to spoof the references you will have to provide the same time and a good stability to the time data. You can't step the time, but you might be able to slow it down; this would require total control of the traffic, not just the ability to inject replies, as these would clash with the data from the real clock and drop this ref out of the table.
Once we had managed to take over the external clocks we would then have to change the time slowly enough so that the clocks on the stratum 3 and 4 machines would not complain; very difficult, since we are effectively dealing with a multi-loop PLL. We possibly could render all clocks insane by broadcasting false data to all machines, but then the machines would fall back to their own clocks. Furthermore, we could put DES authentication between the strata, removing that possibility.

The result? I feel that NTP is very secure, even in its 'insecure' mode.

Cheers,
bret

Technical Incursion Countermeasures
consulting () bwa net
http://www.ticm.com/
ph: (+61)(08) 9454 2487 (UTC+8 hrs)
fax: (+61)(08) 9454 6042

The Insider - an e'zine on computer security
http://www.ticm.com/about/insider.html
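The filtering the post relies on (discard wildly varying clocks, vote among the rest, weight by dispersion) is what decides whether an injected reply is accepted or dropped. The following is an added, simplified model of that selection process written for this page; it is not xntpd's code, and the constants (MIN_SURVIVORS, MAX_DISTANCE) and the sample reply windows are constructed assumptions chosen so the three cases the post describes are visible: an attacker injecting replies beside the real ones, an attacker fully controlling one upstream, and an attacker controlling every path and shifting all references together.

```python
"""Simplified model of the clock selection ntpd performs before trusting a
source: per-peer clock filter, Marzullo-style intersection, cluster pruning and
a weighted combine.  Added, constructed example (not xntpd's code); constants
and sample numbers are assumptions chosen to make the behaviour visible."""
import math
from statistics import mean

MIN_SURVIVORS = 3      # assumption: keep at least this many peers (ntpd's minclock default is 3)
MAX_DISTANCE = 1.0     # assumption: discard a peer whose root distance exceeds 1 s


def clock_filter(samples):
    """samples: (offset, delay) pairs from the last polls of one peer.
    Returns (offset, delay, jitter): the offset of the lowest-delay sample and
    the RMS spread of the remaining samples around it."""
    ordered = sorted(samples, key=lambda s: s[1])
    off0, delay0 = ordered[0]
    rest = [off for off, _ in ordered[1:]]
    jitter = math.sqrt(mean((off - off0) ** 2 for off in rest)) if rest else 0.0
    return off0, delay0, jitter


def root_distance(delay, jitter):
    # synchronisation distance: half the round trip plus the jitter
    return delay / 2 + jitter


def intersection(candidates):
    """candidates: name -> (offset, distance).  Sweep the interval edges and
    return the names whose [offset-distance, offset+distance] interval
    contains the point covered by the most intervals (the 'truechimers')."""
    edges = []
    for name, (off, dist) in candidates.items():
        edges.append((off - dist, 0, name))   # 0 sorts before 1: touching intervals overlap
        edges.append((off + dist, 1, name))
    edges.sort()
    best, depth, point = 0, 0, None
    for x, kind, _ in edges:
        depth += 1 if kind == 0 else -1
        if depth > best:
            best, point = depth, x
    return [n for n, (off, dist) in candidates.items() if off - dist <= point <= off + dist]


def cluster(survivors, stats):
    """Repeatedly drop the peer whose offset disagrees most with the others
    (largest selection jitter) while that exceeds the quietest peer's own
    jitter and more than MIN_SURVIVORS remain."""
    names = list(survivors)
    while len(names) > MIN_SURVIVORS:
        sel = {n: math.sqrt(mean((stats[n][0] - stats[m][0]) ** 2 for m in names if m != n))
               for n in names}
        worst = max(names, key=sel.get)
        if sel[worst] <= min(stats[n][2] for n in names):
            break
        names.remove(worst)
    return names


def select_sources(peer_samples):
    """peer_samples: name -> list of (offset, delay).  Returns (survivors, combined offset)."""
    stats = {n: clock_filter(s) for n, s in peer_samples.items()}
    usable = {n: (off, root_distance(d, j)) for n, (off, d, j) in stats.items()
              if root_distance(d, j) <= MAX_DISTANCE}
    survivors = cluster(intersection(usable), stats) if usable else []
    if not survivors:
        return [], None
    weights = {n: 1.0 / usable[n][1] for n in survivors}   # weight inversely to distance
    offset = sum(stats[n][0] * w for n, w in weights.items()) / sum(weights.values())
    return survivors, offset


# Constructed reply windows: eight polls, +/-2 ms noise, 20-27 ms round trips.
NOISE = (0.001, -0.001, 0.002, 0.000, -0.002, 0.001, 0.000, -0.001)
DELAYS = (0.022, 0.020, 0.025, 0.021, 0.024, 0.023, 0.026, 0.027)


def polls(base, shift=0):
    noise = NOISE[shift:] + NOISE[:shift]
    return [(base + n, d) for n, d in zip(noise, DELAYS)]


# Attacker injects +60 s replies but cannot suppress the real ones, so the
# peer's window mixes both (constructed).
INJECTED = [(60.0, 0.019), (0.001, 0.020), (60.0, 0.021), (0.000, 0.022),
            (60.0, 0.023), (-0.001, 0.024), (60.0, 0.025), (0.001, 0.026)]


def scenario_injected():
    peers = {f"s1-{i}": polls(0.0, i) for i in range(5)}
    peers["s1-spoofed"] = INJECTED
    return select_sources(peers)


def scenario_captured():
    peers = {f"s1-{i}": polls(0.0, i) for i in range(5)}
    peers["s1-captured"] = polls(60.0)       # attacker fully controls one upstream
    return select_sources(peers)


def scenario_skewed():
    # attacker controls every path and shifts all six references by the same 0.5 s
    return select_sources({f"s1-{i}": polls(0.5, i) for i in range(6)})


if __name__ == "__main__":
    for fn in (scenario_injected, scenario_captured, scenario_skewed):
        print(fn.__name__, fn())
```

In the injected case the mixed window gives the spoofed peer a jitter of tens of seconds, so its distance exceeds the bound and it never reaches the vote; in the captured case the peer is stable but its interval does not overlap the five that agree, so the intersection marks it a falseticker. Only when every reference moves together is the shift accepted, which is the "total control of the traffic" condition the post states.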