Image generated by OpenAI's DALL·E
In the world of information security and IT security, time is of the essence. Whether it's synchronizing transactions in financial systems, logging events in networks, or timing distributed systems, accurate timing is essential.
This is where Network Time Protocol (NTP) time servers come into play, ensuring that all devices on a network use a consistent time. But why is the Stratums concept in these servers so crucial and what impact does it have on information security?
What is a stratum?
Before we delve into the meaning of the stratum, it is important to understand what a stratum actually is. In the architecture of the Network Time Protocol (NTP) there is a clearly defined hierarchy of time servers, which are divided into so-called strata. These strata are used to describe the relationship and proximity of the servers to the primary time source.
At the top of this hierarchy are the Stratum 1 servers, which are considered the highest level. These servers get their time directly from highly accurate sources such as atomic clocks or GPS signals. They are, so to speak, the gold standard in time measurement.
The Stratum 2 servers then synchronize with the Stratum 1 servers, meaning they get their time from these highly accurate sources. In this way they form the second level of the hierarchy.
This pattern continues, with each successive stratum server sourcing its time from a server in the previous stratum. The higher the stratum, the further away the time server in question is from the primary time source.
Each additional time server “changes” this time of the reference clock slightly into the negative - in order to be able to display this, every NTP server has this so-called stratum.
A system with stratum 1 has a time inaccuracy of around 10 μs to the reference time, each additional server adds around 0.5 to 100 ms of time inaccuracy - so not only an NTP server with the lowest possible stratum should be chosen, but also all clients use the same NTP server.
It is important that the highest possible stratum in an NTP network is stratum 16. A Stratum 16 server indicates that no connection was made to another time server and therefore no time information was received.
It should be noted here - Stratum 16 means there is NO time synchronization and is therefore not suitable as a time source.
NTP pools play a crucial role for companies that need a stable source of time. Not only do they offer a variety of public servers distributed worldwide, but also high availability and redundancy. By connecting to an NTP pool, companies can ensure that their systems are always synchronized with an accurate time, which in turn is essential for the smooth and reliable functioning of their applications and security protocols. Using NTP pools allows companies to easily provide a stable time source without the need for their own dedicated time servers. However, it is important to consider their trustworthiness and security when selecting NTP pools to minimize potential security risks.
In ISO 27001, A.12.4.3 emphasizes the importance of a reliable time service. This relates directly to the needs for accurate time stamping of data and events, which in turn is an integral part of information security. Time compliance is considered essential to the integrity and confidentiality of data, as it plays a critical role in, for example, reviewing logs, tracking events, and monitoring access.
BSI IT-Grundschutz – several blocks for correct time synchronization (e.g. OPS.1.1.5.A1)
ISO/IEC 27001 – specific request for synchronization from a defined reference time source (A.12.4)
PCI DSS – specific requirement for synchronization of all critical system clocks (requirement 10.4)
A dedicated NTP server is considered a preferable solution in this regard to ensure that the organization has control over its time source and can ensure the accuracy of the timestamps in its systems. By using their own NTP server, companies can also minimize potential risks associated with external time sources such as NTP pools or public time servers and increase the security of their IT infrastructure.
Now what is the impact?
In many applications, the accuracy of the Network Time Protocol (NTP) to milliseconds is sufficient to ensure efficient synchronization of system time. This level of accuracy is sufficient for most IT systems to perform their tasks, and many applications work perfectly without requiring higher levels of accuracy or even running time synchronization.
Even in environments where more precise timekeeping is required, such as in the financial industry or in high-frequency trading environments, systems can often temporarily handle less precise timing without causing immediately noticeable problems. Only when sufficiently precise time measurement is required for specific requirements or when problems related to time accuracy arise does the importance of an accurate and reliable time source become clear.
However, this supposed obviousness also carries a risk: Due to the sufficient accuracy of NTP, it is often not given the attention it deserves. Many devices are configured by default to get the time from public time servers, such as "pool.ntp.org", and thus synchronize their time - often without ever having reached it in practice, as this communication is on the firewall Is blocked.
But what happens if one of these time servers is unavailable or returns incorrect time information? In such cases, there is a risk that the NTP system will believe incorrect time information and slowly adjust the clock accordingly. Depending on the configurations and the intervals between time requests, it can take hours or even days for the system to correct the incorrect time.
How do attackers take advantage of this?
Now let's look at the perspective of an attacker exploiting the vulnerabilities of a misconfigured NTP server. Suppose an attacker has successfully manipulated the time on one of your devices so that the time is suddenly five years in the future. What benefit could the attacker derive from this manipulation?
First of all, such a time difference would have a significant impact on the security and smooth operation of your network. Many of your security mechanisms and routine operations are closely tied to system time, and getting the time wrong could have disastrous consequences:
Password Policies: Most of your passwords would suddenly expire
SSL Certificates: All your SSL certificates would suddenly expire
IPSEC Tunnels: Your IPSEC tunnels would be down and refuse to restart
Backups and log files: Many of your backups and log files would be considered “expired” and deleted, resulting in loss of important data and impacting your disaster recovery capabilities. The historical data required for monitoring, analysis and compliance would no longer be available, potentially having a serious impact on your operations and your ability to forensically investigate security incidents.
What should I do?
In conclusion, properly configuring and monitoring the Network Time Protocol (NTP) is critical to an organization's information security. Manipulation of the system time can have serious implications for the security, stability, and integrity of the network, as we have seen with the potential consequences of a faulty NTP server.
To minimize such risks, companies should implement best practices when dealing with NTP. This includes:
Use of multiple NTP servers: It is ideal to use at least three NTP servers, with at least one in your own network operating at Stratum 1 to ensure a reliable and redundant time source.
NTP Configuration Guidelines: A clear policy should be established that all devices on the network must be properly configured with NTP to ensure accurate timekeeping.
NTP configuration monitoring: The NTP configuration of all devices on the network should be checked regularly to ensure that it meets security standards and that there are no deviations.
It is important to note that NTP itself also supports security mechanisms such as authentication to ensure the integrity and security of the time service. Although these aspects have not been covered in detail here, it is advisable to learn about advanced security features of NTP and implement them if necessary.
In conclusion, NTP is a crucial element of information security that cannot be neglected. By implementing best practices and regular monitoring, companies can ensure the reliability and integrity of their time source, effectively protecting themselves from potential security risks. However, it is important to be aware that NTP security is a complex issue and continues to require advancements to address ever-changing threats.
Comments