6.7.6 Ensure Different Authentication Keys for each NTP Server

Information

Different authentication keys should be set for each NTP Server

Rationale:

Having established the need for NTP, it is essential to ensure that the device's time cannot be manipulated by an attacker: manipulated time can cause denial of service to services that rely on accurate time, and can enable replay attacks and other malicious activity.

NTP version 3 introduced authentication of NTP messages using a keyed hash (a keyed-hash message authentication code, HMAC), where a hash computed over the message and a shared secret key confirms both that the message came from a holder of the key and that it was not changed in transit. All JUNOS platforms support keyed-hash authentication with NTP versions 3 and 4 using MD5, and some platforms also support the more robust SHA-1 and SHA-256 algorithms.

In high security environments, use a different key for each configured NTP server so that the compromise of a single server or key does not undermine your entire NTP infrastructure.

This is significant additional configuration, but it increases the difficulty for an attacker, who would now need to compromise multiple keys or servers, and it allows a compromise to be responded to quickly: the affected server is removed from production and re-keyed while the network continues to use the remaining server(s).

NOTE - For each server association, both the key value and the algorithm must match on the client and on that server; a mismatch on either side means the association will not authenticate.

Impact:

If keys or algorithms do not match between an NTP server and a client device, the client will not be able to update its time, which can impact logging, authentication, encryption/VPN, or other services that rely on consistent time.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Keys are configured in the device's NTP key list and identified by a numeric key ID. To add a key, enter the following commands from the [edit system ntp] hierarchy:

[edit system ntp]
user@host#set authentication-key <Key ID> type <algorithm> value <Key>
user@host#set trusted-key <Key ID>

Assign a distinct key to each configured NTP server using the following command under the [edit system ntp] hierarchy (repeat once per server, with a different key ID each time):

[edit system ntp]
user@host#set server <Servers IP> key <key ID>

If this device is operating as an NTP server and has clients that use different keys or algorithms, these can be set with the peer option:

[edit system ntp]
user@host#set peer <Peers IP> key <key ID>

NOTE - The Key ID must also be listed in the trusted-key list to be accepted.
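The following Python script is an added example, not part of this benchmark item and not the logic Nessus uses. It parses the `set system ntp ...` lines of a Junos `show configuration system ntp | display set` dump and reports every condition the Solution above depends on: each server (or peer) references a key, that key is defined under authentication-key and listed under trusted-key, no two servers share a key ID, and MD5 keys are flagged because the text names SHA-1/SHA-256 as more robust. The two configuration samples embedded in it are constructed for illustration (the `$9$...` values stand in for Junos' obfuscated key strings) and are not taken from any real device.

```python
import re

# Junos 'display set' emits one line per statement; these patterns match
# the three statement families this control depends on.
KEY_RE = re.compile(r"^set system ntp authentication-key (\d+) type (\S+)")
TRUSTED_RE = re.compile(r"^set system ntp trusted-key (.+)$")
ENTRY_RE = re.compile(r"^set system ntp (server|peer) (\S+)(.*)$")


def parse_ntp(config_text):
    """Return (keys, trusted, entries) from a Junos set-style NTP config.

    keys:    key ID -> algorithm name (lower-cased)
    trusted: set of key IDs listed under trusted-key
    entries: server/peer address -> key ID referenced, or None if no key
    """
    keys, trusted, entries = {}, set(), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            keys[m.group(1)] = m.group(2).lower()
            continue
        m = TRUSTED_RE.match(line)
        if m:
            # Accept both 'trusted-key 1' and a bracketed list 'trusted-key [ 1 2 ]'.
            trusted.update(re.findall(r"\d+", m.group(1)))
            continue
        m = ENTRY_RE.match(line)
        if m:
            addr, rest = m.group(2), m.group(3)
            entries.setdefault(addr, None)  # address seen even without 'key'
            k = re.search(r"\bkey (\d+)\b", rest)
            if k:
                entries[addr] = k.group(1)
    return keys, trusted, entries


def audit_ntp(config_text):
    """Return a list of finding strings; an empty list means compliant."""
    keys, trusted, entries = parse_ntp(config_text)
    findings = []
    key_users = {}
    for addr, key_id in sorted(entries.items()):
        if key_id is None:
            findings.append(f"{addr}: no authentication key configured")
            continue
        if key_id not in keys:
            findings.append(f"{addr}: key {key_id} is not defined under authentication-key")
        elif keys[key_id] == "md5":
            findings.append(f"{addr}: key {key_id} uses md5; prefer sha1 or sha256 where supported")
        if key_id not in trusted:
            findings.append(f"{addr}: key {key_id} is not in the trusted-key list")
        key_users.setdefault(key_id, []).append(addr)
    # The core of 6.7.6: a key ID referenced by more than one server/peer.
    for key_id, addrs in sorted(key_users.items()):
        if len(addrs) > 1:
            findings.append(
                f"key {key_id} is shared by {', '.join(addrs)}; "
                "6.7.6 requires a distinct key per server"
            )
    return findings


# Constructed sample: one distinct SHA-256 key per server, both trusted.
COMPLIANT = """
set system ntp authentication-key 1 type sha256 value "$9$aaaa"
set system ntp authentication-key 2 type sha256 value "$9$bbbb"
set system ntp trusted-key 1
set system ntp trusted-key 2
set system ntp server 192.0.2.10 key 1
set system ntp server 192.0.2.10 prefer
set system ntp server 192.0.2.11 key 2
"""

# Constructed sample: one MD5 key reused by two servers, and a third
# server referencing a key that is neither defined nor trusted.
NONCOMPLIANT = """
set system ntp authentication-key 1 type md5 value "$9$cccc"
set system ntp trusted-key 1
set system ntp server 192.0.2.10 key 1
set system ntp server 192.0.2.11 key 1
set system ntp server 192.0.2.12 key 2
"""

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(f"== {name} ==")
        for finding in audit_ntp(cfg) or ["no findings"]:
            print(" ", finding)
```

To check a live device, capture `show configuration system ntp | display set` and pass the text to `audit_ntp`; the script only inspects key IDs, algorithms and references, so the obfuscated key values never need to leave the device.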

Default Value:

By default Juniper routers do not have NTP servers configured and use locally managed time.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AU-8, 800-53|IA-5, 800-53|IA-5(1), CSCv7|6.1, CSCv7|16.4

Plugin: Juniper

Control ID: 72a71f4c71a59e66d299ec3ae5145779726678de5bdef7baccdea02c92fbb25b