6.7.5 Ensure Authentication Keys are used for all NTP Servers

Information

Authentication keys should be set for NTP Servers

Rationale:

Having established the need for NTP, it is essential to ensure that the device's time is not manipulated by an attacker, as this could allow DoS against services relying on accurate time, as well as replay attacks and other malicious activity.

NTP Version 3 introduced authentication mechanisms for NTP messages using a keyed Hash-based Message Authentication Code (HMAC), where a keyed hash of the message ensures both that the message is authentic and that it was not changed in transit. All JUNOS platforms support HMAC with NTP Versions 3 and 4 using MD5, and some platforms also support the more robust SHA1 and SHA2-256 algorithms.

It is strongly recommended that, as the MD5 and SHA1 algorithms are now considered deprecated, SHA2-256 based keys be used. In addition, to prevent compromise of one server leaking the keys for all NTP Servers, a different key should be used for each server. The use of SHA-256 and different keys per server are covered in separate Recommendations and not tested as part of the Audit Procedure for this Recommendation.

NOTE - Both the keys and the algorithm must match on all NTP peers being configured.

Impact:

If keys or algorithms do not match on NTP Servers and Client devices, NTP will not be able to update, and this could impact Logging, Authentication, Encryption/VPN or other services which rely on consistent time.

Solution

Keys are configured on a key ring and identified by an ID number. To add a key, enter the following command from the [edit system ntp] hierarchy:

[edit system ntp]
user@host# set authentication-key <Key ID> type <algorithm> value <Key>

The <Key ID> is an arbitrary 32-bit non-zero integer used to identify this key locally on the device. The <algorithm> may be set to MD5 (the default), SHA1 or SHA2-256 (with SHA1 and SHA2-256 only being supported on some devices).
Next, for each server, configure the key to be used:

[edit system ntp]
user@host# set server <Server Address> key <Key ID>

Finally, configure the key as trusted so that the router will accept NTP traffic authenticated using it. This mechanism provides an easy method to retire keys in the event of compromise. Enter the following command from the [edit system ntp] hierarchy:

[edit system ntp]
user@host# set trusted-key <Key ID>

The trusted <Key ID> can be a single key or several keys, either by enclosing the list in square brackets or by repeating the command.
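The three steps above can be checked offline against a saved configuration. The following script is an added example, not part of the benchmark or of any Tenable plugin; it parses a constructed Junos "display set" style NTP stanza and reports, for each server, whether a key is referenced, whether that key is defined on the key ring, and whether it is listed as a trusted-key. It also goes slightly beyond this Recommendation's Audit Procedure by flagging MD5/SHA1 keys and keys shared between servers, which the Rationale recommends against. The type keywords (md5, sha1, sha256) and the placeholder addresses and key values in the sample are assumptions for illustration.

```python
import re

# Constructed sample output in "show configuration system ntp | display set" form.
# Addresses are from the 192.0.2.0/24 documentation range; key values are placeholders.
NONCOMPLIANT_CONFIG = """\
set system ntp authentication-key 10 type sha256 value "PLACEHOLDER-SECRET-A"
set system ntp authentication-key 11 type md5 value "PLACEHOLDER-SECRET-B"
set system ntp server 192.0.2.10 key 10
set system ntp server 192.0.2.11 key 11
set system ntp server 192.0.2.12
set system ntp trusted-key 10
"""

# Constructed compliant sample: every server keyed, every key defined and trusted,
# one SHA2-256 key per server, trusted keys given in bracketed list form.
COMPLIANT_CONFIG = """\
set system ntp authentication-key 10 type sha256 value "PLACEHOLDER-SECRET-A"
set system ntp authentication-key 11 type sha256 value "PLACEHOLDER-SECRET-B"
set system ntp server 192.0.2.10 key 10
set system ntp server 192.0.2.10 version 4
set system ntp server 192.0.2.11 key 11
set system ntp trusted-key [ 10 11 ]
"""

KEY_RE = re.compile(r"^set system ntp authentication-key (\d+) type (\S+) value ")
SERVER_RE = re.compile(r"^set system ntp server (\S+)(?: key (\d+))?")
# trusted-key may be repeated per key ("trusted-key 10") or bracketed ("trusted-key [ 10 11 ]")
TRUSTED_RE = re.compile(r"^set system ntp trusted-key (?:\[\s*([\d\s]+?)\s*\]|(\d+))")

STRONG_TYPES = {"sha256"}  # assumed Junos keyword for SHA2-256; md5 and sha1 are deprecated


def parse_ntp_config(text):
    """Return (keys, servers, trusted): key id -> type, server -> key id or None, set of ids."""
    keys, servers, trusted = {}, {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            keys[int(m.group(1))] = m.group(2).lower()
            continue
        m = SERVER_RE.match(line)
        if m:
            addr, key_id = m.group(1), m.group(2)
            # A server may appear on several "set" lines (key, version, prefer ...);
            # only record a key when this line carries one, never overwrite with None.
            servers.setdefault(addr, None)
            if key_id is not None:
                servers[addr] = int(key_id)
            continue
        m = TRUSTED_RE.match(line)
        if m:
            ids = m.group(1) if m.group(1) is not None else m.group(2)
            trusted.update(int(i) for i in ids.split())
    return keys, servers, trusted


def audit_ntp(text):
    """Return a list of human-readable findings; an empty list means the stanza passes."""
    keys, servers, trusted = parse_ntp_config(text)
    findings = []
    if not servers:
        findings.append("no NTP servers configured")
    for addr, key_id in sorted(servers.items()):
        if key_id is None:
            findings.append(f"server {addr}: no authentication key configured")
            continue
        if key_id not in keys:
            findings.append(f"server {addr}: key {key_id} is not defined on the key ring")
        if key_id not in trusted:
            findings.append(f"server {addr}: key {key_id} is not a trusted-key")
        if key_id in keys and keys[key_id] not in STRONG_TYPES:
            findings.append(f"server {addr}: key {key_id} uses deprecated {keys[key_id]}")
    # Key reuse: one compromised server should not expose the key for another.
    used = {}
    for addr, key_id in servers.items():
        if key_id is not None:
            used.setdefault(key_id, []).append(addr)
    for key_id, addrs in sorted(used.items()):
        if len(addrs) > 1:
            findings.append(f"key {key_id} is shared by servers {', '.join(sorted(addrs))}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("non-compliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        print(f"{name}: {audit_ntp(cfg) or ['PASS']}")
```

In practice the input would be the output of "show configuration system ntp | display set" captured from the device; the parser only needs the authentication-key, server and trusted-key lines, so other NTP options (version, prefer, source-address) are ignored without error.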

Default Value:

By default Juniper routers do not have NTP servers configured and use locally managed time.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AU-8, 800-53|IA-5, 800-53|IA-5(1), CSCv7|6.1, CSCv7|16.4

Plugin: Juniper

Control ID: 1c6b0c20149491a1a314d6a49c7a58e2b94604523b662687cb481e58ab938f4b