Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Dynamic Host Configuration Protocol wikipedia , lookup
Distributed firewall wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Wireless security wikipedia , lookup
Remote Desktop Services wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Implementing Secure Converged Wide Area Networks (ISCW) ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 1 Configuring the NTP Client Lesson 10 – Module 5 – ‘Cisco Device Hardening’ ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 2 Module Introduction The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions. ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 3 Objectives At the completion of this tenth lesson, you will be able to: Explain how a router maintains an accurate time Describe NTP and how it is configured Configure NTP on a router as a server and a client Associate with NTP servers ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 4 Understanding NTP “Time has been invented in the universe so that everything would not happen at once” ‘The NTP FAQ and HOWTO’ - http://www.ntp.org/ntpfaq/ Many features in a computer network depend on time synchronisation, such as accurate time information in syslog messages, certificate-based authentication in VPNs, ACLs with time range configuration, and key rollover in routing protocol authentication (EIGRP and RIP) Most Cisco routers have two clocks: a battery-powered system calendar in the hardware and a software-based system clock These two clocks are managed separately ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 5 System Clock The heart of the router time service is the software-based system clock This clock starts to keep track of time from the moment the system starts The system clock can be set from a number of sources and can be used to distribute the current time through various mechanisms to other systems When a router with a system calendar is initialised or rebooted, the system clock is set based on the time in the internal batterypowered system calendar The system clock can then be set manually or by using the Network Time Protocol (NTP) - an Internet protocol used to synchronise the clocks of network connected devices to some time reference NTP is an Internet standard protocol currently at v3 and specified in RFC 1305 ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 6 UTC - GMT UTC (Temps Universel Coordonné or, in English, Coordinated Universal Time) is an official standard for the current time. UTC evolved from the former GMT (Greenwich Mean Time) that was previously used to accurately set the clocks on sailing ships before they left London for a long journey (very important to determine longitude and avoid navigational embarrassment…..) Later GMT was adopted as the world's standard time. It has now been replaced by UTC. One of the reasons that GMT has been replaced as official standard time was the fact that it was based on the mean solar time. Newer methods of time measurement showed that the mean solar time varied appreciably. The main components of UTC: Universal means that the time can be used everywhere in the world, It is independent from time zones (i.e. it's not local time). To convert UTC to local time, add or subtract the local time zone. Coordinated means that several institutions contribute their estimate of the current time, and UTC is built by combining these estimates. The UTC second has been defined by the 13th General Conference of Weights and Measures in 1967 as "The second is the duration of 9,192,631,770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium-133 atom." ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 7 Authoritative Time In a router, the system clock keeps track of time internally based on UTC (which, despite the comment in the curriculum is not technically the same as GMT…….) Information can be configured about the local time zone and daylight savings time so that the time appears correctly relative to the local time zone The system clock keeps track of whether the time is “authoritative” or not (that is, whether the time has been set by a time source that is considered to be “authoritative”) If the time is NOT considered authoritative, the time is available only for display purposes and is not redistributed within the network ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 8 NTP NTP is a protocol designed to time-synchronize a network of machines. NTP runs over UDP, which in turn runs over IP An NTP network usually obtains the time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronise two machines to within 1mS of one another As of early 2007, NTP v4 has not completed IETF standardisation. RFC 1305 documents NTP v3 Cisco devices support only RFC specifications of NTPv3 NTP uses the concept of a “stratum” to describe how many NTP “hops” away a machine is from an authoritative time source A “stratum 1” time server typically has a radio or atomic clock directly attached to the server; a “stratum 2” time server receives the time via NTP from a “stratum 1” time server, etc, etc. A machine that runs NTP automatically chooses the machine with the lowest stratum number to communicate with via NTP as the machine’s time source This strategy effectively builds a self-organising tree of NTP speakers ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 9 NTP NTP is careful to avoid synchronising to a machine whose time may not be accurate. NTP avoids doing so in two ways: 1. NTP never synchronises to a machine that is not synchronised itself 2. NTP compares the time that is reported by several machines and does not synchronise to a machine whose time is significantly different than the others, even if the machine’s stratum number is lower ISCW-Mod5_L10 The communications (known as “associations”) between machines that run NTP are usually statically configured; each machine is given the IP address of all machines with which the machine should form associations Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association In a LAN environment, NTP can be configured to use IP broadcast messages instead • This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages. • However, the accuracy of timekeeping is marginally reduced because the information flow is one-way only © 2007 Cisco Systems, Inc. All rights reserved. 10 NTP Security The time that a machine keeps is a critical resource, so the security features of NTP should be used to avoid the accidental or malicious setting of incorrect time Two mechanisms are available: 1. an ACL-based restriction scheme 2. an encrypted authentication mechanism. Time service for a network should be derived from the public NTP servers that are available on the Internet • If the network is isolated from the Internet, the Cisco implementation of NTP allows a machine to be configured so that the machine acts as though the machine is synchronised via NTP when in fact the machine has determined the time using other means. • Other machines then synchronise to that machine via NTP ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 11 NTP Association When multiple sources of time (eg, manual configuration) are available, NTP is always considered to be more authoritative NTP time overrides the time set by any other method An NTP association can be a peer association (this system is willing to either synchronise to the other system or to allow the other system to synchronise to it), or the association can be a server association (only this system will synchronise to the other system, and not vice versa) ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 12 NTP Basic Features - Overview A collected overview of NTP features: NTP needs some reference clock that defines the true time to operate. All clocks are set towards that true time. (It will not just make all systems agree on some time, but will make them agree upon the true time as defined by some standard) NTP uses UTC as reference time (NOT GMT…..) NTP is a fault-tolerant protocol that will automatically select the best of several available time sources to synchronise to. Multiple candidates can be combined to minimise the accumulated error. Temporarily or permanently insane time sources will be detected and avoided NTP is highly scalable. A synchronisation network may consist of several reference clocks. Each node of such a network can exchange time information either bidirectional or unidirectional. Propagating time from one node to another forms a hierarchical graph with reference clocks at the top Having available several time sources, NTP can select the best candidates to build its estimate of the current time. The protocol is highly accurate, using a resolution of less than a nanosecond (about 2^-32 seconds) Even when a network connection is temporarily unavailable, NTP can use measurements from the past to estimate current time and error For formal reasons NTP will also maintain estimates for the accuracy of the local time ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 13 Configuring NTP Authentication NTP services are enabled on all interfaces by default. To disable NTP on a specific interface, use the ntp disable command in the interface configuration mode. To authenticate the associations with other systems for security purposes, use the commands in the “NTP Authentication Commands” table (see next slide) ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 14 NTP Authentication Commands Command Description ntp authenticate Enables the NTP authentication feature. If this command is specified, the system will not synchronize to a system unless the system’s NTP messages carry one of the authentication keys that you specify in the ntp trustedkey global configuration command. ntp Defines an authentication key. Message authentication authentication-key support is provided using the MD5 algorithm. The key number md5 value type md5 is currently the only key type that this command supports. The key value can be any arbitrary string of up to eight characters. ntp trusted-key key-number Defines trusted authentication keys. The first command enables the NTP authentication feature. The second command defines each of the authentication keys. Each key has a key number, a type, and a value. Currently the only key type supported is md5. Finally, a list of trusted authentication keys is defined. If a key is trusted, this system is ready to synchronise to a system that uses this key in the system’s NTP packets ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 15 Configuring NTP Authentication Router(config)# ntp authenticate • Enables the authentication feature Router(config)# ntp authentication-key number md5 value • Defines the authentication keys • Used for both peer and server associations Router(config)# ntp trusted-key key-number • Defines the trusted authentication keys • Required to synchronise to a system (server association) R1(config)#ntp authentication R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs R1(config)#ntp trusted-key 1 ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 16 Configuring NTP Associations To configure a router as an NTP client, either create an association to a server or configure the router to listen to NTP broadcast packets. ntp server: Although the router can be configured with either a peer or a server association, NTP clients are typically configured with a server association (meaning that only this system will synchronise to the other system, and not vice versa). To allow the software clock to be synchronised by an NTP time server, use the ntp server command in global configuration mode. ntp broadcast client: In addition to or instead of creating unicast NTP associations, the system can be configured to listen to broadcast packets on an interface-by-interface basis To do this, use the ntp broadcast client command in interface configuration mode ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 17 Configuring NTP Associations Router(config)# ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer] • Forms a server association with another system Router(config-if)# ntp broadcast client • Receives NTP broadcast packets R1(config)#ntp server 10.1.1.1 key 1 R1(config)#ntp server 10.2.2.2 key 2 prefer R1(config)#interface Fastethernet 0/1 R1(config-if)#ntp broadcast client ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 18 Configuring Additional NTP Options To control access to NTP services, in addition to packet authentication, a NTP access group can be created and a basic IP ACL applied to it To control access to NTP services, use the ntp access-group command in global configuration mode The access group options are scanned in the following order, from least restrictive to most restrictive: 1. peer: Allows time requests and NTP control queries and allows the system to synchronise itself to a system whose address passes the ACL criteria. This option is used in scenarios where either the local or the remote system can become the NTP source 2. serve: Allows time requests and NTP control queries but does not allow the system to synchronise itself to a system whose address passes the ACL criteria. This option lets you filter IP addresses of systems that can become clients of the local system from which NTP control queries will be permitted 3. serve-only: Allows only time requests from a system whose address passes the ACL criteria. This option lets you filter IP addresses of systems that can become clients of the local system from which NTP control queries will be denied 4. query-only: Allows only NTP control queries from a system whose address passes the ACL criteria ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 19 Configuring Additional NTP Options If the source IP address matches the ACLs for more than one access type, the first access type that is listed is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types are granted When the system sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source command in global configuration mode to configure a specific interface from which the IP source address will be taken ntp source interface This interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source parameter on the ntp peer or ntp server command ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 20 Implementing the NTP Server Cisco IOS routers work as an NTP server by default. As soon as a router is synchronised to an authoritative time source, the router allows peers with lower stratum to synchronise to that router: Requires a peer association You can make a router an authoritative NTP server, even if the system is not synchronised to an outside time source. Two options to establish a peer association: 1. Unicast 2. Broadcast Same exchange control methods as those methods used with client: Packet authentication Access group filtering ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 21 Configuring the NTP Server Router(config)# ntp peer ip-address [normal-sync][version number] [key keyid] [source interface] [prefer] • Forms a peer association with another system Router(config)# ntp master [stratum] • Makes the system an authoritative NTP server Router(config-int)# ntp broadcast [version number][destination address][key keyid] • Configures an interface to send NTP broadcast packets R2(config)#ntp peer 10.1.1.1 key 1 R2(config)#ntp master 3 R2(config)#interface Fastethernet0/0 R2(config-int)#ntp broadcast ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 22 NTP Configuration Example Source(config)#ntp Source(config)#ntp Source(config)#ntp Source(config)#ntp master 5 authentication-key 1 md5 secretsource peer 172.16.0.2 key 1 source loopback 0 Intermediate(config)#ntp authentication-key 1 md5 secretsource Intermediate(config)#ntp authentication-key 2 md5 secretclient Intermediate(config)#ntp trusted-key 1 Intermediate(config)#ntp server 172.16.0.1 Intermediate(config)#ntp source loopback 0 Intermediate(config)#interface Fastethernet0/0 Intermediate(config-int)#ntp broadcast Client(config)#ntp authentication-key 1 md5 secretclient Client(config)#ntp trusted-key 1 Client(config)#interface Fastethernet0/1 Client(config-int)#ntp broadcast client ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 23 ISCW-Mod5_L10 © 2007 Cisco Systems, Inc. All rights reserved. 24