Stratum 1 Time Server

Synchronized timing across your network – using a Trusted Time Source

A stable, reliable and accurate source of time is vital to the operation of your network. The need for synchronized time is critical in today’s network environments. Accurate time is essential to determining the order in which events occur and is a fundamental aspect of transaction integrity, logging/auditing, troubleshooting and forensics. Accurate, reliable time is necessary for business systems dealing with sensitive information, where even minute variation and drift between the time sources making up the overall IT infrastructure is not acceptable.

Whilst Coordinated Universal Time (UTC) is freely available across the Internet, it is not secure (the source is external to your firewall) and its accuracy may be questionable (usually the source cannot be verified). The recent NTP amplification DDoS (Distributed Denial of Service) scenario made it very clear that having a UDP port open to ingress traffic from the public network brings multiple types of risk, including liability risk (damage caused to third parties by means of exploiting vulnerabilities present in your own assets).

A Global Navigation Satellite System (GNSS) such as GPS has all the characteristics of a reliable Authoritative Time Source, and its signal, broadcast from spacecraft in Earth orbit, is available to anyone on the ground with the proper equipment to receive it.

High precision, available 24 hours a day anywhere in the world, is the main feature of a receiver that takes its time from the satellites of the American GPS (Global Positioning System).

NTP - FUNCTIONAL OVERVIEW

NTP is based on the principle of having all interconnected computers get as close as possible to the correct time – Coordinated Universal Time (UTC). A basic NTP network is composed of a time server and clients (workstations, routers, other servers, etc.). The function of the time server is to provide accurate time to the clients.

The individual clients run a small program as a background task that periodically queries the server for a precise UTC time reference. These queries are performed at designated time intervals (generally about every 15 minutes) in order to maintain the required synchronization accuracy for the network. The basic operation of NTP is the timestamping of the packets exchanged between the server and the client.

The NTP protocol has a hierarchical design in order to prevent large numbers of clients from accessing the same primary time sources. This hierarchy should be adhered to, and a large number of clients should not be configured to overload a busy Stratum 1 Time Server. In addition, networks should be designed to minimize the number of servers that interact with public NTP servers (blocking the port at the firewall). At the top of the hierarchy is what is accepted as the actual time – usually UTC. Each NTP Time Server is assigned a “stratum” level that corresponds to its distance from an accurate time source. Stratum 1 servers have direct access to a UTC time source (GPS). Stratum 2 servers receive their synchronization from Stratum 1 servers. Stratum 3 servers receive time from Stratum 2 servers, and so on.
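As an added illustration of the timestamp exchange and strata described above (example code written for this page, not the appliance's own software), the following Python builds and parses an RFC 5905 packet, applies the sanity checks a client performs on a reply before trusting it, and computes the clock offset and round-trip delay from the four timestamps T1..T4; the exchange, the clock values and the "GPS " reference id are constructed.

```python
import struct
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER = "!BBbbII4sQQQQ"        # 48-byte RFC 5905 header; extension fields/MAC not handled

def to_ntp(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp: 32-bit seconds, 32-bit fraction."""
    whole = int(unix_seconds)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | int((unix_seconds - whole) * (1 << 32))

def build_packet(li, vn, mode, stratum, ref_id, t_ref, t_orig, t_recv, t_xmit):
    """Serialize a header; poll=6, precision=-20 and root delay/dispersion=0 are illustrative."""
    return struct.pack(HEADER, (li << 6) | (vn << 3) | mode, stratum, 6, -20, 0, 0,
                       ref_id, t_ref, t_orig, t_recv, t_xmit)

def parse_packet(data):
    """Split a header into named fields; raises on truncated datagrams."""
    if len(data) < 48:
        raise ValueError("truncated NTP packet")
    f = struct.unpack(HEADER, data[:48])
    return {"li": f[0] >> 6, "vn": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "ref_id": f[6], "t_ref": f[7], "t_orig": f[8], "t_recv": f[9], "t_xmit": f[10]}

def validate_reply(reply, t1_sent):
    """Sanity checks a client applies before trusting a reply; returns a list of problems."""
    problems = []
    if reply["mode"] != 4:
        problems.append("not a server reply (mode %d)" % reply["mode"])
    if reply["li"] == 3:
        problems.append("server reports its clock unsynchronized (LI=3)")
    if not 1 <= reply["stratum"] <= 15:
        problems.append("stratum %d not usable (0 = kiss-o'-death, 16 = unsynchronized)" % reply["stratum"])
    if reply["t_orig"] != t1_sent:   # a genuine reply echoes our transmit timestamp
        problems.append("origin timestamp does not match our request (stale, bogus or spoofed)")
    return problems

def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay, in seconds, from 64-bit NTP timestamps."""
    offset = ((t2 - t1) + (t3 - t4)) / 2 / (1 << 32)
    delay = ((t4 - t1) - (t3 - t2)) / (1 << 32)
    return offset, delay

def demo():
    # Constructed exchange: server clock 2.0005 s ahead of the client, 0.1 s round trip.
    t1 = to_ntp(1700000000.0)     # T1: client transmit (client clock)
    t2 = to_ntp(1700000002.05)    # T2: server receive (server clock)
    t3 = to_ntp(1700000002.051)   # T3: server transmit (server clock)
    t4 = to_ntp(1700000000.1)     # T4: client receive (client clock)
    reply = parse_packet(build_packet(0, 4, 4, 1, b"GPS ", t2, t1, t2, t3))
    if validate_reply(reply, t1):
        raise RuntimeError("reply rejected")
    return offset_and_delay(t1, reply["t_recv"], reply["t_xmit"], t4)   # ~(2.0005, 0.099)
```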


High Level Architecture – NTP Strata Diagram

PRODUCT

A Network Time Server is a device that uses radio frequency signals such as GPS to calculate the correct time.

NTP operates in a way that is fundamentally different from most other timing protocols. NTP does not synchronize all connected clocks at once; instead it forms a hierarchy of time servers and clients. Each level in this hierarchy is called a stratum, and Stratum 1 is the highest level. Time servers at this level synchronize themselves by means of a reference time source such as a radio-controlled clock, satellite receiver or modem time distribution. Stratum 1 servers distribute their time to several clients in the network, which are called Stratum 2.

Network Time Server – Key Features

  • GPS synchronized Stratum 1 high performance NTP Server, equipped with stable internal oscillator 
  • Synchronization of NTP and SNTP compatible clients
  • Supported networking protocols: IPv4, IPv6, HTTPS, HTTP, SSH, TELNET, SCP, SFTP, FTP, SYSLOG, SNMP
  • Full SNMP v1,v2,v3 support with own SNMP-daemon for status and configuration and SNMP Trap messages
  • Support for the two most popular clock synchronization network time protocols:
    • NTP (RFC 1305, 4330 & 5905), and
    • IEEE 1588 PTP – Precision Time Protocol with hardware timestamps (optional)
  • Suitable for Unix/Linux, Mac OSX and Windows Server stand alone and Domain Controlled environments
  • Web UI: health and status/performance monitoring, maintenance
  • SD3+C paradigm: Secure by Design, Secure by Default, Secure in Deployment, and Communications
  • NTP versions v2, v3, v4 with broadcast / multicast mode, digest authentication and auto-key, SNTP and legacy protocols
  • Front Panel LCD display for Current Time, Status and Configuration Access, web-based interface and SSH CLI
  • Full administration supported through SSH CLI, accessible over IPv4 and IPv6
  • Internal oscillator options for extended hold-over  (Premium OCXO or Rubidium)
  • Network port redundancy for High Availability
  • Health and status monitoring via SNMP v1, v2c, v3 with Enterprise MIB

SECURITY

The NTP protocol, one of the most mature Internet protocols still in use, has gone through a number of enhancements. Yet for reasons of network efficiency it still relies on the very simple connectionless datagram transport protocol UDP, with its message exchange taking place over the specifically designated privileged port number 123. The idea of using privileged ports for trusted communication between networked nodes made some sense in the past, but those days are long gone. Having your network open to traffic ingress on UDP/123 is a risk no organization should choose to accept, as the UDP source address is easily spoofed and the addresses of popular NTP servers on the Internet are well known. With the time on your servers corrupted anything becomes possible: expired or revoked digital certificates are good again, log files might be rendered unusable, accounts might expire early, and transactional records could... well, that is up to your imagination.

All communication is secured using crypto technology (SSH and SSL), and the NTP protocol implementation supports digest authentication (shared secret) and auto-key (asymmetric crypto). RECRO experts can help you with configuring and hardening the NTP appliance to comply with the standards and security policy of your organization.
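As an added example (not the vendor's configuration), the following Python places a constructed open ntp.conf beside a hardened one that uses ntpd's restrict directives and symmetric-key (digest) authentication of the upstream servers, and runs a small audit that flags the weak settings; the key file path and the 192.0.2.x server addresses are assumed placeholders.

```python
import shlex

# Constructed client/distribution-server ntp.conf. Without a 'restrict default' line ntpd
# answers time, status (mode 6) and control requests from any address, and no 'key' means
# replies from the upstream servers are accepted without authentication.
WEAK_CONF = """
server 192.0.2.10 iburst
server 192.0.2.11 iburst
restrict 127.0.0.1
"""

# Hardened: digest (shared secret) authentication plus restrictive defaults. Time service to
# clients still works with noquery; only status/control queries are refused. /etc/ntp.keys is
# an assumed path whose lines look like '1 SHA1 <hex-digits>'.
HARDENED_CONF = """
keys /etc/ntp.keys
trustedkey 1
server 192.0.2.10 iburst key 1
server 192.0.2.11 iburst key 1
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""

REQUIRED_DEFAULT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

def parse_conf(text):
    """Yield (keyword, args) for each non-blank, non-comment line."""
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words:
            yield words[0], words[1:]

def audit_ntp_conf(text):
    """Return a list of findings (empty = checks passed). Assumes trustedkey lists plain ids."""
    findings, default_flags, trusted, sources = [], None, set(), []
    for kw, args in parse_conf(text):
        if kw == "restrict" and args and args[0] == "default":
            default_flags = set(args[1:])
        elif kw == "trustedkey":
            trusted.update(args)
        elif kw in ("server", "peer", "pool") and args:
            sources.append(args)
    if default_flags is None:
        findings.append("no 'restrict default' line: open to queries/control from any address")
    elif REQUIRED_DEFAULT_FLAGS - default_flags:
        findings.append("restrict default lacks: " + " ".join(sorted(REQUIRED_DEFAULT_FLAGS - default_flags)))
    for args in sources:
        key_id = args[args.index("key") + 1] if "key" in args[:-1] else None
        if key_id is None:
            findings.append("%s is unauthenticated (no 'key N'); replies could be spoofed" % args[0])
        elif key_id not in trusted:
            findings.append("%s uses key %s which is not in trustedkey" % (args[0], key_id))
    return findings
```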

TOPOLOGY AND USE

The precision and stability of NTP are such that it is suitable for even the most demanding uses, such as synchronizing an LTE base station, while still serving thousands of clients simultaneously.

We offer our experience in designing HA (high-availability) NTP solutions that fully employ the NTP mechanisms for selecting the best available source of time at any moment. Our solutions include both Authoritative Stratum 1 NTP Server implementations and Stratum 2 Reliable Time Distribution Networks that deliver accurate time to all of your networked nodes.


Network Time Server ecosystem - topology overview

HIGH AVAILABILITY


Solution Architecture – Scalable HA NTP System

IS STANDARDS

While performing IS risk assessments in many organizations, our specialists found that a Trusted Time Source, despite being the cornerstone of the audit trail and fairly inexpensive to implement, is frequently missing. Both ITIL v3 and ISO/IEC 27002 list a requirement for time synchronization and identify dependency on external sources as a risk, which together clearly points to the need to operate your own NTP Stratum 1 Time Source. Times are now changing, as many national information assurance standards recognize Clock Synchronization as one of their priorities.

Information Security Standards in United Arab Emirates

With our local presence in the U.A.E. we are committed to helping organizations meet regulatory requirements as directed by local and federal cybersecurity authorities, who have recognized Information Systems Clock Synchronization as one of the priorities.

Abu Dhabi Government – Abu Dhabi Systems & Information Centre (ADSIC),
ADSIC Information Security Standard (V1:2009 and V2:2013)

Within ADSIC ISS, Clock Synchronization has been assigned P1 as its suggested priority, and is declared mandatory for all categories of assets in an ADSIC ISS compliant organization.

V1 Control ID: CM-10.10.703
V2 Control ID: OM.20.9
Control Specification: The Entity should ensure that the internal clocks of information systems are synchronised with a common, independent time source to ensure that chronological information within log data can be relied upon.

United Arab Emirates, National Electronic Security Authority (NESA),
National Information Assurance Framework (NIAF) Policy (version 1.0, 2013)

NESA is actively involved in providing strategic guidance to critical U.A.E. government entities, directing cyber security efforts on national level, ensuring trusted digital environment for both UAE public and business community.

Control ID: T3.6.7
Priority: P4
Applicability: BASED ON RISK ASSESSMENT CONTROL - The entity shall synchronize clocks of all relevant information systems with an agreed accurate time source
Sub-Controls (“The entity shall:”):
  1) Define the date/time format and the standards time to be used in all systems
  2) Define the stratum level of clocks needed for each type of network element
  3) Regularly check that the clocks of all relevant information processing systems are synchronized

NESA NIAF Policy – Implementation guidance (for information purpose only)

Where a computer or communications device has the capability to operate a real-time clock, this clock should be set to an agreed standard, e.g. Coordinated Universal Time (UTC) - or local standard time. As some clocks are known to drift with time, there should be a procedure that checks for and corrects any significant variation.

The correct interpretation of the date/time format is important to ensure that the timestamp reflects the real date/time. Local specifics (e.g. daylight savings) should be taken into account.

TIME AND PKI

When it comes to PKI, accurate time is essential. The Issuing CA and the computer system that uses the certificate need to have synchronized time. If the end user’s computer does not have the same time as the Issuing CA, you could run into trouble.

Running a CA cluster relies on time even more. With a two-node cluster, for example, each node needs to have the same time or data will be out of sync and possibly corrupted.

A Time Stamping Server needs accurate time for legal purposes. It is therefore advisable to have your own physical Stratum 1 Authoritative Time Server on your own network. This ensures that your time stamps are accurate and your system operates at its most efficient.

Microsoft has a built-in NTP client in most of its Windows operating systems, called SNTP (Simple Network Time Protocol). SNTP is not as accurate as a full NTP client, as the time difference with SNTP can be up to 1 or 2 seconds. Though this is good enough for Kerberos tickets issued by your Primary Domain Controller to work properly most of the time, we advise you to use a proper NTP client, available at ntp.org.

For further information, please contact us at sales@recro.ae or call +971 4 4347599 / +971 4 4465180.