Details
Authentication keys should be set for NTP Servers
Rationale:
Having established the need for NTP, it is essential to ensure that the device's time is not manipulated by an attacker, as this could allow DoS against services relying on accurate time, as well as replay attacks and other malicious activity.
NTP Version 3 introduced authentication of NTP messages using a Keyed-Hash Message Authentication Code (HMAC), where a keyed hash of the message ensures both that the message is authentic and that it was not changed in transit. All JUNOS platforms support HMAC with NTP Versions 3 and 4 using MD5, and some platforms also support the more robust SHA1 and SHA2-256 algorithms.
As the MD5 and SHA1 algorithms are now considered deprecated, it is strongly recommended that SHA2-256 based keys be used. In addition, to prevent the compromise of one server from leaking the keys for all NTP Servers, a different key should be used for each server. The use of SHA-256 and of different keys per server are covered in separate Recommendations and are not tested as part of the Audit Procedure for this Recommendation.
NOTE – Both the keys and the algorithm must match on all NTP peers being configured.
Impact:
If keys or algorithms do not match on NTP Servers and Client devices, NTP will not be able to update the time, and this could impact Logging, Authentication, Encryption/VPN or other services which rely on consistent time.
Solution
Keys are configured on a key ring and identified by an ID number. To add a key, enter the following command from the [edit system ntp] hierarchy:
[edit system ntp]
user@host#set authentication-key
The
Next, for each server, configure the key to be used:
[edit system ntp]
user@host#set server key
Finally, configure the key as trusted so that the router will accept NTP traffic authenticated with it. This mechanism provides an easy method to retire keys in the event of compromise. Enter the following command from the [edit system ntp] hierarchy:
[edit system ntp]
user@host#set trusted-key
The
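To make the key ring, the trusted-key list and the mismatch behaviour described above concrete, the following added Python model (not Junos code and not part of the original Recommendation) shows how an NTP client checks the authenticator appended to a server packet and drops anything that fails. It assumes the RFC 5905 Appendix A construction (digest over secret || packet) for SHA-256 as well as MD5; the key IDs, secrets and packet header are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed key ring: key ID -> (algorithm, secret), mirroring the Junos
# "authentication-key <id> type <type> value <password>" statement.
SERVER_KEYS = {1: ("md5", b"legacy-key-1"), 2: ("sha256", b"server-two-key")}
# Key IDs the client accepts (the Junos "trusted-key" list); key 1 is retired.
TRUSTED_KEYS = {2}
HEADER = bytes([0x24]) + bytes(47)  # constructed NTPv4 header: LI=0, VN=4, Mode=4

def ntp_mac(key_id, algo, secret, packet):
    """Authenticator = 4-byte key ID + digest over secret || packet (RFC 5905
    Appendix A for MD5; the same construction is assumed here for SHA-256)."""
    return struct.pack("!I", key_id) + hashlib.new(algo, secret + packet).digest()

def sign_packet(header, key_id, key_ring):
    algo, secret = key_ring[key_id]
    return header + ntp_mac(key_id, algo, secret, header)

def verify_packet(message, key_ring, trusted_keys):
    """Return the 48-byte header if the authenticator is valid, else None (dropped)."""
    header, auth = message[:48], message[48:]
    if len(header) != 48 or len(auth) < 4:
        return None
    (key_id,) = struct.unpack("!I", auth[:4])
    if key_id not in trusted_keys or key_id not in key_ring:
        return None  # untrusted or unknown key ID
    algo, secret = key_ring[key_id]
    expected = ntp_mac(key_id, algo, secret, header)
    # Constant-time compare; a length mismatch (different algorithm) fails too.
    return header if hmac.compare_digest(expected, auth) else None

def demo():
    """Exercise the accept and reject paths; returns {case: accepted?}."""
    good = sign_packet(HEADER, 2, SERVER_KEYS)
    wrong_secret = {2: ("sha256", b"typo-on-the-client")}
    wrong_algo = {2: ("sha1", b"server-two-key")}
    tampered = good[:1] + bytes([good[1] ^ 1]) + good[2:]
    return {
        "matching key and algorithm": verify_packet(good, SERVER_KEYS, TRUSTED_KEYS) is not None,
        "retired key id": verify_packet(sign_packet(HEADER, 1, SERVER_KEYS), SERVER_KEYS, TRUSTED_KEYS) is not None,
        "secret mismatch": verify_packet(good, wrong_secret, TRUSTED_KEYS) is not None,
        "algorithm mismatch": verify_packet(good, wrong_algo, TRUSTED_KEYS) is not None,
        "tampered header": verify_packet(tampered, SERVER_KEYS, TRUSTED_KEYS) is not None,
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} -> {'accepted' if ok else 'dropped'}")
```

Only the first case is accepted; every mismatch in key ID, secret or algorithm, and any tampering with the header, leaves the client's clock unchanged, which is the Impact described above.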
Default Value:
By default, Juniper routers do not have NTP servers configured and use locally managed time.
Supportive Information
This security hardening control applies to the following categories of controls within NIST 800-53: Audit and Accountability, Identification and Authentication. This control applies to the following type of system: Juniper.