Network Time Protocol


Network Time Protocol (NTP) servers enable computers and devices such as the PIX firewall to synchronize their internal clocks with a centralized timing server. NTP works off a hierarchy in which one master clock server dictates the time settings and sends them down to several NTP servers, which synchronize with the master server. These lower NTP servers help to balance the load for hundreds or thousands of possible NTP clients looking to synchronize their clocks. The PIX firewall can become an NTP client, allowing NTP to set the clock instead of manually configuring it with the clock command. Figure 7.1 displays a simple NTP hierarchy.

Figure 7.1. An NTP hierarchy.


Configuring NTP Clients on the PIX

To configure the PIX firewall as an NTP client, the use of several commands might be necessary. The basic NTP command set designates the NTP server itself. If security is needed, a second set of commands is required to configure authentication keys.

The ntp server Command

The ntp server command enables you to designate the NTP server; its syntax is as follows:

 pixfirewall(config)# [no] ntp server <ip_address> [key <number>] source <if_name> [prefer]
Table 7.4. ntp server Command Options

 Option             Function
 ip_address         The IP address of the NTP server
 key <number>       A number, between 1 and 4,294,967,295, used to authenticate with the NTP server
 source <if_name>   The name of the interface on which the NTP server resides
 prefer             Allows you to define a preference for a specific time server

Listing 7.2 configures the PIX to use three possible time servers and to give preference to the last time server for synchronizing time.

Listing 7.2 NTP Server Configuration Example
 pixfirewall(config)# ntp server 192.168.1.100 source inside
 pixfirewall(config)# ntp server 192.168.1.101 source inside
 pixfirewall(config)# ntp server 192.168.1.102 source inside prefer
 pixfirewall(config)#
 pixfirewall(config)# show ntp
 ntp server 192.168.1.100 source inside
 ntp server 192.168.1.101 source inside
 ntp server 192.168.1.102 source inside prefer
 pixfirewall(config)#
 pixfirewall(config)# show clock detail
 14:17:31.014 UTC Sun Aug 31 2003
 Time source is NTP
 pixfirewall(config)#

In Listing 7.2, the show ntp command displays the configured NTP servers, and the show clock detail command displays the time source as NTP rather than user-configured.

NTP Authentication Commands

In secure environments, the NTP data can be exchanged with authentication between the NTP server and the PIX, so that an MD5 hash protects the time information that is passed. To do so, the following commands are required:

  • ntp authenticate

  • ntp trusted-key <number>

  • ntp authentication-key <number> md5 <value>

The ntp authenticate Command

The ntp authenticate command enables authentication for NTP communications. When this command is used, the PIX and the NTP server must authenticate to allow the PIX firewall to accept the NTP information.

The ntp trusted-key Command

The ntp trusted-key command designates a key number that must match the key option of the ntp server command. This same key number must be sent by the NTP server in every packet for the PIX to accept the NTP information.

The ntp authentication-key Command

The ntp authentication-key command enables you to associate an MD5 key string with an NTP server. The association is made through the number option, which corresponds to an ntp trusted-key command with the same number. In Listing 7.3, the NTP server is using 123 as its key number and timebandits as the MD5 key string. Listing 7.3 displays the commands used to create a secure connection.

Listing 7.3 Example of Configuring Secure NTP
 pixfirewall(config)# ntp server 192.168.1.100 key 123 source inside
 pixfirewall(config)# ntp authenticate
 pixfirewall(config)# ntp trusted-key 123
 pixfirewall(config)# ntp authentication-key 123 md5 timebandits
 pixfirewall(config)#

MD5 is used to hash the NTP information and allow secure NTP traffic to be passed between the PIX and the NTP server.
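As an added illustration (not code from the book or from the PIX software), the following Python builds a minimal NTP client packet and appends the symmetric-key MD5 authenticator in the form RFC 5905 describes (32-bit key ID followed by MD5 over the key and the packet), then checks it the way a receiver such as the PIX would. It assumes that key ID 123 and the key string timebandits from Listing 7.3 are used as literal ASCII bytes; the packet contents are constructed.

```python
import hashlib
import hmac
import struct

# Key ID and key string taken from Listing 7.3; the key is used as its literal
# ASCII bytes (assumption: the same convention as ntp.keys "M" type keys).
KEY_ID = 123
KEY = b"timebandits"
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def ntp_timestamp(unix_seconds):
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac)


def build_client_header(transmit_unix):
    """Build a minimal 48-byte NTPv4 client request (mode 3) with only the transmit stamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3               # LI=0, VN=4, mode=3 (client)
    head = struct.pack("!BBBb", li_vn_mode, 0, 6, -6)  # stratum 0, poll 2**6, precision 2**-6
    head += struct.pack("!II", 0, 0)                   # root delay, root dispersion
    head += b"\x00" * 4                                # reference ID
    head += b"\x00" * 24                               # reference, origin and receive timestamps
    return head + ntp_timestamp(transmit_unix)         # transmit timestamp


def authenticate(packet, key_id, key):
    """Append the symmetric-key MAC: 32-bit key ID followed by MD5(key || packet)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify(message, trusted_keys):
    """Receiver-side check: the key ID must be trusted and the digest must match.

    Any change to the 48-byte header (for example the transmit timestamp) changes the
    digest, which is what lets the PIX reject time information it cannot authenticate.
    """
    if len(message) < 48 + 4 + 16:
        return False                                   # no MAC present: not authenticated
    body, mac = message[:-20], message[-20:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                                   # key ID not in the trusted set
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, mac[4:])      # constant-time compare
```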

Displaying NTP Information

Now that the PIX firewall is configured for NTP, the following three commands will enable you to verify its operational status:

  • show ntp

  • show ntp status

  • show ntp associations [detail]

The show ntp Command

The show ntp command displays the current NTP configurations. The following example displays the NTP configuration created in Listing 7.3:

 pixfirewall(config)# show ntp
 ntp authentication-key 123 md5 ********
 ntp authenticate
 ntp trusted-key 123
 ntp server 192.168.1.100 key 123 source inside
 pixfirewall(config)#

The show ntp status Command

The show ntp status command displays the current clock status, like so:

 pixfirewall(config)# show ntp status
 Clock is synchronized, stratum 5, reference is 192.168.1.100
 nominal freq is 99.9967 Hz, actual freq is 99.9967 Hz, precision is 2**6
 reference time is a13124b9.46c2936b (06:28:16.000 UTC Thu Feb 7 2036)
 clock offset is 0.3213 msec, root delay is 52.32 msec
 root dispersion is 32.1 msec, peer dispersion is 4.4 msec
 pixfirewall(config)#

The preceding status output shows the IP address of the NTP server as 192.168.1.100.

The show ntp associations Command

The show ntp associations command displays information about the servers you have configured. Here is an example of the command:

 pixfirewall(config)# show ntp associations
 address         ref clock     st  when  poll reach  delay  offset    disp
 *~192.168.1.100 0.0.0.0       5   30    64   377    5.0    -3.00     4.2
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Notice the legend that is displayed with the command. The asterisk symbol (*) designates that the master has synced.
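An added example, not from the book: a Python check that parses show ntp status and show ntp associations output of the layout shown above and reports conditions worth alerting on (clock not synchronized, stale reach register, no synced master). The sample output is constructed from this section's listings, with a second, unreachable server added to exercise the failing case; the column layout and thresholds are assumptions.

```python
import re

# Constructed sample output modelled on the show ntp status and show ntp associations
# output in this section (assumption: same column layout); the second, unreachable
# peer is added here so that the check has something to report.
STATUS_SAMPLE = """Clock is synchronized, stratum 5, reference is 192.168.1.100
nominal freq is 99.9967 Hz, actual freq is 99.9967 Hz, precision is 2**6
clock offset is 0.3213 msec, root delay is 52.32 msec
root dispersion is 32.1 msec, peer dispersion is 4.4 msec"""

ASSOC_SAMPLE = """address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.1.100 0.0.0.0       5   30    64   377    5.0    -3.00     4.2
 ~192.168.1.101 0.0.0.0       16  -     64   0      0.0    0.00      16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured"""

# status flag, configured marker, address, ref clock, st, when, poll, reach (octal), delay, offset, disp
ASSOC_RE = re.compile(
    r"^\s*([*#+-]?)(~?)(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_status(text):
    """Pull sync state, stratum, reference server and offset out of show ntp status."""
    m = re.search(r"Clock is (\w+), stratum (\d+), reference is (\S+)", text)
    if not m:
        return {"synchronized": False, "stratum": None, "reference": None, "offset_ms": None}
    off = re.search(r"clock offset is (-?[\d.]+) msec", text)
    return {"synchronized": m.group(1) == "synchronized", "stratum": int(m.group(2)),
            "reference": m.group(3), "offset_ms": float(off.group(1)) if off else None}


def parse_associations(text):
    """Parse each peer line; reach is an octal shift register of the last eight polls."""
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if not m:
            continue  # the header and legend lines do not match the peer pattern
        flag, _cfg, addr, _ref, st, _when, _poll, reach, _d, offset, _disp = m.groups()
        peers.append({"address": addr, "stratum": int(st), "synced_master": flag == "*",
                      "reach_ok": bin(int(reach, 8)).count("1"), "offset_ms": float(offset)})
    return peers


def findings(status, peers, max_stratum=15, max_offset_ms=128.0):
    """Conditions a monitor should flag; an empty list means the time source looks healthy."""
    out = []
    if not status["synchronized"]:
        out.append("clock is not synchronized")
    elif status["stratum"] > max_stratum:
        out.append("stratum %d exceeds %d" % (status["stratum"], max_stratum))
    if status["offset_ms"] is not None and abs(status["offset_ms"]) > max_offset_ms:
        out.append("clock offset %.3f msec exceeds %.1f msec" % (status["offset_ms"], max_offset_ms))
    if not any(p["synced_master"] for p in peers):
        out.append("no configured server is marked * (synced master)")
    for p in peers:
        if p["reach_ok"] < 8:
            out.append("%s: answered %d of last 8 polls" % (p["address"], p["reach_ok"]))
    return out
```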



CCSP CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218
