By Andreja Jarc.
Synchronized timing is vitally important when many systems work together in a network. Services such as log files, event correlation, user authentication mechanisms, job scheduling (e.g. for backups) or Active Directory running on distributed platforms use accurate timestamps to record events in chronological order and to avoid conflicts during data replication. Without accurate time synchronization these services cannot operate correctly.
As with other network services, time synchronization is exposed to numerous cyber threats such as hacking attempts and other security hazards. Spoofing or falsifying time information may severely affect the operation of time-critical applications and degrade the stability of networks.
Meinberg therefore dedicates special care and attention to safety and security procedures, which are implemented and regularly upgraded on LANTIME NTP servers, to protect the time service from attacks and keep synchronization operating properly.
In this post I will introduce you to some efficient safeguards available in LANTIME Generation 6 servers which protect against these threats and reduce risks to an acceptable level.
- 1 Access Control and User Management
- 2 Password Options
- 3 Activation / Deactivation of unsecured network services
- 4 External authentication via TACACS+ and RADIUS
- 5 Client / Server Authentication via Autokeys and Symmetric Keys
- 6 Hardware Protection enabled by Redundant Configuration Setups
Access Control and User Management
It is possible to create multiple user accounts on a LANTIME system; each account can be assigned to one of three user privilege levels:
• Super-User: full read / write control over Web GUI and command line functions
• Admin-User: restricted read / write control over Web GUI and CLI functions
• Info-User: read permission only
Figure 1: A list of multiple users on a LANTIME with different privileges.
All users can be password protected. The following options can be activated to enhance the security of user passwords:
• Minimum password length
• Allow only secure passwords
• List of valid special characters
• User must change the password periodically at configured intervals
Figure 2: Security levels for password generation.
Activation / Deactivation of unsecured network services
All available network services can be activated or deactivated separately for every interface, so unsecured protocols such as FTP, HTTP or Telnet can be deactivated on the interfaces where they are not needed. See the following example:
Figure 3: Activation / deactivation of network services for each interface separately.
External authentication via TACACS+ and RADIUS
There are several user account authentication methods available on LANTIME systems. One option is external authentication via TACACS+ or RADIUS. In contrast to RADIUS, TACACS+ refers to a family of protocols for remote authentication and network access control in which the entire packet body is encrypted.
TACACS+: Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol used to communicate with an authentication server, commonly used in UNIX networks.
RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication for MEINBERG time servers to connect to and use the network services. RADIUS is a client/server protocol that runs in the application layer, using UDP as transport.
Figure 4: Activation of Remote Authentication in the User Administration dialog.
Client / Server Authentication via Autokeys and Symmetric Keys
NTP version 4 supports symmetric keys and additionally provides the Autokey feature. Both are supported by Meinberg LANTIME systems.
The authenticity of the time received at NTP clients is ensured by the symmetric key technique. With this method every packet carries a 32-bit key ID and a cryptographic 64/128-bit checksum of the packet. This checksum is computed with MD5 or DES; both algorithms offer sufficient protection against data manipulation.
Figure 5: Web GUI dialog for NTP MD5 Keys generation.
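To make the key ID plus checksum mechanism concrete, here is an added example (not Meinberg's or ntpd's code) that builds an NTPv4 header, appends the symmetric-key MAC in the RFC 5905 layout (32-bit key ID followed by the digest of key || packet) and verifies it on the receiving side, rejecting tampered, unauthenticated and unknown-key packets. The key table and the key material are constructed for the example; the digest parameter lets you try the other digests ntpd accepts (e.g. SHA1) besides MD5.

```python
import hashlib
import hmac
import struct

# Constructed key table in the spirit of an ntp.keys file: {key_id: key}.
# Key IDs for symmetric keys are in the range 1..65535.
KEYS = {1: b"constructed-example-shared-secret"}

NTP_HEADER_LEN = 48


def build_ntp_header(transmit_ts=0):
    """Build a 48-byte NTPv4 client header (LI=0, VN=4, Mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)  # stratum, poll, precision
    header += struct.pack("!II", 0, 0)                   # root delay, root dispersion
    header += b"\x00" * 4                                # reference ID
    header += struct.pack("!Q", 0) * 3                   # reference, origin, receive ts
    header += struct.pack("!Q", transmit_ts)             # transmit timestamp (64-bit)
    return header


def sign_packet(header, key_id, algorithm="md5"):
    """Append MAC = key_id (32 bit) || digest(key || packet), per RFC 5905 7.3."""
    digest = hashlib.new(algorithm, KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet, algorithm="md5"):
    """Return True only if the packet carries a valid MAC under a trusted key."""
    dlen = hashlib.new(algorithm).digest_size
    mac_len = 4 + dlen
    if len(packet) < NTP_HEADER_LEN + mac_len:
        return False  # no MAC present: treat as unauthenticated and reject
    body, mac = packet[:-mac_len], packet[-mac_len:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = KEYS.get(key_id)
    if key is None:
        return False  # key ID not in the trusted key table
    expected = hashlib.new(algorithm, key + body).digest()
    # Constant-time comparison avoids leaking digest bytes through timing.
    return hmac.compare_digest(expected, mac[4:])


if __name__ == "__main__":
    pkt = sign_packet(build_ntp_header(0x0123456789ABCDEF), 1)
    print(len(pkt), verify_packet(pkt))  # 68 bytes: 48 header + 4 key ID + 16 MD5
```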
Hardware Protection enabled by Redundant Configuration Setups
There are a number of methods to assure highly available and reliable operation of Meinberg LANTIME systems. Different redundant configuration setups enable a time server to operate seamlessly if some of its components experience operational difficulties.
Meinberg LANTIME and IMS (Intelligent Modular Synchronization) systems allow redundant configuration to protect from the following potential failures:
1. Power supply failure
2. Reference clock failure (signal loss or malicious interference)
3. Network unavailability
4. Inadequate server performance
5. Physical damage.
For more about the various redundant configuration setups using LANTIME systems, refer to one of the older posts:
If you wish to learn more about NTP safety and the protection measures for network timing, visit the NTP Complete Training at the Meinberg Sync Academy.
More information about NTP time servers for networks of different sizes and industries can be found on the Meinberg website: www.meinbergglobal.com.
Enjoy Your Summer and Stay In Sync with Us!