Device Security – Cisco NTP

This week has seen a few vulnerabilities become very public: one that targets home routers (Misfortune Cookie) and another of note for people running NTP (ntpd – http://www.eweek.com/security/four-flaws-expose-critical-network-time-keeping-servers-to-attack.html ). Between these and the hacks on Sony, iCloud etc., this year has served as a reminder to me that device security is something that often changes, and may be impacted by protocols, devices or other changes on your network, be it home or otherwise.

A great example of this is consumer routers coming with IPv6 support. Years ago, I swapped to a new router that came with IPv6 support. Little did I know at the time that my ISP automatically assigned clients a /56 IPv6 subnet by default. My router was then happily handing out a /64 to the LAN segment, meaning all my home devices automatically got a public IPv6 address. I can tell you, it was very scary the day I was able to connect from a public network to my NAS and other network devices without filtering. This security issue arose because I changed one piece of hardware without realising the full impact that change would make.

Getting to the topic, a lot of people configure their Cisco routers and switches to use NTP. However, I have found in the past that doing this also enables the Cisco device as an NTP server. Yep, that's right: if you typed "ntp server pool.ntp.org" into your Cisco IOS router, as an example, it has not only started the client to update its own time, but it has started acting as a server too, answering NTP requests from any host that can reach it on UDP port 123, until you restrict it. Luckily, you are able to secure it. Here is what you need to do.

(In this example I will use 10.1.10.1 and 10.2.20.1 as the NTP servers.)

First, we need to create a standard ACL that matches the NTP servers we want our device to synchronise with (the NTP access group filters on the source address of incoming NTP packets):

!
configure terminal
access-list 10 permit 10.1.10.1
access-list 10 permit 10.2.20.1
access-list 10 deny any
!

Here I will assume you have already configured your servers ("ntp server 10.1.10.1" and "ntp server 10.2.20.1"). The next step is to apply the ACL. Even though I use the command "ntp server 10.1.10.1" rather than "ntp peer 10.1.10.1", as they do different things (see here – http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html ), when you apply the ACL you need to use the "peer" access type. That is the only one of the four (peer, serve, serve-only, query-only) that allows the device to synchronise itself to the hosts it matches; serve and serve-only only let matched hosts take time from the device, and query-only allows control queries alone. So the command is:

!
ntp access-group peer 10
!
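Pulling the pieces together, here is a complete before-and-after configuration as an added example (it is not from the original post). It assumes the two servers above, a LAN of 192.168.1.0/24 that should still be allowed to take time from the router, and an internet-facing interface named GigabitEthernet0/0 through which none of the NTP servers are reached; the LAN range and the interface name are illustrative assumptions.

```cisco
!
! BEFORE: this is all many people type. It starts the NTP process, and with
! no ntp access-group configured the device also answers NTP requests from
! any source address that can reach it on UDP/123.
!
ntp server 10.1.10.1
ntp server 10.2.20.1
!
! AFTER: same servers, but NTP access is restricted.
!
! 1. Sources we synchronise with (a standard ACL matches the source address).
access-list 10 remark NTP servers this device synchronises with
access-list 10 permit 10.1.10.1
access-list 10 permit 10.2.20.1
access-list 10 deny   any log
!
! 2. Only those sources may be full peers. Once any ntp access-group exists,
!    NTP packets not matched by one of the groups are ignored.
ntp access-group peer 10
!
! 3. Assumed LAN (192.168.1.0/24) that should still get time from this device.
!    serve-only permits time requests only: no control queries, and the device
!    never synchronises to these hosts. Omit this block if nothing should be
!    served at all.
access-list 11 remark LAN hosts allowed to request time
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 deny   any log
ntp access-group serve-only 11
!
! 4. Assumed internet-facing interface. "ntp disable" stops NTP packets being
!    processed on it. Only do this where none of your NTP servers are reached
!    through that interface, or the device will stop synchronising.
interface GigabitEthernet0/0
 description WAN (assumed interface name)
 ntp disable
!
end
!
! Verify: "Clock is synchronized" and a sane stratum in the status output,
! and only the two configured servers listed as associations.
show ntp status
show ntp associations
```

On IOS releases that support it, the same restriction can be applied to IPv6 associations with "ntp access-group ipv6 peer <ipv6-acl>"; the IPv4 group above does nothing for IPv6 sources, which matters given the IPv6 story earlier in this post.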

Your network device should now no longer respond to NTP queries, except from hosts in that ACL; once any access group is configured, NTP packets from sources that match none of the groups are ignored. Two caveats: the ACL matches addresses, so configure your servers by fixed IP address (if you use a hostname such as pool.ntp.org, the device resolves it to an address you have not put in the ACL and synchronisation will stop), and check the result on the device with "show ntp status" and "show ntp associations" before you walk away.
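To confirm the change from the outside, here is a small probe, added as an example for this post and not a Cisco or ntpd tool: it sends one ordinary NTP client request (mode 3, 48 bytes) to UDP/123 and reports whether, and at what stratum, the device answered. Run it from a host that is not in the ACL; a device that is still serving answers with a mode 4 packet, a correctly restricted one gives no reply at all. The address 192.0.2.1 in the usage line is a placeholder, not a real device, and the only packet layout assumed is the standard NTP header.

```python
"""Probe a host on UDP/123 with a plain NTP client request and report whether
it answers. Added example for this post; not a Cisco or ntpd tool."""
import socket
import struct
import sys
from typing import Optional

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800


def build_client_request(version: int = 4) -> bytes:
    """Minimal 48-byte NTP packet: LI=0, VN=version, Mode=3 (client), rest zero."""
    first_byte = (0 << 6) | (version << 3) | 3
    return bytes([first_byte]) + bytes(47)


def parse_response(data: bytes) -> dict:
    """Decode the fixed NTP header fields we care about from a reply."""
    if len(data) < 48:
        raise ValueError(f"short NTP packet: {len(data)} bytes")
    first, stratum, _poll, _precision = struct.unpack("!BBbb", data[:4])
    # The transmit timestamp is the last 8 bytes of the 48-byte header:
    # 32-bit seconds since 1900 and a 32-bit fraction of a second.
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
        "transmit_time": tx_secs - NTP_UNIX_OFFSET + tx_frac / 2**32,  # Unix time
    }


def classify(reply: Optional[dict]) -> str:
    """Turn a parsed reply (or None for no reply) into a one-line verdict."""
    if reply is None:
        return "no reply: filtered by the access-group, or NTP not running"
    if reply["mode"] != 4:
        return f"unexpected NTP mode {reply['mode']} in reply"
    if reply["stratum"] == 0 or reply["stratum"] > 15:
        # Stratum 0 is a kiss-o'-death or unsynchronised server; 16+ is unusable.
        return f"replies but does not serve usable time (stratum {reply['stratum']})"
    return f"serves time to this host (stratum {reply['stratum']})"


def probe(host: str, port: int = 123, timeout: float = 2.0) -> Optional[dict]:
    """Send one client request and wait for a single reply; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (host, port))
        try:
            data, _addr = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)


if __name__ == "__main__":
    # Usage: python ntp_probe.py 192.0.2.1   (placeholder address, not a real device)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(f"{target}: {classify(probe(target))}")
```

A plain client request is exactly what a "serve-only" group would still permit, so if you have added one for your LAN, run the probe from outside that range. To confirm that NTP control queries are blocked as well, "ntpq -c rv <host>" from a machine with the ntp tools installed is the simplest test; it should time out against a device that only has a peer group configured.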

Wishing everyone all the best for the holidays and 2015! Remember to back up those videos and photos 🙂