You Best Hide Your NTP Servers!

[deanwebb]

https://threatpost.com/novel-ntp-attacks-roll-back-time/115138/

Summary: NTP attack can invalidate an entire enterprise's crypto. All of it.

[NetworkGroover]

https://threatpost.com/novel-ntp-attacks-roll-back-time/115138/

Summary: NTP attack can invalidate an entire enterprise's crypto. All of it.

Haha... that's like... "Yeah...  f#@k your crypto...  how you like them apples?"

[Nerm]

Wow!

[wintermute000]

the hilarious thing is that when you think about it, the 'flaw' was there all along in the design i.e. reliance on time for PKI and a whole bunch of other security related protocols. Its just that nobody made a big deal about this until now. I read somewhere that exploiting NTP has been going on for quite some time.

[deanwebb]

Thing is, most NTP is handled as an afterthought on a server or router. If it's a dedicated device, it's not a hardened one.

[mmcgurty]

We rolled (4) Microsemi (formerly Symmetricom) S300 SyncServers this year internally with GPS.  I was very surprised to see they support TACACS/RADIUS, NTP MD5 Auth, SSL, and ACL rules to the admin interface.  We are in the process of converting everything in the company over to these from AIX virtual servers that use various Internet NTP servers.  NTP was always an afterthought here until we starting rolling Oracle RAC with multiple systems replicating and the clock drift was causing database entry problems.  Now we are just using LANCOPE StealthWatch to catch the ones with hardcoded NTP servers in their configurations.

[deanwebb]

Cool application of the Netflow monitor. I like that angle.

[SimonV]

We rolled (4) Microsemi (formerly Symmetricom) S300 SyncServers this year internally with GPS.  I was very surprised to see they support TACACS/RADIUS, NTP MD5 Auth, SSL, and ACL rules to the admin interface.  We are in the process of converting everything in the company over to these from AIX virtual servers that use various Internet NTP servers.  NTP was always an afterthought here until we starting rolling Oracle RAC with multiple systems replicating and the clock drift was causing database entry problems.  Now we are just using LANCOPE StealthWatch to catch the ones with hardcoded NTP servers in their configurations.

Sounds pretty cool, how much do those go for?

[mmcgurty]

We rolled (4) Microsemi (formerly Symmetricom) S300 SyncServers this year internally with GPS.  I was very surprised to see they support TACACS/RADIUS, NTP MD5 Auth, SSL, and ACL rules to the admin interface.  We are in the process of converting everything in the company over to these from AIX virtual servers that use various Internet NTP servers.  NTP was always an afterthought here until we starting rolling Oracle RAC with multiple systems replicating and the clock drift was causing database entry problems.  Now we are just using LANCOPE StealthWatch to catch the ones with hardcoded NTP servers in their configurations.

Sounds pretty cool, how much do those go for?

$5500/ea not including the GPS amplifiers, lightning arrestors, and 3yr maintenance.

[Reggle]

$5500/ea not including the GPS amplifiers, lightning arrestors, and 3yr maintenance.

My response: http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

[mmcgurty]

$5500/ea not including the GPS amplifiers, lightning arrestors, and 3yr maintenance.

My response: http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

I like the solution but it is not an enterprise solution with a maintenance contract to back it and tech support to contact when it doesn't work.

[Reggle]

True that of course :-)

[mmcgurty]

$5500/ea not including the GPS amplifiers, lightning arrestors, and 3yr maintenance.

My response: http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

Thanks for the post, I think I am going to get one of these for my house just to play with.