You Best Hide Your NTP Servers!

Started by deanwebb, October 22, 2015, 01:34:47 PM

deanwebb

https://threatpost.com/novel-ntp-attacks-roll-back-time/115138/

Summary: NTP attack can invalidate an entire enterprise's crypto. All of it.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

NetworkGroover

Quote from: deanwebb on October 22, 2015, 01:34:47 PM
https://threatpost.com/novel-ntp-attacks-roll-back-time/115138/

Summary: NTP attack can invalidate an entire enterprise's crypto. All of it.

Haha... that's like... "Yeah...  f#@k your crypto...  how you like them apples?"
Engineer by day, DJ by night, family first always

wintermute000

The hilarious thing is that when you think about it, the 'flaw' was there all along in the design, i.e. reliance on time for PKI and a whole bunch of other security-related protocols. It's just that nobody made a big deal about this until now. I read somewhere that exploiting NTP has been going on for quite some time.

deanwebb

Thing is, most NTP is handled as an afterthought on a server or router. If it's a dedicated device, it's not a hardened one.

mmcgurty

We rolled (4) Microsemi (formerly Symmetricom) S300 SyncServers this year internally with GPS. I was very surprised to see they support TACACS/RADIUS, NTP MD5 Auth, SSL, and ACL rules to the admin interface. We are in the process of converting everything in the company over to these from AIX virtual servers that use various Internet NTP servers. NTP was always an afterthought here until we started rolling Oracle RAC with multiple systems replicating and the clock drift was causing database entry problems. Now we are just using LANCOPE StealthWatch to catch the ones with hardcoded NTP servers in their configurations.
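mmcgurty mentions NTP MD5 auth on the SyncServers. The exchange below is an added example, not code from the original posts or from Microsemi's firmware: it shows what that authentication is (RFC 5905 symmetric-key mode: a 4-byte key ID plus MD5 over the shared key followed by the 48-byte header) and the checks a client should apply before it believes a reply: the MAC, the mode, the stratum, the origin-timestamp match against its own request, and ntpd's default 1000-second panic gate. The key, key ID and timestamps are constructed. Note what each check does and does not buy: a reply forged without the key fails on the MAC, but a reply signed with a stolen or guessable key passes it and is only stopped by the offset gate, and ntpd started with -g may take one step of any size, so the gate alone is not a defence against the attacks the linked article describes.

```python
"""Authenticated NTP request/reply plus the client-side checks that make a
time-shifting reply hard to swallow.  Added example for this thread; not code
from the original posts or from any vendor.  Key, key ID and timestamps are constructed."""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

NTP_UNIX_DELTA = 2208988800   # seconds from NTP era 0 (1900-01-01) to the Unix epoch
PANIC_THRESHOLD = 1000.0      # ntpd's default panic gate; "-g" lets the first step bypass it
HEADER_FMT = "!BBBbII4sQQQQ"  # LI/VN/mode, stratum, poll, precision, root delay, root
                              # dispersion, reference ID, ref/origin/receive/transmit stamps
HEADER_LEN = 48
MAC_LEN = 20                  # 4-byte key ID + 16-byte MD5 digest (RFC 5905 symmetric key)

def to_ntp(unix: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix)
    return ((secs + NTP_UNIX_DELTA) << 32) | int((unix - secs) * (1 << 32))

def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)

def build_header(mode: int, stratum: int, origin: int, receive: int, transmit: int) -> bytes:
    li_vn_mode = (0 << 6) | (4 << 3) | mode            # leap indicator 0, version 4
    refid = b"GPS\x00" if stratum == 1 else b"\x00" * 4
    # reference timestamp set to the transmit time for brevity
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       transmit, origin, receive, transmit)

def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """RFC 5905 MAC: key ID, then MD5 over the shared key followed by the header."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def verify_mac(message: bytes, keys: Dict[int, bytes]) -> Optional[bytes]:
    """Return the authenticated 48-byte header, or None if the MAC is absent, unknown or wrong."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return None
    header = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])[0]
    key = keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + header).digest()
    return header if hmac.compare_digest(expected, message[HEADER_LEN + 4:]) else None

def client_request(t1: float, key_id: int, key: bytes) -> bytes:
    """Mode-3 request; the server only needs our transmit timestamp T1."""
    return append_mac(build_header(3, 0, 0, 0, to_ntp(t1)), key_id, key)

def server_reply(request: bytes, server_now: float, key_id: int, key: bytes,
                 keys: Dict[int, bytes], stratum: int = 1) -> Optional[bytes]:
    """Mode-4 reply: echo the client's T1 into origin, stamp T2/T3 from the server clock."""
    header = verify_mac(request, keys)
    if header is None:
        return None
    t1_ntp = struct.unpack(HEADER_FMT, header)[10]
    t2 = t3 = to_ntp(server_now)   # a real server stamps receive and transmit separately
    return append_mac(build_header(4, stratum, t1_ntp, t2, t3), key_id, key)

def client_evaluate(reply: bytes, t1: float, t4: float, keys: Dict[int, bytes],
                    panic: float = PANIC_THRESHOLD) -> Tuple[str, Optional[float]]:
    """Authenticate and sanity-check a reply; returns (verdict, offset in seconds)."""
    header = verify_mac(reply, keys)
    if header is None:
        return "bad_mac", None
    f = struct.unpack(HEADER_FMT, header)
    if f[0] & 0x7 != 4:
        return "bad_mode", None
    if f[1] == 0 or f[1] > 15:
        return "unsynced", None        # stratum 0 is a kiss-o'-death, 16 is unsynchronized
    if f[8] != to_ntp(t1):
        return "bogus_origin", None    # not the reply to the request we sent
    t2, t3 = from_ntp(f[9]), from_ntp(f[10])
    offset = ((t2 - t1) + (t3 - t4)) / 2   # RFC 5905 clock offset
    if abs(offset) > panic:
        return "panic", offset         # refuse the step rather than rewrite the clock
    return "ok", offset

def demo() -> Dict[str, str]:
    """Constructed exchange: one honest GPS server, one rogue host claiming 30 days ago."""
    keys = {1: b"correct-horse-battery"}      # shared symmetric key (constructed)
    t1 = 1445522087.0                          # client clock when the request left
    request = client_request(t1, 1, keys[1])
    honest = server_reply(request, t1 + 0.010, 1, keys[1], keys)
    rogue_with_key = server_reply(request, t1 - 30 * 86400, 1, keys[1], keys)
    rogue_no_key = server_reply(request, t1 - 30 * 86400, 1, b"guess", keys)
    t4 = t1 + 0.020                            # client clock when the reply arrived
    return {
        "honest": client_evaluate(honest, t1, t4, keys)[0],
        "rogue_with_key": client_evaluate(rogue_with_key, t1, t4, keys)[0],
        "rogue_no_key": client_evaluate(rogue_no_key, t1, t4, keys)[0],
        "replayed_to_other_request": client_evaluate(honest, t1 + 1.0, t4 + 1.0, keys)[0],
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} {verdict}")
```

Run as a script it prints the four verdicts: the honest reply is accepted, the unsigned rogue fails on the MAC, the rogue holding the key is caught only by the panic gate, and a genuine reply replayed against a different request fails the origin check.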

deanwebb

Cool application of the Netflow monitor. I like that angle.
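mmcgurty's StealthWatch use above comes down to a simple rule over flow records: any UDP/123 leaving an internal host for something other than the approved servers is a client with a hardcoded or default NTP setting. The block below is an added example that reproduces that rule on a constructed flow export; it is not StealthWatch's logic or output, and the CSV columns, addresses and approved-server list are all assumptions. It also reports the inverse case, Internet hosts querying an internal NTP service, which is the exposure the thread title warns about.

```python
"""Flag hosts whose NTP traffic does not go to the approved internal servers.
Added example for this thread; not StealthWatch output and not the poster's
configuration.  Flow format, addresses and approved-server list are constructed."""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed: four internal GPS-disciplined servers, as in mmcgurty's deployment.
APPROVED_NTP = {"10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
NTP_PORT, UDP = 123, 17

# Constructed flow export in a flat CSV shape (what a collector might dump).
# 198.51.100.x / 203.0.113.x are documentation ranges standing in for Internet hosts.
SAMPLE_FLOWS = """\
start,src_ip,dst_ip,proto,src_port,dst_port,packets,bytes
2015-10-26T08:00:01,10.20.1.5,10.0.0.11,17,123,123,1,76
2015-10-26T08:00:03,10.20.1.9,198.51.100.7,17,123,123,1,76
2015-10-26T08:00:04,10.20.1.9,198.51.100.7,17,123,123,1,76
2015-10-26T08:00:07,10.30.4.2,10.0.0.12,17,123,123,1,76
2015-10-26T08:00:09,192.168.7.20,203.0.113.50,17,38011,123,1,76
2015-10-26T08:00:11,10.20.1.5,10.0.0.11,6,51522,443,12,3400
2015-10-26T08:00:13,203.0.113.9,10.0.0.11,17,123,123,1,76
2015-10-26T08:00:15,10.30.4.2,10.30.4.1,17,123,123,1,76
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def audit_ntp_flows(flow_csv: str, approved=APPROVED_NTP) -> Dict[str, Dict[str, List[str]]]:
    """Return {'rogue_clients': {src: [dsts]}, 'inbound_from_outside': {dst: [srcs]}}.

    A rogue client is an internal host sending UDP/123 anywhere but an approved
    server: a hardcoded pool entry, a vendor default, a sibling router.  Inbound
    UDP/123 from outside to an internal host means an NTP service is reachable
    from the Internet.
    """
    rogue = defaultdict(set)
    inbound = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["proto"]) != UDP or int(row["dst_port"]) != NTP_PORT:
            continue                       # only NTP queries matter here
        src, dst = row["src_ip"], row["dst_ip"]
        if is_internal(src) and dst not in approved:
            rogue[src].add(dst)
        elif not is_internal(src) and is_internal(dst):
            inbound[dst].add(src)
    return {
        "rogue_clients": {s: sorted(d) for s, d in sorted(rogue.items())},
        "inbound_from_outside": {d: sorted(s) for d, s in sorted(inbound.items())},
    }

if __name__ == "__main__":
    report = audit_ntp_flows(SAMPLE_FLOWS)
    for src, dsts in report["rogue_clients"].items():
        print(f"{src} still talks NTP to {', '.join(dsts)}")
    for dst, srcs in report["inbound_from_outside"].items():
        print(f"{dst} answers NTP from the Internet: {', '.join(srcs)}")
```

On the sample data this names three internal hosts still pointed at non-approved servers (one of them at a neighbouring router rather than the Internet, which the same rule catches) and one approved server that is being queried from outside. In practice the approved set and internal ranges come from inventory, and the flows from the collector's export rather than an inline string.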

SimonV

Quote from: mmcgurty on October 26, 2015, 08:21:53 AM
We rolled (4) Microsemi (formerly Symmetricom) S300 SyncServers this year internally with GPS. I was very surprised to see they support TACACS/RADIUS, NTP MD5 Auth, SSL, and ACL rules to the admin interface. We are in the process of converting everything in the company over to these from AIX virtual servers that use various Internet NTP servers. NTP was always an afterthought here until we started rolling Oracle RAC with multiple systems replicating and the clock drift was causing database entry problems. Now we are just using LANCOPE StealthWatch to catch the ones with hardcoded NTP servers in their configurations.

Sounds pretty cool, how much do those go for?

mmcgurty

Quote from: SimonV on October 26, 2015, 01:59:12 PM

Sounds pretty cool, how much do those go for?

$5500/ea not including the GPS amplifiers, lightning arrestors, and 3yr maintenance.

Reggle

Quote from: mmcgurty on October 27, 2015, 07:24:12 AM
$5500/ea not including the GPS amplifiers, lightning arrestors, and 3yr maintenance.

My response: http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

mmcgurty

Quote from: Reggle on October 28, 2015, 05:06:58 PM
Quote from: mmcgurty on October 27, 2015, 07:24:12 AM
$5500/ea not including the GPS amplifiers, lightning arrestors, and 3yr maintenance.
My response: http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

I like the solution but it is not an enterprise solution with a maintenance contract to back it and tech support to contact when it doesn't work.

mmcgurty

Quote from: Reggle on October 28, 2015, 05:06:58 PM
Quote from: mmcgurty on October 27, 2015, 07:24:12 AM
$5500/ea not including the GPS amplifiers, lightning arrestors, and 3yr maintenance.
My response: http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

Thanks for the post, I think I am going to get one of these for my house just to play with.