CCNA Security Exam Tutorial:

An Illustrated Look At The Network Time Protocol (NTP)

Chris Bryant, CCIE #12933

 

When it comes to network security, time may not be the first thing on your mind... but if your network devices don't keep the same time, some of your network defenses will be weakened or non-operational!

That's why the Network Time Protocol is so important for both your exam studies and working with real-world networks. Today, we'll take an illustrated look at the basic operation of NTP and follow that with basic and more-complex NTP configurations on live Cisco routers.

The Importance Of The Network Time Protocol (NTP)

It's vital for our routers to have a synchronized, central time source. Having an accurate time source for our network allows the following to work correctly:

Router syslogs will have accurate and synchronized time throughout the network, making troubleshooting much easier

Digital certificates rely on accurate and synchronized time for all involved devices

The "accounting" part of AAA relies on - you guessed it! - accurate and synchronized time throughout the network.  (Authorization and authentication can also be affected.)

NTP allows us to specify time sources for our routers.  A Cisco router can be configured to get its time from another router in the same network or an external time source.

At the very top of the NTP hierarchy, we have stratum-0 devices.   Time servers at this level are typically atomic clocks, and you cannot configure a Cisco router to get its time directly from a stratum-0 server.

[Figure: NTP Stratum 0 Atomic Clock]

Stratum-1 servers are generally referred to as time servers, and we can configure a Cisco router to get its time from a time server.

[Figure: NTP Stratum 1 Time Server]


It's strongly recommended that your network's "outside" router receive its time from a public NTP timeserver.   For the latest IP addresses of these servers, just do a quick search on the term public NTP servers.

NTP uses UDP port 123, so make sure your ACLs permit that port between your NTP clients and their time sources rather than blocking it outright!

Cisco routers can serve as an NTP server, client, or peer.   They can also depend on NTP broadcasts for the correct time.

As you'd expect, an NTP Server gives Clients the correct time. Clients accept this time synchronization message and set their internal clock accordingly. Clients will not send NTP time sync messages back to the Server.

[Figure: NTP Server And Client]

We're not limited to the traditional Server/Client configuration. NTP Peers send NTP messages to each other, and either peer can send time synch messages to the other.

[Figure: NTP Client And Peer]

If we configure NTP to run in broadcast mode or multicast mode, the Server will broadcast / multicast its NTP messages to the Clients.  Keep in mind that a router will not forward broadcasts or multicasts by default, and that includes NTP messages.
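As an added configuration example (not from the original tutorial), here is how broadcast mode is set up on two routers that share one LAN segment. The interface names, the 10.1.1.0/24 addressing and the key string are assumptions for a lab; the NTP commands themselves are standard IOS.

```cisco
! Added example, not part of the original tutorial. Interface names, addresses
! and the key string are assumed values for a lab LAN segment 10.1.1.0/24.
!
! --- R1: NTP broadcast server (assumes R1 already has a valid time source) ---
R1(config)# ntp authentication-key 1 md5 LabKey01
R1(config)# interface FastEthernet0/0
R1(config-if)# ip address 10.1.1.1 255.255.255.0
! "key 1" makes every broadcast carry an MD5 authenticator so clients can
! reject spoofed broadcasts from another host on the segment.
R1(config-if)# ntp broadcast key 1
!
! --- R2: NTP broadcast client on the same segment ---
R2(config)# ntp authentication-key 1 md5 LabKey01
! Only accept time from broadcasts authenticated with a trusted key.
R2(config)# ntp authenticate
R2(config)# ntp trusted-key 1
R2(config)# interface FastEthernet0/0
R2(config-if)# ip address 10.1.1.2 255.255.255.0
R2(config-if)# ntp broadcast client
!
! --- Verify on R2 ---
R2# show ntp associations
R2# show ntp status
R2# show clock
```

Because a router does not forward these broadcasts, R2 only hears R1 if both interfaces sit on the same segment; routers on other segments need their own broadcast server or a unicast ntp server / ntp peer configuration. Multicast mode is configured the same way at the interface level with ntp multicast on the server and ntp multicast client on the client, and it has the same "stays on the segment" limitation unless multicast routing is configured.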

NTP Vulnerabilities

Note: This is in no way a comprehensive list of every NTP vulnerability.

Digital certificates depend on a network keeping accurate and synchronized time, and it's that dependency that an attacker will attempt to exploit. An attacker could attempt to change the time in your network - and render digital certificates invalid - by sending false time data in spoofed NTP packets.

There are a couple of basic defenses against this possibility:

Use NTP version 3 or higher (NTPv3 and later support cryptographic authentication of time sources, a capability that versions 1 and 2 do not have)

You can set up a master NTP clock on your own network

Setting The Clock And Configuring NTP

It's highly recommended that you use an NTP public timeserver as your NTP Master time source. 

If you use one of your network routers as an NTP Master, it's imperative that you use NTP authentication and/or ACLs to prevent routers outside your network from attempting to synchronize with your router.

Since this is a lab environment,  we'll configure R1 as our NTP Master.  R1 will serve as R3's NTP Server, and then we'll configure an NTP peering between R2 and R3.  The router number serves as the last octet of each IP address in this lab.

[Figure: NTP Lab]

We'll tackle this lab in the Configuring Network Time Protocol section of this CCNA Security / CCNP ISCW tutorial. See you there!

There are also over 350 Cisco CCNA and CCNP tutorials waiting for you...

... and as always, thanks for making The Bryant Advantage part of your certification studies!
