The Time is Now:  The Convergence of Networks, Time Synchronization and Information Security Ben Rothke, CISSP CISA | BT Professional Services | 27/10/08 | Session NET-105
About me Senior Security Consultant – BT Professional Services Certifications: CISSP, CISM, PCI QSA, SITA IT sector since 1988 / Information security since 1994 Frequent writer and speaker Author of  Computer Security: 20 Things Every Employee Should Know   (McGraw-Hill 2006)
Agenda Session is: An overview of the need for time synchronization Why time synchronization is critical for security software and hardware to run effectively An overview of NTP  Session is not: A comprehensive overview of setting up a corporate  time synchronization infrastructure How to configure NTP Which time synchronization product to purchase Feel free at any point today to make a correction, share a story, make a comment, etc.
Defining Time It is difficult to provide an uncontroversial and clear definition of the nature of time or even what time is.  Time can be one of the following: an instance or single occasion for some event a period considered as a resource under your control and sufficient to accomplish something In physics - time is distance divided by velocity Kant defines time as a determinate form in which alone the intuition of inner state is possible and everything which belongs to that inner state is therefore represented in relations of time and space.  Song on  Dark Side of the Moon -  Pink Floyd
Doing things on time is universal Nearly every activity requires synchronized time to operate at peak levels: Plane departures Television Sporting events Day trading Job shifts FedEx / DHL / UPS Members of an orchestra Industrial processes Financial markets Point of sale IP telephony Arbitrage Criminal forensics Factories Cooking Medical GPS Traffic signals SWAT Teams EDI Digital forensics Cron jobs / scripts Police / Fire / Emergency Service If we didn't have time, everything would happen all at once.  -  Hoyt Kesterson
Real world examples - Enron Enron CFO and other members of the Enron executive team made it a habit to engage in time-based data manipulation Andrew Fastow and team alter and change financial data to suit whatever it was they wanted the investing public or government authorities to know, or not know. January 2004 - Fastow pleads guilty, sentenced to 10 years Agrees to help prosecutors build a case against former chairman Kenneth Lay and former CEO Jeffrey Skilling
More real world examples NextCard Autotote RiteAid Sirena Parmalat Adelphia In all of these cases, effective time synchronization would have provided data integrity assurance of financial reports, grant letters, loan reports, securities transactions, letters of credit and much more.
Importance of time synchronization Allows events to occur at the proper time -  event synchronization Schedule a process and ensure that it starts or stops on time or runs for a specified period regardless of when it starts or stops Provides proof when events occurred or did not occur -  digital forensics Ensure that cooperating processes can interoperate correctly, so that if one process hands a task off to another process, the second process will in fact be ready to accept the handoff
Costs / ROI Enterprise-level time servers cost approximately €2,000 to €10,000 depending on the level of accuracy required, and if redundancy is needed. Can be installed and running in a few hours Benefits include: reduced downtime prevent operational failure avoid data loss improve security mitigate legal exposure ROI Time services ROI often measured in weeks or months
Practical Example Attacker illegally infiltrates your system on Sunday July 9, 2006 between 14:42:39 and 15:21:57 Your system logs show that these events occurred starting at 19:49:12 Attacker has witnesses stating that he was watching the World Cup Final with them from 18:00 – 22:00 Prosecutor won’t take the case as the logs can’t be admitted as evidence “A snafu such as seriously unsynchronized logs would be regarded by a defense lawyer as a providential gift” Ronald Coleman, Esq.
Regulatory Time synchronization is being added to numerous regulations and industry standards: 21 CFR Part 11 PCI GLBA Sarbanes-Oxley HIPAA ETSI National Emergency Number Association Public Safety Answering Point Master Clock Standard National Fire Protection Association Standard #1221 - Installation, Maintenance and Use of Emergency Services Communication Systems
Regulatory – PCI version 1.2 October 2008 Section 10.4 -  Synchronize all critical system clocks and times. 10.4 Obtain and review the process for acquiring and distributing the correct time within the organization, as well as the time-related system-parameter settings for a sample of system components. Verify the following is included in the process and implemented: 10.4.a Verify that a known, stable version of NTP or similar technology, kept current is used for time synchronization. 10.4.b Verify that internal servers are not all receiving time signals from external sources 10.4.c Verify that specific external hosts are designated from which the timeservers will accept NTP time updates (to prevent a malicious individual from changing the clock).
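One way to test 10.4.b and 10.4.c across a sample of hosts, as an added example that is not part of the original slides. The host names, addresses, internal range and list of designated timeservers are constructed, and the audit assumes 10.4.c is met with `restrict default ignore` plus one `restrict` line per external source.

```python
import ipaddress

# Assumption: the address space this organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed ntp.conf contents for four hypothetical hosts. 192.0.2.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for external servers.
SAMPLE_CONFIGS = {
    "ntp1": """
        restrict default ignore
        restrict 127.0.0.1
        restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
        server 192.0.2.10 iburst
        restrict 192.0.2.10 nomodify notrap noquery
        server 192.0.2.11 iburst
    """,
    "ntp2": """
        restrict default nomodify notrap   # permissive default
        server 192.0.2.10
        restrict 192.0.2.10 nomodify notrap noquery
    """,
    "app1": """
        server 10.0.0.1
        server 10.0.0.2
    """,
    "db1": """
        server 10.0.0.1
        server 203.0.113.5    # bypasses the internal timeservers
    """,
}
TIMESERVERS = {"ntp1", "ntp2"}  # hosts designated to talk to external sources


def is_internal(source):
    """True if a time source is an address inside INTERNAL_NETS.

    Explicit networks are used instead of ip_address.is_private, which also
    reports the documentation ranges as private. Hostnames cannot be pinned
    to one host, so they are treated as external.
    """
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_ntp_conf(text):
    """Return (time sources, {restrict target: flags}) from ntp.conf text."""
    sources, restricts = [], {}
    for raw in text.splitlines():
        fields = [f for f in raw.split("#", 1)[0].split() if f not in ("-4", "-6")]
        if len(fields) < 2:
            continue
        if fields[0] in ("server", "peer"):
            sources.append(fields[1])
        elif fields[0] == "restrict":
            restricts[fields[1]] = set(fields[2:])
    return sources, restricts


def audit_fleet(configs, timeservers):
    """Return (host, requirement, message) findings for PCI 10.4.b / 10.4.c."""
    findings = []
    for host, text in sorted(configs.items()):
        sources, restricts = parse_ntp_conf(text)
        external = [s for s in sources if not is_internal(s)]
        if host not in timeservers:
            # 10.4.b: only the designated timeservers should reach outside.
            for src in external:
                findings.append((host, "10.4.b",
                                 f"non-timeserver syncs from external source {src}"))
            continue
        # 10.4.c: the timeserver must name the hosts it accepts NTP from.
        if "ignore" not in restricts.get("default", set()):
            findings.append((host, "10.4.c",
                             "default restrict is not 'ignore'"))
        for src in external:
            if src not in restricts:
                findings.append((host, "10.4.c",
                                 f"external source {src} has no restrict line"))
    return findings


if __name__ == "__main__":
    for finding in audit_fleet(SAMPLE_CONFIGS, TIMESERVERS):
        print(*finding, sep=" | ")
```
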
Wrong time adds to conspiracy theories
Quiz: What’s the shortest measurable amount of time? Attosecond, nanosecond, femtosecond, yoctosecond, ohnosecond, picosecond, exasecond, zeptosecond, millisecond, petasecond, zettasecond or yottasecond? An ohnosecond Defined as the amount of time between when you realize that you have left your keys in the car and when the door actually locks. Real answer is yoctosecond which is 10^-24 seconds It takes a quark particle a little more than a yoctosecond to circle the proton of an atomic nucleus
Absolute vs. Relative Time Since the 17th century time has been measured astronomically The event of the sun reaching the highest point in the sky is called the transit of the sun The interval between two consecutive transits of the sun is called a solar day In the 1940s, it was established that the earth’s rotation is not constant The earth is spinning slower: 300 million years ago there were about 400 days per year
Absolute vs. Relative Time Relative or astronomic time is based on the Earth’s rotation. Earth’s rotation is not absolute; leap seconds are added to keep UTC synchronized with the astronomical timescale. 1967 - 13th General Conference on Weights and Measures defined the International System unit of time, the second, in atomic terms rather than in terms of the motion of the Earth. www.bipm.fr/en/convention/cgpm Define second as duration of 9,192,631,770 cycles of microwave light absorbed via transition of cesium-133 atoms in their ground state.
Universal Coordinated Time (UTC) UTC provides operating systems and applications with a common index to synchronize events and prove that events happened when timestamps state they did. Also known as Zulu time It is a 24-hour clock system and at any given moment, UTC is the same no matter where you are located. Suppose the UTC is now 13:00:00 I know the UTC offset for Brussels is +2 Therefore, it is 15:00:00 in Brussels Time Scales - www.ucolick.org/~sla/leapsecs/timescales.html UTC really stands for Coordinated Universal Time, but both terms are used.
Atomic Clocks Atomic clock was invented in 1948 Thousands of worldwide cesium-133 clocks Periodically they are averaged to produce international atomic time (TAI) The Bureau International de l’Heure (BIH) maintains the official clock Accurate to roughly one second every million years
UK National Physical Laboratory atomic clock Based on an ensemble of hydrogen masers and caesium atomic clocks. Contributes to international atomic time and provides reference for time and frequency dissemination and monitoring within the UK. http://www.npl.co.uk/server.php?show=nav.294 Time & Frequency User Club http://resource.npl.co.uk/docs/networks/time/reg_form.pdf
USNO Master Clock Time Service Department has an ensemble of 60 Cesium standards 14 Hydrogen masers Clocks incorporated into International Atomic Time (TAI) Over 11 billion network requests since January 1, 2001 http://tycho.usno.navy.mil/ntp.html www.usno.navy.mil
International Bureau of Weights and Measures - BIPM Creates two essential elements for time measurement - realization of the unit of time and a continuous temporal reference.  Reference used is International Atomic Time (TAI), using data from some 200 atomic clocks in over fifty national laboratories. Long-term stability of TAI is assured by a judicious way of weighting the participating clocks.  Scale unit of TAI is kept as close as possible to the SI second by using data from those national laboratories which maintain the best primary caesium standards.
Network Time Protocol (NTP) RFC 1305 – NTP - Version 3 www.faqs.org/rfcs/rfc1305.html UDP port 123 Accurate to within 10 - 100 milliseconds UDP is an unreliable protocol, but NTP is architected to sustain levels of accuracy and robustness, even when used over numerous gateways and delays. In use over 27 years and remains the longest running, continuously operating Internet application protocol.
Network Time Protocol (NTP) NTP is only the protocol – not an application Implementing NTP requires separate client and server applications Developed at Univ. of Delaware by David Mills 1985 – version 1 – RFC 1059 1989 – version 2 – RFC 1119 1992 – version 3 – RFC 1305 1997 – version 4 - adds some secure authentication features 2008 – current production version is 4.2.4 – August 2008 Download from http://ntp.isc.org/bin/view/Main/SoftwareDownloads#Current_versions_of_NTP_Download
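How a client turns one NTP exchange into a clock offset and a round-trip delay, as an added example that is not part of the original slides. It decodes the 48-byte RFC 1305 header and applies the standard four-timestamp calculation; the reply packet and all timestamps are constructed, and `build_reply` and `usable` are helper names introduced here.

```python
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800

# RFC 1305 header: flags, stratum, poll, precision, root delay, root
# dispersion, reference id, then reference/originate/receive/transmit stamps.
HEADER = struct.Struct("!BBbbiI4sQQQQ")  # 48 bytes


def to_ntp(unix_seconds):
    """Encode Unix seconds as a 64-bit NTP timestamp (32.32 fixed point)."""
    total = unix_seconds + NTP_UNIX_DELTA
    seconds = int(total)
    fraction = int((total - seconds) * 2**32)
    return (seconds << 32) | fraction


def from_ntp(timestamp):
    """Decode a 64-bit NTP timestamp to Unix seconds."""
    return (timestamp >> 32) - NTP_UNIX_DELTA + (timestamp & 0xFFFFFFFF) / 2**32


def build_reply(stratum, leap, t1, t2, t3):
    """Construct a server reply (version 3, mode 4) for the sample exchange."""
    flags = (leap << 6) | (3 << 3) | 4
    return HEADER.pack(flags, stratum, 6, -20, 0, 0, b"GPS\x00",
                       to_ntp(t2 - 10), to_ntp(t1), to_ntp(t2), to_ntp(t3))


def parse_packet(data):
    """Decode the fixed NTP header into a dict of fields."""
    if len(data) < HEADER.size:
        raise ValueError("NTP packet shorter than 48 bytes")
    (flags, stratum, poll, precision, _root_delay, _root_disp,
     ref_id, _ref, orig, recv, xmit) = HEADER.unpack(data[:HEADER.size])
    return {
        "leap": flags >> 6,            # 3 = alarm, clock not synchronized
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,           # 4 = server
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "ref_id": ref_id,
        "originate": from_ntp(orig),   # T1: client transmit, client clock
        "receive": from_ntp(recv),     # T2: server receive, server clock
        "transmit": from_ntp(xmit),    # T3: server transmit, server clock
    }


def offset_and_delay(reply, t4):
    """Return (offset, delay) in seconds; t4 is client receive time."""
    t1, t2, t3 = reply["originate"], reply["receive"], reply["transmit"]
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far the client clock is behind
    delay = (t4 - t1) - (t3 - t2)          # network round trip only
    return offset, delay


def usable(reply):
    """Reject replies from servers that are not themselves synchronized."""
    return (reply["mode"] == 4 and reply["leap"] != 3
            and 1 <= reply["stratum"] <= 15)


# Constructed exchange: client clock 5 s behind the server, 20 ms each way on
# the network, 1 ms of server processing. T1 is 2008-10-27 10:00:00 UTC.
T1 = 1225101600.0
T2 = T1 + 5.0 + 0.020
T3 = T2 + 0.001
T4 = T1 + 0.020 + 0.001 + 0.020
SAMPLE_REPLY = build_reply(stratum=1, leap=0, t1=T1, t2=T2, t3=T3)

if __name__ == "__main__":
    reply = parse_packet(SAMPLE_REPLY)
    offset, delay = offset_and_delay(reply, T4)
    print(f"stratum {reply['stratum']}  offset {offset:+.3f} s  delay {delay:.3f} s")
```

The offset formula assumes the outbound and return paths take equal time, so path asymmetry shows up directly as error in the computed offset.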
NTP Time Sources Dedicated NTP server with access to an external UTC time source Stratum-1 GPS-based hardware device Public server with or without direct access to UTC time Internet-based stratum 1,2 or 3 Local master clock time source on a local network Set by a local network administrator
NTP Design – Step 1 Choose your NTP time source Internal – More control, more management External – Less control, less management  Time source will impact topology, configuration, and management aspect of the entire NTP infrastructure. Possible time sources include: Dedicated internal stratum-1 hardware appliance Public stratum-1 server Public stratum-2 NTP server Local master
NTP Design – Step 1 Public vs. Private time servers If your desired accuracy is in: Microseconds  – Don’t rely on public time servers.  Purchase a stratum-1 primary time server. Milliseconds  - you can likely rely on public time servers Seconds  - you can rely on public time servers. Public time servers are administered on a voluntary basis and there is no guarantee of server availability, accuracy or security. See  www.pool.ntp.org
NTP Design – Step 1 NTP Time Server Feature Comparison
Time Source        Availability   Accuracy   Security   Cost
Dedicated Server   High           High       High       High
Public server      Medium         Medium     Low        Low
Local master       High           Low        High       Low
NTP Design – Step 2 NTP topology at the deployment site Determine the desired level of time accuracy Number of NTP clients Network infrastructure redundancy  Network physical topology and geography How are the sites connected? Round trip delays can impact NTP and negatively affect time accuracy
NTP Design – Step 3 Determine which NTP features to use Basic Security Authentication Access control Redundancy  Redundancy between peers Redundancy configuration on clients
NTP Design – Step 4 Management How much you need to manage your NTP infrastructure is dependent on how important synchronized time is to your organization SNMP Ping Vendor tools Metrics and statistics Averages Clock skew Clock drift
Time synchronization checklist Manually ensure that all firewalls, routers, critical servers, etc. have the correct time. Identify all critical network devices in your organization that require accurate time. Appoint a responsible technical staff member to be the time services liaison and to manage time services. Meet with vendors of time synchronization equipment to determine the solution that best fits your organization and specific needs. Advise management of the security risk of non-synchronized time Get management approval for the purchase of time synchronization equipment Ensure that time synchronization is an enterprise policy
Network time distribution stratum levels Stratum 0 - Reference clock source NPL, NIST, USNO, GPS Stratum 1 - Primary Time Servers Stratum 2 - Secondary Time Servers; generally application servers, NOS servers, routers Stratum 3 - Workstations, servers, Controlled Timed Device (CTD)  Stratum 4- x – Deeper into other workstations, servers, and CTD
Corporate policy on time synchronization  Time synchronization must be made part of the corporate IT systems and security policies Example: “ Time synchronization to an accurate time source is required on all enterprise network devices”. Without a policy, there will be no impetus for staff to achieve the goal of accurate, synchronized time.
GPS as a trusted time source GPS is unique in that it offers a direct, accurate and secure connection from UTC to inside the security of the organization’s network firewall. No WAN or router delays No need to keep NTP port 123 open on the firewall EU and ESA’s Galileo navigation satellite system will be able to provide same services as GPS when it is operational in 2013.
Customized architecture Create a clocking architecture that defines the top-level clocking source and all the components in the downstream topology Architecture must accept time and deliver it to the clients and servers within the organization.  Backup time servers Support peak loads of time services requests
Audit Infrastructure must be able to prove that the time on any monitored system was correctly synchronized at a particular time and date with a specified time source. Often required by industry specific regulations Audit logs must be used within the context of digital forensics.  Follow the rules of evidence
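What such an audit trail buys during an investigation, as an added example that is not part of the original slides. It places events from several hosts on one timeline using each host's recorded clock offset and marks events whose time cannot be proven. The log times reuse the Practical Example slide; host names, audit records and thresholds are constructed.

```python
import bisect
from datetime import datetime, timedelta

# Constructed audit trail per hypothetical host, sorted by time:
# (host clock reading when measured, offset in seconds = reference - host clock)
AUDIT = {
    "web1": [(datetime(2006, 7, 9, 19, 30, 0), -18393.0)],  # 5 h 06 min 33 s fast
    "fw1": [(datetime(2006, 7, 9, 14, 0, 0), 0.012),
            (datetime(2006, 7, 9, 14, 30, 0), 0.015)],
    "db1": [(datetime(2006, 7, 8, 9, 0, 0), 0.020)],         # last check a day old
}

# Constructed log events: (host, timestamp as logged by that host, message)
EVENTS = [
    ("web1", datetime(2006, 7, 9, 19, 49, 12), "first unauthorized login"),
    ("fw1", datetime(2006, 7, 9, 14, 42, 30), "inbound connection allowed"),
    ("db1", datetime(2006, 7, 9, 14, 50, 0), "bulk query"),
]


def normalize(host, logged, audit, tolerance=1.0, max_age=timedelta(hours=1)):
    """Return (best-known time, status) for one logged timestamp.

    verified  - a fresh audit record shows the clock was within tolerance
    corrected - a fresh audit record shows a known offset, which is applied
    unproven  - no audit record recent enough to say what the clock was doing
    """
    records = audit.get(host, [])
    idx = bisect.bisect_right([when for when, _ in records], logged) - 1
    if idx < 0:
        return logged, "unproven"
    measured_at, offset = records[idx]
    if logged - measured_at > max_age:
        return logged, "unproven"
    corrected = logged + timedelta(seconds=offset)
    status = "verified" if abs(offset) <= tolerance else "corrected"
    return corrected, status


def build_timeline(events, audit):
    """Merge events from all hosts, ordered by corrected time."""
    rows = []
    for host, logged, message in events:
        when, status = normalize(host, logged, audit)
        rows.append((when, host, status, message))
    return sorted(rows)


if __name__ == "__main__":
    for when, host, status, message in build_timeline(EVENTS, AUDIT):
        print(f"{when.isoformat(sep=' ')}  {host:5} {status:9} {message}")
```
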
Automated Computer Time Service (ACTS) An ACTS system requires only a computer, a modem and some simple software. When a computer connects to ACTS by telephone, it receives an ASCII time code. The information in the time code is then used to set the computer's clock. http://tf.nist.gov/service/acts.htm
NIST Internet Time Service (ITS) ITS allows you to synchronize computer clocks via the Internet. http://tf.nist.gov/service/its.htm Time information provided by the service is directly traceable to UTC (NIST). Service responds to time requests from any Internet client in several formats including: DAYTIME - RFC 867 – was used by MS-DOS TIME - RFC 868 NTP protocols - RFC 1305
Windows Internal Clock
Spectracom Model 9283 NetClock/GPS Stratum 1 NTP/SNTP Time Server via GPS  Stratum-2 via NTP servers with peering capabilities Oven-stabilized crystal oscillator (OCXO) and Rubidium oscillators maintain time standard if time reference is lost Dial-out modem provides back up to GPS or functions as the primary reference, such as for disaster recovery. www.spectracomcorp.com
Symmetricom SyncServer S250 GPS Network Time Server Stratum 1 Operation via GPS Satellites  Stratum 2 Operation via NTP Servers  Rubidium option Maintains extremely accurate & reliable time to 50ns Accuracy is +/- 10 microseconds with a load of 5000 packets per second www.symmetricom.com
EndRun Technologies Tempus LX GPS Network Time Server Stratum 1 NTP Time Server via GPS  High NTP bandwidth capability with an accuracy of under 10 microseconds Oven-stabilized crystal oscillator (OCXO) and Rubidium oscillators maintain time standard if time reference is lost www.endruntechnologies.com
Products Chronos Technology www.chronos.co.uk   Sematron www.sematron.com/enterprise_timing.html Bytefusion www.bytefusion.com/products/ntm/ntm.htm   TimeCertain www.timecertain.com
RFCs RFC 1305 – NTP - Version 3 www.faqs.org/rfcs/rfc1305.html RFC 3161 - X.509 PKI Time-Stamp Protocol www.faqs.org/rfcs/rfc3161.html RFC 3628 - Policy Requirements for Time-Stamping Authorities www.faqs.org/rfcs/rfc3628.html based on ETSI TS-102-023 version 1.1.1 Jan. 2002 PTPd (Precision Time protocol) http://ptpd.sourceforge.net
Resources Physikalisch-Technische Bundesanstalt (PTB) www.ptb.de/en/org/q/q4/q42/index.htm National Physical Laboratory NPL, UK www.npl.co.uk/server.php?show=nav.348 Royal Observatory www.nmm.ac.uk/places/royal-observatory/time-galleries Federal Office of Metrology (METAS) www.metas.ch/metasweb/Fachbereiche/Zeit_Frequenz Bureau International des Poids et Mesures http://www.bipm.org/static/gpst/
Resources NTP Home Page www.ntp.org David Mills NTP page http://www.eecis.udel.edu/~mills/ntp Computer Network Time Synchronization www.eecis.udel.edu/~mills/exec.html Digital Signatures are Not Enough Jeff Stapleton/Steve Teppler - ISSA Journal January 2006 ISC NTP Public Services Project http://ntp.isc.org
Books Expert Network Time Protocol: An Experience in Time with NTP - Peter Rybaczyk Computer Network Time Synchronization: The Network Time Protocol - David Mills NTP documentation repository http://support.ntp.org/bin/view/Main/DocumentationIndex
Mailing lists Time-nuts Discussion list on the topic of precise time and frequency measurement and related topics https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts NTP 12 mailing lists of various depth and complexity https://lists.ntp.isc.org/mailman/listinfo
Conclusions Need for synchronized time is a crucial  business and technology need. Synchronized time is an integral part of an effective network and security architecture. Information security hardware and software is highly dependent on synchronized time. Ensuring accurate time is relatively inexpensive and offers a significant ROI.
Thank you for attending Any questions? comments? Please remember to fill out your comments form Ben Rothke, CISSP, QSA Senior Security Consultant BT Professional Services – http://bt.ins.com New York, NY USA [email_address]

More Related Content

PDF
Fast radio follow-up of GRBs
PPT
Logical Clocks (Distributed computing)
PPTX
Telecordia NIST/WSTS Workshop: Mobile Backhaul Synchronization
PPT
Chap 5
PDF
Precision clock synchronization_wp
DOCX
Random broadcast based distributed consensus clock synchronization for mobile...
PDF
Symmetricom Telecom Profile_Webinar
PDF
Precision Time Synchronization
Fast radio follow-up of GRBs
Logical Clocks (Distributed computing)
Telecordia NIST/WSTS Workshop: Mobile Backhaul Synchronization
Chap 5
Precision clock synchronization_wp
Random broadcast based distributed consensus clock synchronization for mobile...
Symmetricom Telecom Profile_Webinar
Precision Time Synchronization

Viewers also liked (10)

PPTX
Time and Phase Delivery
PPTX
Seminar
PDF
Synchronization Overview
PDF
Network Time Synchronization
PPTX
timing and synchronization
PDF
Timing synchronization F Ling_v1
PDF
itft-Clock generator
PPT
Synchronization and timing loop presentation -mapyourtech
PPTX
Synchronization Pradeep K Sinha
PPT
Synchronization in distributed systems
Time and Phase Delivery
Seminar
Synchronization Overview
Network Time Synchronization
timing and synchronization
Timing synchronization F Ling_v1
itft-Clock generator
Synchronization and timing loop presentation -mapyourtech
Synchronization Pradeep K Sinha
Synchronization in distributed systems
Ad

Similar to The Time Is Now The Convergence Of Networks, Time Synchronization And Information Security (20)

PPT
Clock Synchronization (Distributed computing)
PDF
Time synchronization solution: NTP
PDF
Network time protocol
PPT
Chapter 10
PDF
Clock.pdf
ODP
CONFidence 2015: Defensive Time-Out or unclear digressions about past present...
PPTX
Introduction to Timekeeping
PPTX
Lesson 05 - Time in Distrributed System.pptx
PDF
Synchronisation
PPTX
Unit iii-Synchronization
PPT
Time-Synchronization-ds14.pptmmmmmmmmmmmmmmmmmmmmmmmmmmm
PDF
Nist Time And Frequency Services Michael A Lombardi
PDF
Synchronization For High Frequency Trading Networks: A How To Guide
PPT
clock synchronization in Distributed System
PPTX
Unit V Synchronization of distributed system.pptx
PDF
Computer Network Time Synchronization The Network Time Protocol 1st Edition D...
PDF
TIME SYNCHRONIZATION IN WIRELESS SENSOR NETWORKS: A SURVEY
PPT
Unit- 4, Time and Global States Clocks, events and process states
PPTX
Time synchronization solutions for financial and trading
PPT
Chapter 6-Synchronozation2.ppt
Clock Synchronization (Distributed computing)
Time synchronization solution: NTP
Network time protocol
Chapter 10
Clock.pdf
CONFidence 2015: Defensive Time-Out or unclear digressions about past present...
Introduction to Timekeeping
Lesson 05 - Time in Distrributed System.pptx
Synchronisation
Unit iii-Synchronization
Time-Synchronization-ds14.pptmmmmmmmmmmmmmmmmmmmmmmmmmmm
Nist Time And Frequency Services Michael A Lombardi
Synchronization For High Frequency Trading Networks: A How To Guide
clock synchronization in Distributed System
Unit V Synchronization of distributed system.pptx
Computer Network Time Synchronization The Network Time Protocol 1st Edition D...
TIME SYNCHRONIZATION IN WIRELESS SENSOR NETWORKS: A SURVEY
Unit- 4, Time and Global States Clocks, events and process states
Time synchronization solutions for financial and trading
Chapter 6-Synchronozation2.ppt
Ad

More from Ben Rothke (20)

PDF
Securing your presence at the perimeter
PPTX
Rothke rsa 2012 building a security operations center (soc)
PPTX
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
PPTX
Rothke rsa 2013 - the five habits of highly secure organizations
PPTX
Rothke rsa 2013 - deployment strategies for effective encryption
PPTX
E5 rothke - deployment strategies for effective encryption
PDF
Locking down server and workstation operating systems
PDF
Mobile security blunders and what you can do about them
PDF
Securing your presence at the perimeter
PDF
Lessons from ligatt from national cyber security nationalcybersecurity com
PDF
Lessons from ligatt
PDF
Interop 2011 las vegas - session se31 - rothke
PDF
Infosecurity Needs Its T.J. Hooper
PDF
Rothke effective data destruction practices
PDF
Rothke computer forensics show 2010
PDF
The Cloud is in the details webinar - Rothke
PDF
Webinar - Getting a handle on wireless security for PCI DSS Compliance
PDF
La nécessité de la dlp aujourd’hui un livre blanc clearswift
PDF
The Need for DLP now - A Clearswift White Paper
PDF
Rothke secure360 building a security operations center (soc)
Securing your presence at the perimeter
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
Locking down server and workstation operating systems
Mobile security blunders and what you can do about them
Securing your presence at the perimeter
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt
Interop 2011 las vegas - session se31 - rothke
Infosecurity Needs Its T.J. Hooper
Rothke effective data destruction practices
Rothke computer forensics show 2010
The Cloud is in the details webinar - Rothke
Webinar - Getting a handle on wireless security for PCI DSS Compliance
La nécessité de la dlp aujourd’hui un livre blanc clearswift
The Need for DLP now - A Clearswift White Paper
Rothke secure360 building a security operations center (soc)

Recently uploaded (20)

PDF
UiPath Agentic Automation session 1: RPA to Agents
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
PPT
Module 1.ppt Iot fundamentals and Architecture
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PPTX
Chapter 5: Probability Theory and Statistics
PPT
What is a Computer? Input Devices /output devices
PDF
A comparative study of natural language inference in Swahili using monolingua...
PPT
Geologic Time for studying geology for geologist
PDF
A proposed approach for plagiarism detection in Myanmar Unicode text
PPTX
Benefits of Physical activity for teenagers.pptx
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PDF
1 - Historical Antecedents, Social Consideration.pdf
PPTX
2018-HIPAA-Renewal-Training for executives
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PDF
Five Habits of High-Impact Board Members
PDF
Developing a website for English-speaking practice to English as a foreign la...
PDF
sbt 2.0: go big (Scala Days 2025 edition)
PDF
Flame analysis and combustion estimation using large language and vision assi...
DOCX
search engine optimization ppt fir known well about this
UiPath Agentic Automation session 1: RPA to Agents
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
Module 1.ppt Iot fundamentals and Architecture
A contest of sentiment analysis: k-nearest neighbor versus neural network
Chapter 5: Probability Theory and Statistics
What is a Computer? Input Devices /output devices
A comparative study of natural language inference in Swahili using monolingua...
Geologic Time for studying geology for geologist
A proposed approach for plagiarism detection in Myanmar Unicode text
Benefits of Physical activity for teenagers.pptx
Final SEM Unit 1 for mit wpu at pune .pptx
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
1 - Historical Antecedents, Social Consideration.pdf
2018-HIPAA-Renewal-Training for executives
NewMind AI Weekly Chronicles – August ’25 Week III
Five Habits of High-Impact Board Members
Developing a website for English-speaking practice to English as a foreign la...
sbt 2.0: go big (Scala Days 2025 edition)
Flame analysis and combustion estimation using large language and vision assi...
search engine optimization ppt fir known well about this

The Time Is Now The Convergence Of Networks, Time Synchronization And Information Security

  • 1. The Time is Now: The Convergence of Networks, Time Synchronization and Information Security Ben Rothke, CISSP CISA | BT Professional Services | 27/10/08 | Session NET-105
  • 2. About me Senior Security Consultant – BT Professional Services Certifications: CISSP, CISM, PCI QSA, SITA IT sector since 1988 / Information security since 1994 Frequent writer and speaker Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)
  • 3. Agenda Session is: An overview of the need for time synchronization Why time synchronization is critical for security software and hardware to run effectively An overview of NTP Session is not: A comprehensive overview of setting up a corporate time synchronization infrastructure How to configure NTP Which time synchronization product to purchase Feel free at any point today to make a correction, share a story, make a comment, etc.
  • 4. Defining Time It is difficult to provide an uncontroversial and clear definition of the nature of time or even what time is. Time can be one of the following: an instance or single occasion for some event a period considered as a resource under your control and sufficient to accomplish something In physics - time is distance divided by velocity Kant defines time as a determinate form in which alone the intuition of inner state is possible and everything which belongs to that inner state is therefore represented in relations of time and space. Song on Dark Side of the Moon - Pink Floyd
  • 5. Doing things on time is universal Nearly every activity requires synchronized time to operate at peak levels: Plane departures Television Sporting events Day trading Job shifts FedEx / DHL / UPS Members of an orchestra Industrial processes Financial markets Point of sale IP telephony Arbitrage Criminal forensics Factories Cooking Medical GPS Traffic signals SWAT Teams EDI Digital forensics Cron jobs / scripts Police / Fire / Emergency Service If we didn't have time, everything would happen all at once. - Hoyt Kesterson
  • 6. Real world examples - Enron Enron CFO and other members of the Enron executive team made it a habit to engage in time-based data manipulation Andrew Fastow and team alter and change financial data to suit whatever it was they wanted the investing public or government authorities to know, or not know. January 2004 - Fastow pleads guilty, sentenced to 10 years Agrees to help prosecutors build a case against former chairman Kenneth Lay and former CEO Jeffrey Skilling
  • 7. More real world examples NextCard Autotote RiteAid Sirena Parmalot Adelphia In all of these cases, effective time synchronization would have provided data integrity assurance of financial reports, grant letters, loan reports, securities transactions, letters of credit and much more.
  • 8. Importance of time synchronization Allows events to occur at the proper time - event synchronization Schedule a process and ensure that it starts or stops on time or runs for a specified period regardless of when it starts or stops Provides proof when events occurred or did not occur - digital forensics Ensure that cooperating processes can interoperate correctly, so that if one process hands a task off to another process, the second process will in fact be ready to accept the handoff
  • 9. Costs / ROI Enterprise-level time servers cost approximately € 2,000 to € 10,000 depending on the level of accuracy required, and if redundancy is needed. Can be installed and running in a few hours Benefits include: reduced downtime prevent operational failure avoid data loss improve security mitigate legal exposure ROI Time services ROI often measured in weeks or months
  • 10. Practical Example Attacker illegally infiltrates your system on Sunday July 9, 2006 between 14:42:39 and 15:21:57 Your system logs show that these events occurred starting at 19:49:12 Attacker has witnesses stating that he was watching the World Cup Final with them from 18:00 – 22:00 Prosecutor won’t take the case as the logs can’t be admitted as evidence “ A snafu such as seriously unsynchronized logs would be regarded by a defense layer as a providential gift ” Ronald Coleman, Esq.
  • 11. Regulatory Time synchronization is being added to numerous regulations and industry standards: 21 CFR Part 11 PCI GLBA Sarbanes-Oxley HIPAA ETSI National Emergency Number Association Public Safety Answering Point Master Clock Standard National Fire Protection Association Standard #1221 - Installation, Maintenance and Use of Emergency Services Communication Systems
  • 12. Regulatory – PCI version 1.2 October 2008 Section 10.4 - Synchronize all critical system clocks and times. 10.4 Obtain and review the process for acquiring and distributing the correct time within the organization, as well as the time-related system-parameter settings for a sample of system components. Verify the following is included in the process and implemented: 10.4.a Verify that a known, stable version of NTP or similar technology, kept current is used for time synchronization. 10.4.b Verify that internal servers are not all receiving time signals from external sources 10.4.c Verify that specific external hosts are designated from which the timeservers will accept NTP time updates (to prevent a malicious individual from changing the clock).
  • 13. Wrong time adds to conspiracy theories
  • 14. Quiz: What’s the shortest measurable amount of time? Attosecond, nanosecond, femtosecond, yoctosecond, ohnosecond, picosecond, exasecond, zeptosecond, millisecond, petasecond, zettasecond or yottasecond? An ohnosecond Defined as the amount of time between when you realize that you have left your keys in the car and when the door actually locks. Real answer is yoctosecond which is 10 -24 seconds It takes a quark particle a little more than a yoctosecond to circle the proton of an atomic nucleus
  • 15. Absolute vs. Relative Time: Since the 17th century, time has been measured astronomically. The event of the sun reaching the highest point in the sky is called the transit of the sun. The interval between two consecutive transits of the sun is called a solar day. In the 1940s, it was established that the earth’s rotation is not constant. The earth is spinning slower; 300 million years ago there were about 400 days per year.
  • 16. Absolute vs. Relative Time: Relative or astronomic time is based on the earth’s rotation. The earth’s rotation is not absolute; leap seconds are added to keep UTC synchronized with the astronomical timescale. 1967 - The 13th General Conference on Weights and Measures defined the International System unit of time, the second, in atomic terms rather than by the motion of the Earth. www.bipm.fr/en/convention/cgpm The second is defined as the duration of 9,192,631,770 cycles of microwave light absorbed via transition of cesium-133 atoms in their ground state.
  • 17. Universal Coordinated Time (UTC): UTC provides operating systems and applications with a common index to synchronize events and prove that events happened when timestamps state they did. Also known as Zulu time. It is a 24-hour clock system, and at any given moment UTC is the same no matter where you are located. Suppose the UTC is now 13:00:00. I know the UTC offset for Brussels is +2. Therefore, it is 15:00:00 in Brussels. Time Scales - www.ucolick.org/~sla/leapsecs/timescales.html UTC really stands for Coordinated Universal Time, but both terms are used.
  • 18. Atomic Clocks: The atomic clock was invented in 1948. There are thousands of cesium-133 clocks worldwide. Periodically they are averaged to produce international atomic time (TAI). The Bureau International de l’Heure (BIH) maintains the official clock. Accurate to roughly one second every million years.
  • 19. UK National Physical Laboratory atomic clock: Based on an ensemble of hydrogen masers and caesium atomic clocks. Contributes to international atomic time and provides reference for time and frequency dissemination and monitoring within the UK. http://www.npl.co.uk/server.php?show=nav.294 Time & Frequency User Club: http://resource.npl.co.uk/docs/networks/time/reg_form.pdf
  • 20. USNO Master Clock: The Time Service Department has an ensemble of 60 cesium standards and 14 hydrogen masers. Clocks are incorporated into International Atomic Time (TAI). Over 11 billion network requests since January 1, 2001. http://tycho.usno.navy.mil/ntp.html www.usno.navy.mil
  • 21. International Bureau of Weights and Measures - BIPM Creates two essential elements for time measurement - realization of the unit of time and a continuous temporal reference. Reference used is International Atomic Time (TAI), using data from some 200 atomic clocks in over fifty national laboratories. Long-term stability of TAI is assured by a judicious way of weighting the participating clocks. Scale unit of TAI is kept as close as possible to the SI second by using data from those national laboratories which maintain the best primary caesium standards.
  • 22. Network Time Protocol (NTP): RFC 1305 – NTP - Version 3, www.faqs.org/rfcs/rfc1305.html. UDP port 123. Accurate to within 10 - 100 milliseconds. UDP is an unreliable protocol, but NTP is architected to sustain levels of accuracy and robustness, even when used over numerous gateways and delays. In use over 27 years and remains the longest running, continuously operating Internet application protocol.
  • 23. Network Time Protocol (NTP): NTP is only the protocol, not an application. Implementing NTP requires separate client and server applications. Developed at Univ. of Delaware by David Mills. 1985 – version 1 – RFC 1059; 1989 – version 2 – RFC 1119; 1992 – version 3 – RFC 1305; 1997 – version 4 - adds some secure authentication features; 2008 – current production version is 4.2.4 – August 2008. Download from http://ntp.isc.org/bin/view/Main/SoftwareDownloads#Current_versions_of_NTP_Download
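How NTP reaches its accuracy over an unreliable, delayed path is easiest to see from the four timestamps a client works with. The following is an added example, not part of the original slides: it decodes the 48-byte RFC 1305 header and computes clock offset and round-trip delay; the sample reply, its timestamps and the `GPS` reference id are constructed.

```python
import struct

NTP_UNIX_DELTA = 2208988800       # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBbbII4sQQQQ"          # 48-byte NTP header, network byte order
BASE = 1225100000.0               # constructed client clock reading (Unix time)


def to_ntp(unix_seconds):
    """Encode a Unix time as a 64-bit NTP fixed-point timestamp."""
    return int(round((unix_seconds + NTP_UNIX_DELTA) * 2**32))


def from_ntp(value):
    return value / 2**32 - NTP_UNIX_DELTA


def parse_reply(packet):
    """Decode the header fields a client needs from a server reply."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    (flags, stratum, _poll, _precision, _rootdelay, _rootdisp, _refid,
     _reference, originate, receive, transmit) = struct.unpack(HEADER, packet[:48])
    return {"leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "t1": from_ntp(originate),
            "t2": from_ntp(receive), "t3": from_ntp(transmit)}


def offset_and_delay(reply, t4):
    """RFC 1305 clock offset and round-trip delay; t4 is the local arrival time."""
    if reply["mode"] != 4 or reply["stratum"] == 0 or reply["leap"] == 3:
        raise ValueError("not a usable server reply")  # wrong mode or unsynchronized
    t1, t2, t3 = reply["t1"], reply["t2"], reply["t3"]
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far the local clock is behind
    delay = (t4 - t1) - (t3 - t2)          # time spent on the network only
    return offset, delay


def build_sample_reply():
    """Constructed stratum-1 reply: client is 5.000 s slow, path is 20 ms out, 30 ms back."""
    flags = (0 << 6) | (3 << 3) | 4        # LI=0, VN=3, mode 4 (server)
    return struct.pack(HEADER, flags, 1, 6, -20, 0, 0, b"GPS\x00",
                       to_ntp(BASE + 5.0),     # reference timestamp
                       to_ntp(BASE),           # T1: client transmit (client clock)
                       to_ntp(BASE + 5.020),   # T2: server receive
                       to_ntp(BASE + 5.021))   # T3: server transmit


SAMPLE_T4 = BASE + 0.051                   # T4: reply arrives (client clock)
```

With this sample the computed offset is 4.995 s against a true 5.000 s: the 10 ms asymmetry between the outbound and return paths shows up as a 5 ms error, which is why the error in the offset is bounded by half the round-trip delay.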
  • 24. NTP Time Sources: Dedicated NTP server with access to an external UTC time source: stratum-1 GPS-based hardware device. Public server with or without direct access to UTC time: Internet-based stratum 1, 2 or 3. Local master clock time source on a local network: set by a local network administrator.
  • 25. NTP Design – Step 1: Choose your NTP time source. Internal – more control, more management. External – less control, less management. The time source will impact the topology, configuration, and management aspects of the entire NTP infrastructure. Possible time sources include: dedicated internal stratum-1 hardware appliance; public stratum-1 server; public stratum-2 NTP server; local master.
  • 26. NTP Design – Step 1: Public vs. private time servers. If your desired accuracy is in: Microseconds - don’t rely on public time servers; purchase a stratum-1 primary time server. Milliseconds - you can likely rely on public time servers. Seconds - you can rely on public time servers. Public time servers are administered on a voluntary basis and there is no guarantee of server availability, accuracy or security. See www.pool.ntp.org
  • 27. NTP Design – Step 1: NTP Time Server Feature Comparison (Time Source: Availability / Accuracy / Security / Cost). Dedicated server: High / High / High / High. Public server: Medium / Medium / Low / Low. Local master: High / Low / High / Low.
  • 28. NTP Design – Step 2: NTP topology at the deployment site. Determine the desired level of time accuracy; number of NTP clients; network infrastructure redundancy; network physical topology and geography. How are the sites connected? Round trip delays can impact NTP and negatively affect time accuracy.
  • 29. NTP Design – Step 3: Determine which NTP features to use. Basic. Security: authentication, access control. Redundancy: redundancy between peers, redundancy configuration on clients.
  • 30. NTP Design – Step 4: Management. How much you need to manage your NTP infrastructure is dependent on how important synchronized time is to your organization. SNMP; ping; vendor tools; metrics and statistics: averages, clock skew, clock drift.
  • 31. Time synchronization checklist: Manually ensure that all firewalls, routers, critical servers, etc. have the correct time. Identify all critical network devices in your organization that require accurate time. Appoint a responsible technical staff member to be the time services liaison and to manage time services. Meet with vendors of time synchronization equipment to determine the solution that best fits your organization and specific needs. Advise management of the security risk of non-synchronized time. Get management approval for the purchase of time synchronization equipment. Ensure that time synchronization is an enterprise policy.
  • 32. Network time distribution stratum levels: Stratum 0 - Reference clock source: NPL, NIST, USNO, GPS. Stratum 1 - Primary Time Servers. Stratum 2 - Secondary Time Servers; generally application servers, NOS servers, routers. Stratum 3 - Workstations, servers, Controlled Timed Device (CTD). Stratum 4-x - Deeper into other workstations, servers, and CTD.
  • 33. Corporate policy on time synchronization: Time synchronization must be made part of the corporate IT systems and security policies. Example: “Time synchronization to an accurate time source is required on all enterprise network devices”. Without a policy, there will be no impetus for staff to achieve the goal of accurate, synchronized time.
  • 34. GPS as a trusted time source: GPS is unique in that it offers a direct, accurate and secure connection from UTC to inside the security of the organization’s network firewall. No WAN or router delays. No need to keep NTP port 123 open on the firewall. The EU and ESA’s Galileo navigation satellite system will be able to provide the same services as GPS when it is operational in 2013.
  • 35. Customized architecture: Create a clocking architecture that defines the top-level clocking source and all the components in the downstream topology. The architecture must accept time and deliver it to the clients and servers within the organization. Backup time servers. Support peak loads of time services requests.
  • 36. Audit: The infrastructure must be able to prove that the time on any monitored system was correctly synchronized at a particular time and date with a specified time source. Often required by industry-specific regulations. Audit logs must be used within the context of digital forensics. Follow the rules of evidence.
  • 37. Automated Computer Time Service (ACTS): An ACTS system requires only a computer, a modem and some simple software. When a computer connects to ACTS by telephone, it receives an ASCII time code. The information in the time code is then used to set the computer's clock. http://tf.nist.gov/service/acts.htm
  • 38. NIST Internet Time Service (ITS): ITS allows you to synchronize computer clocks via the Internet. http://tf.nist.gov/service/its.htm Time information provided by the service is directly traceable to UTC (NIST). The service responds to time requests from any Internet client in several formats including: DAYTIME - RFC 867 – was used by MS-DOS; TIME - RFC 868; NTP protocols - RFC 1305.
  • 40. Spectracom Model 9283 NetClock/GPS: Stratum 1 NTP/SNTP Time Server via GPS. Stratum-2 via NTP servers with peering capabilities. Oven-stabilized crystal oscillator (OCXO) and Rubidium oscillators maintain time standard if time reference is lost. Dial-out modem provides back up to GPS or functions as the primary reference, such as for disaster recovery. www.spectracomcorp.com
  • 41. Symmetricom SyncServer S250 GPS Network Time Server: Stratum 1 operation via GPS satellites. Stratum 2 operation via NTP servers. Rubidium option. Maintains extremely accurate & reliable time to 50ns. Accuracy is +/- 10 microseconds with a load of 5000 packets per second. www.symmetricom.com
  • 42. EndRun Technologies Tempus LX GPS Network Time Server: Stratum 1 NTP Time Server via GPS. High NTP bandwidth capability with an accuracy of under 10 microseconds. Oven-stabilized crystal oscillator (OCXO) and Rubidium oscillators maintain time standard if time reference is lost. www.endruntechnologies.com
  • 43. Products: Chronos Technology, www.chronos.co.uk; Sematron, www.sematron.com/enterprise_timing.html; Bytefusion, www.bytefusion.com/products/ntm/ntm.htm; TimeCertain, www.timecertain.com
  • 44. RFCs: RFC 1305 – NTP - Version 3, www.faqs.org/rfcs/rfc1305.html; RFC 3161 - X.509 PKI Time-Stamp Protocol, www.faqs.org/rfcs/rfc3161.html; RFC 3628 - Policy Requirements for Time-Stamping Authorities, www.faqs.org/rfcs/rfc3628.html, based on ETSI TS-102-023 version 1.1.1 Jan. 2002; PTPd (Precision Time Protocol), http://ptpd.sourceforge.net
  • 45. Resources: Physikalisch-Technische Bundesanstalt (PTB), www.ptb.de/en/org/q/q4/q42/index.htm; National Physical Laboratory NPL, UK, www.npl.co.uk/server.php?show=nav.348; Royal Observatory, www.nmm.ac.uk/places/royal-observatory/time-galleries; Federal Office of Metrology (METAS), www.metas.ch/metasweb/Fachbereiche/Zeit_Frequenz; Bureau International des Poids et Mesures, http://www.bipm.org/static/gpst/
  • 46. Resources: NTP Home Page, www.ntp.org; David Mills NTP page, http://www.eecis.udel.edu/~mills/ntp; Computer Network Time Synchronization, www.eecis.udel.edu/~mills/exec.html; Digital Signatures are Not Enough, Jeff Stapleton/Steve Teppler - ISSA Journal January 2006; ISC NTP Public Services Project, http://ntp.isc.org
  • 47. Books: Expert Network Time Protocol: An Experience in Time with NTP - Peter Rybaczyk; Computer Network Time Synchronization: The Network Time Protocol - David Mills; NTP documentation repository, http://support.ntp.org/bin/view/Main/DocumentationIndex
  • 48. Mailing lists: Time-nuts - discussion list on the topic of precise time and frequency measurement and related topics, https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts; NTP - 12 mailing lists of various depth and complexity, https://lists.ntp.isc.org/mailman/listinfo
  • 49. Conclusions: Synchronized time is a crucial business and technology need. Synchronized time is an integral part of an effective network and security architecture. Information security hardware and software are highly dependent on synchronized time. Ensuring accurate time is relatively inexpensive and offers a significant ROI.
  • 50. Thank you for attending. Any questions? Comments? Please remember to fill out your comments form. Ben Rothke, CISSP, QSA, Senior Security Consultant, BT Professional Services – http://bt.ins.com, New York, NY USA