OPS.1.2.6

OPS.1.2.6 NTP Time Synchronization

Q: OPS.1.2.6.A1 Planning of NTP Use (B)

Details zur Anforderung OPS.1.2.6.A1 Planning of NTP Use (B) finden Sie in der vollstaendigen Beschreibung auf dieser Seite.

Q: OPS.1.2.6.A2 Secure Use of External Time Sources (B)

Details zur Anforderung OPS.1.2.6.A2 Secure Use of External Time Sources (B) finden Sie in der vollstaendigen Beschreibung auf dieser Seite.

Q: OPS.1.2.6.A3 Secure Configuration of NTP Servers (B)

Details zur Anforderung OPS.1.2.6.A3 Secure Configuration of NTP Servers (B) finden Sie in der vollstaendigen Beschreibung auf dieser Seite.

Q: OPS.1.2.6.A4 Disregarding Unsolicited Time Information (B)

Details zur Anforderung OPS.1.2.6.A4 Disregarding Unsolicited Time Information (B) finden Sie in der vollstaendigen Beschreibung auf dieser Seite.

Q: OPS.1.2.6.A5 Use of Client-Server Mode for NTP (S)

Details zur Anforderung OPS.1.2.6.A5 Use of Client-Server Mode for NTP (S) finden Sie in der vollstaendigen Beschreibung auf dieser Seite.

Q: OPS.1.2.6.A6 Monitoring of IT Systems Using NTP (S)

Details zur Anforderung OPS.1.2.6.A6 Monitoring of IT Systems Using NTP (S) finden Sie in der vollstaendigen Beschreibung auf dieser Seite.

Q: OPS.1.2.6.A7 Secure Configuration of NTP Clients (S)

Details zur Anforderung OPS.1.2.6.A7 Secure Configuration of NTP Clients (S) finden Sie in der vollstaendigen Beschreibung auf dieser Seite.

Q: OPS.1.2.6.A8 Use of Secure Protocols for Time Synchronization (S)

Details zur Anforderung OPS.1.2.6.A8 Use of Secure Protocols for Time Synchronization (S) finden Sie in der vollstaendigen Beschreibung auf dieser Seite.

Q: OPS.1.2.6.A9 Availability of a Sufficient Number of Accurate Time Sources (H)

Details zur Anforderung OPS.1.2.6.A9 Availability of a Sufficient Number of Accurate Time Sources (H) finden Sie in der vollstaendigen Beschreibung auf dieser Seite.

Q: OPS.1.2.6.A10 Exclusively Internal NTP Servers (H)

Details zur Anforderung OPS.1.2.6.A10 Exclusively Internal NTP Servers (H) finden Sie in der vollstaendigen Beschreibung auf dieser Seite.

Networked IT systems often require synchronized states. The system time usually serves as a reference. However, the internal clock of IT systems can deviate from the actual time. The Network Time Protocol (NTP) is used to regularly determine a reference time from central time sources via network connections and to adjust the internal clock accordingly.

Description

Introduction

In networks, precise time synchronization makes it possible to assign uniform timestamps to information, e.g. to sort data chronologically, to reconcile data with each other, or to set time limits on access rights. Only in this way can, for example, temporal sequences from log data of different IT systems be correlated with each other. Precise time information is also of importance in the area of cryptographic protocols. Furthermore, in OT networks it is essential to synchronize all time sources precisely.

NTP clients obtain time information from NTP servers. The NTP servers can in turn obtain time information from other NTP servers as NTP clients. This creates a hierarchical time distribution (into so-called “strata”). At the top are NTP servers that obtain their time from precise sources (e.g. an atomic clock, a GPS, or a DCF77 receiver). These NTP servers are referred to as Stratum 1.

The NTP service uses procedures to determine the deviation of the system clock from external time sources even with divergent responses from different time sources. For example, it ignores time information from a time source that suddenly deviates significantly from its own system time.

Control messages allow clients to query status information or to change the behavior of the NTP server even across the network.

NTP messages are usually transmitted unsecured. However, NTP offers the possibility of protecting a message with cryptographic keys so that the message cannot be modified without authorization.

Objective

The objective of this building block is to secure NTP servers and clients so that the IT systems in the information domain can reliably determine the time and adjust their clocks.

Scope and Modeling

The building block OPS.1.2.6 NTP Time Synchronization is to be applied to every IT system in the information domain that uses NTP.

In order to create an IT-Grundschutz model for a specific information domain, the entirety of all building blocks must in principle be considered. As a rule, multiple building blocks are to be applied to the topic or target object.

This building block covers

the planning for the use of the NTP protocol,
the operation of NTP servers, and
the operation of NTP clients.

The following content is also of relevance and is addressed elsewhere:

General requirements for the operation of servers (see SYS.1.1 General Server)
General requirements for the operation of clients (see SYS.2.1 General Client)

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block OPS.1.2.6 NTP Time Synchronization.

Insufficient Planning for the Use of NTP

Insufficient planning can lead to not all IT systems receiving a sufficiently accurate system time.

If it is not properly planned how IT systems can adjust their system time, erroneous time information can arise in applications. In particular, time-critical applications can then exhibit faulty states or fail.

For example, a network can be segmented in such a way that NTP servers and clients can no longer communicate with each other. In addition, insufficient planning of time synchronization can lead, for example, to automated processes being executed at the wrong time.

No or Incorrect Time Information

NTP servers can fail or transmit incorrect time information.

If an IT system can no longer reach its NTP servers because they have failed or are unreachable, it can no longer adjust its system time. This can cause the time of the internal clock to become inaccurate.

If an NTP server transmits incorrect time information to NTP clients, they may adjust their system clock incorrectly. This can cause erroneous time information to be used in applications, for example in log data.

Incorrect time information can also cause certificate-based services or services that use one-time passwords to stop working. As a result, users may no longer be able to log on to IT systems or network services.

Contradictory Time Information

Time information from different sources can contradict each other.

If an IT system uses multiple NTP servers to adjust its system clock, the time information from the different NTP servers can differ. As soon as the time information deviates from each other to an intolerably large degree, the IT system may no longer be able to determine which of the time information is correct. This can cause the system time to be incorrectly adjusted.

Manipulation of NTP Communication

Network packets containing time information can be manipulated.

The NTP protocol is vulnerable to various attacks. In an attack, for example, the time information can be manipulated while it is being transmitted, or NTP requests can be redirected to another server. In this way, the system time of the NTP clients can be manipulated in an attack, for example to use time-limited access rights that have already expired.

Requirements

The following are the specific requirements of building block OPS.1.2.6 NTP Time Synchronization. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

The IT-Grundschutz Compendium additionally defines further roles. They should be staffed insofar as this is reasonable and appropriate.

Responsibilities	Roles
Primarily responsible	IT Operations
Additional responsibilities	None

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

OPS.1.2.6.A1 Planning of NTP Use (B)

IT Operations MUST plan where and how NTP is used. This SHOULD be fully documented. In doing so, it MUST be determined which applications depend on accurate time information. The requirements of the information domain with regard to accurate time for the IT systems MUST be defined and documented.

IT Operations MUST define which NTP servers are to be used by which NTP clients.

It MUST be specified whether NTP servers operate in client-server mode or in broadcast mode.

OPS.1.2.6.A2 Secure Use of External Time Sources (B)

If time information is obtained from an NTP server outside the institution’s network, IT Operations MUST assess whether the NTP server is sufficiently reliable. IT Operations MUST ensure that only NTP servers classified as reliable are used. IT Operations MUST be aware of and observe the terms of use of the NTP server.

OPS.1.2.6.A3 Secure Configuration of NTP Servers (B)

IT Operations MUST configure the NTP server so that clients can only change the NTP server’s settings if this is explicitly intended. Furthermore, it MUST be ensured that only trusted clients can query status information.

If the internal NTP servers of the institution do not themselves use sufficiently accurate time sources, IT Operations MUST configure these NTP servers so that they regularly query accurate time information from external NTP servers.

OPS.1.2.6.A4 Disregarding Unsolicited Time Information (B)

IT Operations MUST configure all NTP clients so that they discard time information that they receive unsolicited from other IT systems.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

OPS.1.2.6.A5 Use of Client-Server Mode for NTP (S)

IT Operations SHOULD configure all IT systems so that they use the NTP service in client-server mode. NTP servers SHOULD only send time information to clients when they actively request it.

OPS.1.2.6.A6 Monitoring of IT Systems Using NTP (S)

IT Operations SHOULD monitor the availability, capacity, and system time of the internal NTP servers.

IT Operations SHOULD configure IT systems that synchronize their time via NTP so that they log the following events:

unexpected restarts of the IT system,
unexpected restarts of the NTP service,
errors in connection with the NTP service, and
unusual time information.

If the NTP server regularly sends time information on its own initiative (broadcast mode), IT Operations SHOULD monitor the NTP clients to check whether they receive unusual time information.

OPS.1.2.6.A7 Secure Configuration of NTP Clients (S)

IT Operations SHOULD specify which time information an IT system should use when it has been restarted. IT Operations SHOULD specify which time information an IT system should use when its NTP service has been restarted.

IT Operations SHOULD specify how NTP clients should react to strongly divergent time information. In particular, it SHOULD be decided whether strongly divergent time information from NTP servers is accepted after a system restart. IT Operations SHOULD define threshold values for strongly divergent time information.

IT Operations SHOULD ensure that NTP clients still receive sufficient time information even when they are requested by an NTP server to send fewer or no requests.

OPS.1.2.6.A8 Use of Secure Protocols for Time Synchronization (S)

IT Operations SHOULD check whether secure protocols for time synchronization can be used (e.g. Network Time Security (NTS)). If this is possible, secure protocols SHOULD be used.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.

OPS.1.2.6.A9 Availability of a Sufficient Number of Accurate Time Sources (H)

If correct system times are of considerable importance, an institution SHOULD have multiple Stratum 1 NTP servers in its network. The IT systems of the information domain with NTP service SHOULD use the Stratum 1 NTP servers directly or indirectly as a time reference. The Stratum 1 servers SHOULD each have different time sources.

OPS.1.2.6.A10 Exclusively Internal NTP Servers (H)

Every IT system in the information domain with NTP service SHOULD obtain time information exclusively from NTP servers within the institution’s network.

OPS.1.2.6.A11 Redundant NTP Servers (H)

IT systems for which the accuracy of the system time is of considerable importance SHOULD obtain time information from at least four independent NTP servers.

OPS.1.2.6.A12 NTP Servers with Authenticated Responses (H)

NTP servers SHOULD authenticate themselves to clients during communication. This SHOULD also apply to the servers from which the NTP server itself obtains time information. The NTP clients SHOULD only accept authenticated NTP data.

Additional Information

Good to Know

No additional information is available for building block OPS.1.2.6 NTP Time Synchronization.