Ensuring system clocks are secure
Rule Title: RiOS must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
STIG ID: RICX-DM-000082
Rule ID: SV-77427r1_rule
Severity: CAT II
Vuln ID: V-62937
Class: Unclass
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions.
Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.
DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Verifying system clocks are secure
Verify that RiOS is configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions.
1. Connect to the Management Console.
2. Choose Administration > System Settings: Date and Time to display the Date and Time page.
3. Under Requested NTP Servers, verify that at least two servers are configured. If no NTP servers are visible, this is a security vulnerability finding.
Configuring system clocks for security
Configure RiOS to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions.
1. Connect to the Management Console.
2. Choose Administration > System Settings: Date/Time to display the Date and Time page.
3. Click Add a New NTP Server to expand the page.
4. Select Use NTP Time Synchronization and click Apply.
5. Configure two NTP servers.
To remove an NTP server, select the check box next to the name and click Remove Selected.
NTP settings
Hostname or IP Address specifies the hostname or IP address for the NTP server. You can connect to an NTP public server pool, for example 0.riverbed.pool.ntp.org. When you add an NTP server pool, the server is selected from a pool of time servers.
Version selects the NTP server version from the drop-down list: 3 or 4.
Enabled/Disabled selects Enabled from the drop-down list to connect to the NTP server.
Key ID specifies the MD5 or SHA1 key identifier to use to authenticate the NTP server. The valid range is from 1 to 65534. The key ID must appear on the trusted keys list.
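The verification steps and NTP settings above can be checked against an inventory transcribed from the Date and Time page. The following is an added example, not Riverbed or DISA code. The NtpServer record, the audit_ntp function and the region label are assumptions made for illustration (RiOS does not store a region, so the operator supplies it), and the sample addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class NtpServer:
    host: str
    version: int
    enabled: bool
    key_id: Optional[int] = None   # None = no authentication key configured
    region: Optional[str] = None   # operator-supplied label, not a RiOS field

def audit_ntp(servers):
    """Return a list of finding strings; an empty list means the check passes."""
    findings = []
    for s in servers:
        if s.version not in (3, 4):
            findings.append(f"{s.host}: NTP version {s.version} is not 3 or 4")
        if s.key_id is not None and not 1 <= s.key_id <= 65534:
            findings.append(f"{s.host}: key ID {s.key_id} outside 1-65534")
    # Only enabled entries are used for synchronization; count distinct hosts.
    active = [s for s in servers if s.enabled]
    hosts = {s.host.lower() for s in active}
    if len(hosts) < 2:
        findings.append(f"only {len(hosts)} enabled NTP server(s); two are required")
        return findings
    # Primary and secondary sources must sit in different geographic regions.
    if any(s.region is None for s in active):
        findings.append("region unknown for an enabled server; separation unverified")
    elif len({s.region for s in active}) < 2:
        findings.append("all enabled servers are in one geographic region")
    return findings

# Constructed sample inventories (documentation addresses, made-up regions).
COMPLIANT = [NtpServer("192.0.2.10", 4, True, 10, "east"),
             NtpServer("198.51.100.20", 4, True, 11, "west")]
SAME_REGION = [NtpServer("192.0.2.10", 4, True, 10, "east"),
               NtpServer("192.0.2.11", 3, True, 70000, "east")]
ONE_ENABLED = [NtpServer("192.0.2.10", 4, True, region="east"),
               NtpServer("198.51.100.20", 4, False, region="west")]

if __name__ == "__main__":
    for name, inv in [("compliant", COMPLIANT), ("same region", SAME_REGION),
                      ("one enabled", ONE_ENABLED)]:
        print(name, "->", audit_ntp(inv) or "no findings")
```

A disabled second entry is reported as a finding because it provides no redundancy if the primary source becomes unreachable.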