Network Device Management Rules : Ensuring the system authenticates NTP servers
  
Ensuring the system authenticates NTP servers
Rule Title: RiOS must authenticate NTP servers before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
STIG ID: RICX-DM-000111
Rule ID: SV-77449r1_rule
Severity: CAT II
Vuln ID: V-62959
Class: Unclass
Without authenticating devices, unidentified or unknown devices might be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.
A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (for example, local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (for example, the Internet).
Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability. For network device management, this has been determined to be network management device addresses, SNMP authentication, and NTP authentication.
Verifying the system authenticates NTP servers
Verify that RiOS is configured to authenticate NTP servers before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based (NTP portion of the requirement).
1. Connect to the Management Console.
2. Choose Administration > System Settings: Date and Time to display the Date and Time page.
3. Under Requested NTP Servers, verify that at least two servers are configured and that each server has a Key ID assigned that appears on the trusted keys list. If no NTP servers are visible, or a configured server has no Key ID, this is a finding.
Configuring the system to authenticate NTP servers
Configure RiOS to authenticate NTP servers before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based (NTP portion of the requirement).
1. Connect to the Management Console.
2. Choose Administration > System Settings: Date and Time to display the Date and Time page.
3. Select the Use NTP Time Synchronization check box.
4. Configure two NTP servers, each with a Key ID.
5. Add a new NTP authentication key (Key ID, Key Type, and Secret) and reference its Key ID from each server entry.
NTP server and key settings
Hostname or IP Address specifies the hostname or IP address of the NTP server. You can also point at a public NTP server pool, for example 0.riverbed.pool.ntp.org; when you add a pool, the server is selected from that pool of time servers. Because the same shared secret must be configured on both the NTP server and RiOS, public pool servers cannot be authenticated with a Key ID; the servers used to satisfy this rule must be ones you administer.
Version specifies the NTP server version from the drop-down list: 3 or 4.
Enabled/Disabled specifies Enabled from the drop-down list to connect to the NTP server.
Key ID specifies the MD5 or SHA1 key identifier used to authenticate the NTP server. The valid range is from 1 to 65534. The key ID must appear on the trusted keys list.
Add adds the server to the Requested NTP Servers list.
NTP authentication key settings
Key ID specifies the key ID. The valid range is from 1 to 65534.
Key Type specifies the authentication key type: MD5 or SHA1.
Secret specifies the shared secret. You must configure the same shared secret for both the NTP server and the NTP client. The MD5 shared secret:
is limited to 16 alphanumeric characters or fewer, or exactly 40 hexadecimal characters.
cannot include spaces or pound signs (#).
cannot be empty.
is case sensitive.
The SHA1 shared secret:
is exactly 40 hexadecimal characters.
cannot include spaces or pound signs (#).
cannot be empty.
is case sensitive.
The secret appears in the key list as its MD5 or SHA1 hash value.
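What the configuration steps and the secret rules above produce on the wire, as an added worked example that is not Riverbed's code: a client request and a server reply are each authenticated with the RFC 5905 symmetric-key MAC (4-byte key ID followed by the MD5 or SHA1 digest of the shared key concatenated with the packet), and the receiver accepts a message only if the key ID is on its trusted keys list and the digest matches. The secret_to_key function applies the MD5 and SHA1 secret rules listed above. The secret "Ntp2Strong0K", key ID 10 and the packet contents are constructed sample data; the example assumes packets without NTP extension fields.

```python
import hashlib
import hmac
import re
import struct

NTP_HEADER_LEN = 48                   # RFC 5905 header; no extension fields assumed
DIGEST_LEN = {"md5": 16, "sha1": 20}  # digest bytes that follow the 4-byte key ID


def secret_to_key(secret: str, key_type: str) -> bytes:
    """Apply the RiOS secret rules above and return the raw key bytes."""
    if key_type not in DIGEST_LEN:
        raise ValueError("key type must be md5 or sha1")
    if not secret:
        raise ValueError("secret cannot be empty")
    if " " in secret or "#" in secret:
        raise ValueError("secret cannot include spaces or pound signs")
    if re.fullmatch(r"[0-9A-Fa-f]{40}", secret):
        return bytes.fromhex(secret)           # exactly 40 hex characters -> 20 key bytes
    if key_type == "md5" and re.fullmatch(r"[0-9A-Za-z]{1,16}", secret):
        return secret.encode("ascii")          # 16 alphanumerics or fewer, case preserved
    raise ValueError("secret does not match the RiOS format rules for " + key_type)


def ntp_packet(mode: int, version: int = 4, transmit_ts: int = 0) -> bytes:
    """Minimal 48-byte NTP header: mode 3 is a client request, mode 4 a server reply."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # stratum, poll, precision, root delay, root dispersion, reference ID all zero
    head = struct.pack("!BBBbIII", li_vn_mode, 0, 0, 0, 0, 0, 0)
    # reference, originate and receive timestamps zero; transmit timestamp as given
    return head + bytes(24) + struct.pack("!Q", transmit_ts)


def append_mac(packet: bytes, key_id: int, key: bytes, key_type: str) -> bytes:
    """RFC 5905 symmetric-key MAC: key ID || digest(key || packet)."""
    if not 1 <= key_id <= 65534:
        raise ValueError("key ID must be in the range 1 to 65534")
    digest = hashlib.new(key_type, key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message: bytes, trusted_keys: dict):
    """Check a received message against the trusted keys list.

    trusted_keys maps key ID -> (key_type, key bytes). Returns (True, key_id)
    on success, otherwise (False, reason)."""
    mac_len = len(message) - NTP_HEADER_LEN
    key_type = {4 + n: t for t, n in DIGEST_LEN.items()}.get(mac_len)
    if key_type is None:
        return False, "no MAC of a supported length"
    body, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    entry = trusted_keys.get(key_id)
    if entry is None or entry[0] != key_type:
        return False, "key ID %d is not on the trusted keys list for %s" % (key_id, key_type)
    expected = hashlib.new(key_type, entry[1] + body).digest()
    if not hmac.compare_digest(expected, mac[4:]):        # constant-time comparison
        return False, "digest mismatch (wrong secret or tampered packet)"
    return True, key_id


def demo():
    """Client and server share key ID 10 with a constructed sample MD5 secret."""
    trusted = {10: ("md5", secret_to_key("Ntp2Strong0K", "md5"))}
    key_type, key = trusted[10]
    # Client -> server: request authenticated with the shared key; server verifies it
    request = append_mac(ntp_packet(3), 10, key, key_type)
    ok_request, _ = verify_mac(request, trusted)
    # Server -> client: reply under the same key; client verifies it (bidirectional)
    reply = append_mac(ntp_packet(4, transmit_ts=1 << 63), 10, key, key_type)
    ok_reply, _ = verify_mac(reply, trusted)
    # A flipped byte in the transmit timestamp is rejected
    tampered = reply[:40] + bytes([reply[40] ^ 0x01]) + reply[41:]
    ok_tampered, _ = verify_mac(tampered, trusted)
    # A key ID that is not on the trusted keys list is rejected even with the right secret
    unknown = append_mac(ntp_packet(4), 11, key, key_type)
    ok_unknown, _ = verify_mac(unknown, trusted)
    return ok_request, ok_reply, ok_tampered, ok_unknown


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

The MAC covers the whole header, so a time value altered in transit fails verification, and a sender without the shared secret cannot produce a valid MAC in either direction; this is the cryptographic, bidirectional check the rule asks for, and it is only as strong as the secret kept on the server and on RiOS. On Python builds running in FIPS mode, hashlib.new("md5") may be refused; use the SHA1 key type there.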