Everyone uses NTP, that’s for sure. But are you using it with authentication on your own stratum 1 servers? You should since this is the only way to provide security against spoofed NTP packets, refer to Why should I run own NTP Servers?. As always, Palo Alto has implemented this security feature in a really easy way, since it requires just a few clicks on the GUI. (Which again is much better than other solutions, e.g., FortiGate, which requires cumbersome CLI commands.) However, monitoring the NTP servers, whether authentication was successful or not, isn’t implemented in a good way. Here we go:
For this post I am using a PA-220 with PAN-OS 8.1.7. I am querying my Raspberry Pi w/ GPS and my Meinberg M200, both delivering NTP authentication [1, 2]. Funnily enough I can only share this single screenshot which shows everything you need to set up NTP authentication. :) It is at Device -> Setup -> Services:
Note that I am using two out of my three NTP servers, of course with different key IDs, because otherwise it wouldn’t work. (Though you actually can configure both NTP servers with the same key ID while using *different* keys, it won’t work. Hence you MUST use two different key IDs for each of them.)
However, though it was fairly easy to configure I am not completely happy about the monitoring of the NTP daemon. The system logs don’t tell that much: (Above the red line I configured my own NTP servers)
while the CLI command
show ntpat least reveals a status of “synched“, but not clearly whether the authentication took place:
weberjoh@pa> show ntp NTP state: NTP synched to ntp2.weberlab.de NTP server: ntp3.weberlab.de status: available reachable: yes authentication-type: symmetric key NTP server: ntp2.weberlab.de status: synched reachable: yes authentication-type: symmetric key
And I haven’t found any more debug logs. Hm.
Ok, so there is still some room for improvements. Likewise the number of NTP servers to configure, which should be 3 rather than 2 in order to spot a falsified timestamp delivered by one NTP server, which isn’t possible with just 2 servers at all.
Featured image “Waves” by Kacper Gunia is licensed under CC BY-NC 2.0.