It's About Time: Why Your Network Needs an NTP Server
For everything from scheduling backups to comparing security logs after a break-in, network administrators depend on the good time-keeping an NTP server can provide.
Good time keeping is not an obvious priority for network administrators, but the more you think about it the clearer it is that accurate clocks have a crucial role to play on any network. Let the clocks on your networked devices get out of sync and you could end up losing valuable corporate data.
Here are just a few things that rely on hardware clocks which are accurately set and in sync with each other:
- Scheduled data backups
- Successful backups are vital to any organization. Systems that are too far out of sync may fail to back up correctly, or even at all.
- Network accelerators
- These and other devices that use caching and wide area file systems may rely heavily on file time stamps to work out which version of a piece of data is the most current. Bad time syncing could cause these systems to work incorrectly and use the wrong versions of data.
- Network management systems
- When things go wrong, examining system logs is a key part of fault diagnosis. But if the timing in these logs is out of sync it can take much longer than necessary to figure out what went wrong and to get systems up and running again.
- Intrusion analysis
- In the event of a network intrusion, working out how your network was compromised and what data was accessed may only be possible if you have accurately time-stamped router and server logs. Hackers will often delete logs if they can; even when they don't, inaccurate time data makes reconstructing the intrusion far harder, giving the hackers more time to exploit your network.
- Compliance regulations
- Sarbanes-Oxley, HIPAA, GLBA and other regulations do, or may in the future, require accurate time stamping of some categories of transactions and data.
- Trading systems
- Companies in some sectors may make thousands of electronic trades per second. In this sort of environment system clocks need to be very accurate indeed.
Many companies set and synchronize their devices using Network Time Protocol (NTP), with NTP clients or daemons connecting to time servers on the network known as stratum-2 devices. To ensure these stratum-2 time servers are accurate, they are synced over the Internet through port 123 with a stratum-1 device. This public time server is connected directly (i.e. not over a network) to one or more stratum-0 devices: extremely accurate reference clocks.
Unfortunately, there are a number of potential problems with this approach. The most basic one is that the time that a stratum-2 server on a corporate network receives over the Internet from a stratum-1 server is not very precise. That's because the time data has to travel over the Internet, from the time server to the corporate time source, along an unpredictable path and at an unpredictable speed. This means it always carries a varying, and unknown, error factor. Although all the devices on a local area network that update themselves from the same corporate stratum-2 time server may be reasonably well synchronized (to within anything from 1 to about 100 milliseconds), keeping the time synchronized between stratum-2 devices on different local area networks to a reasonable degree of accuracy can be difficult.
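To see where that "unknown error factor" comes from, here is an added example (not from the original article) that works through the standard NTP offset and round-trip delay formulas on constructed timestamps: NTP assumes the outbound and return paths take equal time, so any asymmetry on the Internet path shows up directly as clock error. The 0.5 s client error, the latencies and the server hold time are assumed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NtpExchange:
    """Timestamps of one NTP request/reply, in seconds. t1 and t4 are read
    from the client clock, t2 and t3 from the server clock."""
    t1: float  # client transmits request
    t2: float  # server receives request
    t3: float  # server transmits reply
    t4: float  # client receives reply


def offset_and_delay(x: NtpExchange) -> tuple[float, float]:
    """Clock offset and round-trip delay as NTP defines them (RFC 5905, s.8)."""
    offset = ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2
    delay = (x.t4 - x.t1) - (x.t3 - x.t2)
    return offset, delay


def simulate_exchange(client_behind: float, out_s: float, back_s: float,
                      hold_s: float = 0.001, t0: float = 1000.0) -> NtpExchange:
    """Construct the timestamps a client whose clock lags the server by
    `client_behind` seconds would see, given one-way latencies out_s/back_s
    and a server processing time of hold_s. All values are constructed."""
    t1 = t0 - client_behind           # client clock is behind true time
    t2 = t0 + out_s                   # server clock is taken as true time
    t3 = t2 + hold_s
    t4 = t3 + back_s - client_behind
    return NtpExchange(t1, t2, t3, t4)


def offset_error(client_behind: float, out_s: float, back_s: float) -> float:
    """How far NTP's computed offset is from the true offset. Because the
    formula assumes a symmetric path, the error is (out_s - back_s) / 2."""
    offset, _ = offset_and_delay(simulate_exchange(client_behind, out_s, back_s))
    return offset - client_behind


def best_sample(samples: list[NtpExchange]) -> NtpExchange:
    """Core idea of NTP's clock filter: keep the sample with the smallest
    round-trip delay, since short paths tend to be the least asymmetric."""
    return min(samples, key=lambda x: offset_and_delay(x)[1])


if __name__ == "__main__":
    print(f"LAN, 20 ms each way:       error {offset_error(0.5, 0.02, 0.02) * 1e3:+.1f} ms")
    print(f"Internet, 80 ms out/20 ms back: error {offset_error(0.5, 0.08, 0.02) * 1e3:+.1f} ms")
    polls = [simulate_exchange(0.5, 0.08, 0.02), simulate_exchange(0.5, 0.012, 0.008)]
    print("clock filter keeps delay", offset_and_delay(best_sample(polls))[1])
```

A symmetric path gives the exact offset, while a 60 ms asymmetry leaves a 30 ms error that the client cannot detect from the four timestamps alone.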
Security Risks with NTP Servers
There are also security risks involved in using public stratum-1 NTP servers, most notably:
- NTP clients and daemons are in themselves a potential security risk. Vulnerabilities in this type of software could be (and have in the past been) exploited by hackers sending appropriately crafted packets through the corporate firewall on port 123.
- Organizations that use public NTP servers are susceptible to denial of service attacks by a hacker sending spoofed NTP data, making time syncing impossible during the attack. For companies involved in activities such as financial trading, which requires very precise timing information, this could be very damaging.
One way to both avoid these potential security issues and to get more accurate time data is simply to run one or more stratum-1 servers inside your network, behind your corporate firewall.
Running Your Own Stratum-1 Servers
Stratum-1 time servers are available in a single 1U rack-mountable form factor that can easily be installed in your server room or data center and connected to your network, and most have a way of connecting to a stratum-0 reference clock built in. The most commonly used ways to connect to a stratum-0 device are by terrestrial radio or GPS signals.
Terrestrial radio based connections use radio signals such as WWVB out of Fort Collins, Colorado, MSF from Anthorn, UK, or DCF77 from Frankfurt, Germany. This is similar to the way consumer devices such as watches and alarm clocks update themselves with signals from reference clocks to keep accurate time.
Stratum-1 time servers that sync with GPS satellite signals are more accurate, but are less convenient to install as they need to be connected to an antenna fitted in a suitable position on the roof of the building. Using time data from a number of satellites, and by calculating the distance of each satellite from the antenna, a stratum-1 time server that uses GPS reference clock signals is able to get the precise time to within 50 or so nanoseconds. More importantly, two or more of these servers at separate locations and running on separate local area networks can also remain in sync with each other to a similar degree of accuracy. Companies that supply this type of equipment include Symmetricom, Spectracom, EndRun Technologies and Time Tools.
To provide redundancy, some larger organizations install multiple GPS-based time servers at each location. An alternative is to have a radio-based time server as a backup to a GPS-based one in case the GPS server itself fails or, more likely, the GPS antenna is damaged, perhaps during bad weather. Given that most radio- and GPS-based time servers cost between $1,000 and $5,000, purchasing two or more time servers is not a major investment for a medium or large organization. Smaller companies, including those at isolated sites which are not connected to the Internet, can also use a low-cost stratum-1 GPS PCI card (connected to an appropriate antenna) to enable a standard PC to act as a time server for the local area network, using the satellites as an external time source.
In the concluding piece in this series we'll take a look at how to implement a GPS-based time server in your data center.