The Time Is Now The Convergence Of Networks, Time Synchronization And Information Security

The Time is Now: The Convergence of Networks, Time Synchronization and Information Security Ben Rothke, CISSP CISA | BT Professional Services | 27/10/08 | Session NET-105


The Time is Now: The Convergence of Networks, Time Synchronization and Information Security. Presentation from RSA Europe 2008.


Page 2

About me

• Senior Security Consultant – BT Professional Services
• Certifications: CISSP, CISM, PCI QSA, SITA
• IT sector since 1988 / Information security since 1994
• Frequent writer and speaker
• Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)

Page 3

Agenda

• Session is:
  – An overview of the need for time synchronization
  – Why time synchronization is critical for security software and hardware to run effectively
  – An overview of NTP
• Session is not:
  – A comprehensive overview of setting up a corporate time synchronization infrastructure
  – How to configure NTP
  – Which time synchronization product to purchase
• Feel free at any point today to make a correction, share a story, make a comment, etc.

Page 4

Defining Time

• It is difficult to provide an uncontroversial and clear definition of the nature of time or even what time is.
• Time can be one of the following:
  – an instance or single occasion for some event
  – a period considered as a resource under your control and sufficient to accomplish something
  – In physics - time is distance divided by velocity
  – Kant defines time as a determinate form in which alone the intuition of inner state is possible and everything which belongs to that inner state is therefore represented in relations of time and space.
  – Song on Dark Side of the Moon - Pink Floyd

Page 5

Doing things on time is universal

Nearly every activity requires synchronized time to operate at peak levels:

– Plane departures
– Television
– Sporting events
– Day trading
– Job shifts
– FedEx / DHL / UPS
– Members of an orchestra
– Industrial processes
– Financial markets
– Point of sale
– IP telephony
– Arbitrage
– Criminal forensics
– Factories
– Cooking
– Medical
– GPS
– Traffic signals
– SWAT Teams
– EDI
– Digital forensics
– Cron jobs / scripts
– Police / Fire / Emergency Service

If we didn't have time, everything would happen all at once.

- Hoyt Kesterson

Page 6

Real world examples - Enron

• Enron CFO and other members of the Enron executive team made it a habit to engage in time-based data manipulation
  – Andrew Fastow and team alter and change financial data to suit whatever it was they wanted the investing public or government authorities to know, or not know.
  – January 2004 - Fastow pleads guilty, sentenced to 10 years
  – Agrees to help prosecutors build a case against former chairman Kenneth Lay and former CEO Jeffrey Skilling

Page 7

More real world examples

• NextCard
• Autotote
• RiteAid
• Sirena
• Parmalat
• Adelphia
• In all of these cases, effective time synchronization would have provided data integrity assurance of financial reports, grant letters, loan reports, securities transactions, letters of credit and much more.

Page 8

Importance of time synchronization

• Allows events to occur at the proper time - event synchronization
  – Schedule a process and ensure that it starts or stops on time or runs for a specified period regardless of when it starts or stops
• Provides proof when events occurred or did not occur - digital forensics
  – Ensure that cooperating processes can interoperate correctly, so that if one process hands a task off to another process, the second process will in fact be ready to accept the handoff

Page 9

Costs / ROI

• Enterprise-level time servers cost approximately € 2,000 to € 10,000 depending on the level of accuracy required, and if redundancy is needed.
• Can be installed and running in a few hours
• Benefits include:
  – reduced downtime
  – prevent operational failure
  – avoid data loss
  – improve security
  – mitigate legal exposure
• ROI
  – Time services ROI often measured in weeks or months

Page 10

Practical Example

• Attacker illegally infiltrates your system on Sunday July 9, 2006 between 14:42:39 and 15:21:57

• Your system logs show that these events occurred starting at 19:49:12

• Attacker has witnesses stating that he was watching the World Cup Final with them from 18:00 – 22:00

• Prosecutor won’t take the case as the logs can’t be admitted as evidence

• “A snafu such as seriously unsynchronized logs would be regarded by a defense lawyer as a providential gift” – Ronald Coleman, Esq.
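Added example, not part of the original presentation: when a device with a synchronized clock logged the same sessions, the offset of the unsynchronized host can be measured from matched events and its consistency reported. The times follow the slide; the firewall, the log formats and the addresses are constructed assumptions.

```python
"""Estimate a host's clock offset from events a synchronized device also logged."""
from datetime import datetime, timedelta
from statistics import median

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed, simplified sample logs. The firewall is assumed to be
# NTP-synchronized; the server is not. Sessions are keyed by source ip:port.
FIREWALL_LOG = """\
2006-07-09 14:42:39 ACCEPT 198.51.100.23:40112 -> 10.0.0.8:22
2006-07-09 14:51:07 ACCEPT 198.51.100.23:40377 -> 10.0.0.8:22
2006-07-09 15:03:30 ACCEPT 198.51.100.23:41002 -> 10.0.0.8:22
"""
SERVER_LOG = """\
2006-07-09 19:49:12 svc: connection from 198.51.100.23:40112
2006-07-09 19:57:41 svc: connection from 198.51.100.23:40377
2006-07-09 20:10:02 svc: connection from 198.51.100.23:41002
2006-07-09 20:28:30 svc: session closed for 198.51.100.23:41002
"""


def parse(log, marker):
    """Return [(timestamp, key)] for lines containing marker; key follows it."""
    events = []
    for line in log.splitlines():
        if marker in line:
            when = datetime.strptime(line[:19], FMT)
            key = line.split(marker, 1)[1].split()[0]
            events.append((when, key))
    return events


def estimate_offset(reference_log, host_log):
    """Median and spread, in seconds, of host-minus-reference time."""
    ref = {key: when for when, key in parse(reference_log, "ACCEPT ")}
    deltas = [(when - ref[key]).total_seconds()
              for when, key in parse(host_log, "connection from ")
              if key in ref]
    if len(deltas) < 2:
        raise ValueError("need at least two matched events to judge consistency")
    return median(deltas), max(deltas) - min(deltas)


def rebase(host_log, offset_s):
    """Return the host log lines with timestamps moved onto the reference clock."""
    shift = timedelta(seconds=offset_s)
    return [(datetime.strptime(line[:19], FMT) - shift).strftime(FMT) + line[19:]
            for line in host_log.splitlines()]


if __name__ == "__main__":
    offset, spread = estimate_offset(FIREWALL_LOG, SERVER_LOG)
    print(f"server clock is {offset:+.0f} s off the reference, spread {spread:.0f} s")
    for line in rebase(SERVER_LOG, offset):
        print(line)
```

The spread is the figure to record next to any re-based timeline: it is the uncertainty an examiner has to state for every corrected timestamp.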

Page 11

Regulatory

• Time synchronization is being added to numerous regulations and industry standards:
  – 21 CFR Part 11
  – PCI
  – GLBA
  – Sarbanes-Oxley
  – HIPAA
  – ETSI
  – National Emergency Number Association
  – Public Safety Answering Point Master Clock Standard
  – National Fire Protection Association
  – Standard #1221 - Installation, Maintenance and Use of Emergency Services Communication Systems

Page 12

Regulatory – PCI version 1.2 October 2008

• Section 10.4 - Synchronize all critical system clocks and times.
  – 10.4 Obtain and review the process for acquiring and distributing the correct time within the organization, as well as the time-related system-parameter settings for a sample of system components. Verify the following is included in the process and implemented:
  – 10.4.a Verify that a known, stable version of NTP or similar technology, kept current, is used for time synchronization.
  – 10.4.b Verify that internal servers are not all receiving time signals from external sources
  – 10.4.c Verify that specific external hosts are designated from which the timeservers will accept NTP time updates (to prevent a malicious individual from changing the clock).
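Added example, not part of the original presentation: one way to check 10.4.b and 10.4.c across a sample of hosts by reading the `server`/`peer`/`pool` lines of each collected `ntp.conf`. It reads 10.4.b as "only designated timeservers go to external sources"; the host names, address ranges, approved-source list and file contents are constructed assumptions.

```python
"""Audit collected ntp.conf files against PCI 10.4.b and 10.4.c (constructed data)."""
import ipaddress

# Assumptions for this example, not values from the presentation:
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_SUFFIX = ".corp.example"
DESIGNATED_TIMESERVERS = {"ntp1.corp.example", "ntp2.corp.example"}
APPROVED_EXTERNAL = {"192.0.2.10", "192.0.2.11"}

# Constructed ntp.conf contents, keyed by the host each file was collected from.
SAMPLE_CONFIGS = {
    "ntp1.corp.example": """
        server 192.0.2.10 iburst
        server 192.0.2.11 iburst
        restrict default nomodify notrap nopeer noquery
    """,
    "ntp2.corp.example": """
        server 192.0.2.10
        server 198.51.100.7      # not on the approved list
    """,
    "app01.corp.example": """
        server ntp1.corp.example
        server 10.1.1.6
    """,
    "db01.corp.example": """
        server 203.0.113.50      # bypasses the internal timeservers
    """,
}


def upstream_sources(conf_text):
    """Return the addresses on server/peer/pool lines, ignoring comments."""
    sources = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("server", "peer", "pool"):
            sources.append(fields[1])
    return sources


def is_internal(addr):
    """True for addresses inside INTERNAL_NETS or names under INTERNAL_SUFFIX."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:            # a hostname, not an IP literal
        return addr.lower().endswith(INTERNAL_SUFFIX)
    return any(ip in net for net in INTERNAL_NETS)


def audit(configs):
    """Return sorted (host, check, detail) findings for the whole sample."""
    findings = []
    for host, text in configs.items():
        external = [s for s in upstream_sources(text) if not is_internal(s)]
        for src in external:
            if host not in DESIGNATED_TIMESERVERS:
                # 10.4.b: only the designated timeservers should go outside.
                findings.append((host, "10.4.b", f"non-timeserver syncs to external {src}"))
            elif src not in APPROVED_EXTERNAL:
                # 10.4.c: timeservers accept time only from designated hosts.
                findings.append((host, "10.4.c", f"undesignated external source {src}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, check, detail in audit(SAMPLE_CONFIGS):
        print(f"{check}  {host}: {detail}")
```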

Page 13

Wrong time adds to conspiracy theories

Page 14

Quiz: What’s the shortest measurable amount of time?

• Attosecond, nanosecond, femtosecond, yoctosecond, ohnosecond, picosecond, exasecond, zeptosecond, millisecond, petasecond, zettasecond or yottasecond?
• An ohnosecond
• Defined as the amount of time between when you realize that you have left your keys in the car and when the door actually locks.
• Real answer is yoctosecond which is 10^-24 seconds
• It takes a quark particle a little more than a yoctosecond to circle the proton of an atomic nucleus

Page 15

Absolute vs. Relative Time

• Since the 17th century time has been measured astronomically
  – The event of the sun reaching the highest point in the sky is called the transit of the sun
  – The interval between two consecutive transits of the sun is called a solar day
• In the 1940s, it was established that the earth’s rotation is not constant
  – The earth is spinning slower
  – 300 million years ago there were about 400 days per year

Page 16

Absolute vs. Relative Time

• Relative or astronomic time is based on the Earth’s rotation.
• Earth’s rotation is not absolute; leap seconds are added to keep UTC synchronized with the astronomical timescale.
• 1967 - 13th General Conference on Weights and Measures defined the International System unit of time, the second, in atomic terms rather than in terms of the motion of the Earth.
  – www.bipm.fr/en/convention/cgpm
• Defines the second as the duration of 9,192,631,770 cycles of microwave light absorbed via transition of cesium-133 atoms in their ground state.

Page 17

Universal Coordinated Time (UTC)

• UTC provides operating systems and applications with a common index to synchronize events and prove that events happened when timestamps state they did.
  – Also known as Zulu time
• It is a 24-hour clock system, and at any given moment UTC is the same no matter where you are located.
  – Suppose the UTC is now 13:00:00
  – I know the UTC offset for Brussels is +2
  – Therefore, it is 15:00:00 in Brussels
• Time Scales - www.ucolick.org/~sla/leapsecs/timescales.html
• UTC really stands for Coordinated Universal Time, but both terms are used.

Page 18

Atomic Clocks

• Atomic clock was invented in 1948
  – Thousands of worldwide cesium-133 clocks
  – Periodically they are averaged to produce international atomic time (TAI)
  – The Bureau International de l’Heure (BIH) maintains the official clock
  – Accurate to roughly one second every million years

Page 19

UK National Physical Laboratory atomic clock

• Based on an ensemble of hydrogen masers and caesium atomic clocks.
• Contributes to international atomic time and provides reference for time and frequency dissemination and monitoring within the UK.
  – http://www.npl.co.uk/server.php?show=nav.294
• Time & Frequency User Club
  – http://resource.npl.co.uk/docs/networks/time/reg_form.pdf

Page 20

USNO Master Clock

• Time Service Department has an ensemble of
  – 60 Cesium standards
  – 14 Hydrogen masers
• Clocks incorporated into International Atomic Time (TAI)
  – Over 11 billion network requests since January 1, 2001
  – http://tycho.usno.navy.mil/ntp.html
  – www.usno.navy.mil

Page 21

International Bureau of Weights and Measures - BIPM

• Creates two essential elements for time measurement - realization of the unit of time and a continuous temporal reference.
• Reference used is International Atomic Time (TAI), using data from some 200 atomic clocks in over fifty national laboratories.
• Long-term stability of TAI is assured by a judicious way of weighting the participating clocks.
• Scale unit of TAI is kept as close as possible to the SI second by using data from those national laboratories which maintain the best primary caesium standards.

Page 22

Network Time Protocol (NTP)

• RFC 1305 – NTP - Version 3
  – www.faqs.org/rfcs/rfc1305.html
• UDP port 123
• Accurate to within 10 - 100 milliseconds
• UDP is an unreliable protocol, but NTP is architected to sustain levels of accuracy and robustness, even when used over numerous gateways and delays.
• In use over 27 years and remains the longest running, continuously operating Internet application protocol.

Page 23

Network Time Protocol (NTP)

• NTP is only the protocol – not an application
• Implementing NTP requires separate client and server applications
• Developed at Univ. of Delaware by David Mills
  – 1985 – version 1 – RFC 1059
  – 1989 – version 2 – RFC 1119
  – 1992 – version 3 – RFC 1305
  – 1997 – version 4 - adds some secure authentication features
  – 2008 – current production version is 4.2.4 – August 2008
  – Download from http://ntp.isc.org/bin/view/Main/SoftwareDownloads#Current_versions_of_NTP_Download

Page 24

NTP Time Sources

• Dedicated NTP server with access to an external UTC time source
  – Stratum-1 GPS-based hardware device
• Public server with or without direct access to UTC time
  – Internet-based stratum 1, 2 or 3
• Local master clock time source on a local network
  – Set by a local network administrator

Page 25

NTP Design – Step 1

• Choose your NTP time source
  – Internal – More control, more management
  – External – Less control, less management
• Time source will impact topology, configuration, and management aspect of the entire NTP infrastructure.
• Possible time sources include:
  – Dedicated internal stratum-1 hardware appliance
  – Public stratum-1 server
  – Public stratum-2 NTP server
  – Local master

Page 26

NTP Design – Step 1

• Public vs. Private time servers
• If your desired accuracy is in:
  – Microseconds – Don’t rely on public time servers. Purchase a stratum-1 primary time server.
  – Milliseconds - you can likely rely on public time servers
  – Seconds - you can rely on public time servers.
• Public time servers are administered on a voluntary basis and there is no guarantee of server availability, accuracy or security.
  – See www.pool.ntp.org

Page 27

NTP Design – Step 1

NTP Time Server Feature Comparison

Time Source        Availability   Accuracy   Security   Cost
Dedicated Server   High           High       High       High
Public server      Medium         Medium     Low        Low
Local master       High           Low        High       Low

Page 28

NTP Design – Step 2

• NTP topology at the deployment site
  – Determine the desired level of time accuracy
  – Number of NTP clients
  – Network infrastructure redundancy
  – Network physical topology and geography
    • How are the sites connected?
    • Round trip delays can impact NTP and negatively affect time accuracy
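Added example, not part of the original presentation: the clock offset and round-trip delay a client derives from one NTP exchange (the RFC 1305 on-wire arithmetic), showing how an asymmetric path turns into offset error bounded by half the delay. The packet is constructed in memory so the block runs offline; the function names and all sample values are assumptions.

```python
"""NTP on-wire arithmetic for one client/server exchange (constructed packet)."""
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800               # seconds from 1900-01-01 to 1970-01-01
HEADER = struct.Struct("!BBbbII4sQQQQ")   # 48-byte NTP header, no extensions
BASE = int(datetime(2008, 10, 27, 12, 0, tzinfo=timezone.utc).timestamp()) + NTP_UNIX_DELTA


def ts(offset_s):
    """Constructed 64-bit NTP timestamp (32.32 fixed point): BASE + offset_s."""
    return (BASE << 32) + round(offset_s * 2**32)


def build_reply(t1, t2, t3, stratum=2, leap=0):
    """Pack a mode-4 (server) reply as it would appear on UDP port 123."""
    li_vn_mode = (leap << 6) | (3 << 3) | 4           # LI, version 3, mode 4
    ref_ts = t2 - (64 << 32)                          # clock last set 64 s earlier
    return HEADER.pack(li_vn_mode, stratum, 6, -20, 0, 0,
                       b"\x0a\x01\x01\x05", ref_ts, t1, t2, t3)


def evaluate_reply(packet, sent_t1, t4):
    """Validate a reply and return (offset_s, delay_s); raise ValueError if unusable.

    sent_t1 is the transmit timestamp the client put in its request and
    t4 is the client's clock reading when the reply arrived.
    """
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    (first, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref, t1, t2, t3) = HEADER.unpack(packet[:HEADER.size])
    leap, mode = first >> 6, first & 0x7
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("server reports it is not synchronized")
    if t1 != sent_t1:
        # The originate field must echo our request; otherwise the reply is
        # stale, duplicated or not an answer to anything we sent.
        raise ValueError("originate timestamp does not match our request")
    offset = ((t2 - t1) + (t3 - t4)) / 2 / 2**32      # server minus client
    delay = ((t4 - t1) - (t3 - t2)) / 2**32           # time spent on the wire
    return offset, delay


def demo():
    # Constructed exchange: client clock 2.000 s slow, 30 ms outbound,
    # 1 ms inside the server, 10 ms back (an asymmetric path).
    t1, t2, t3, t4 = ts(8.000), ts(10.030), ts(10.031), ts(8.041)
    return evaluate_reply(build_reply(t1, t2, t3), t1, t4)


if __name__ == "__main__":
    offset, delay = demo()
    print(f"offset {offset:+.3f} s, round-trip delay {delay:.3f} s, "
          f"offset uncertainty +/- {delay / 2:.3f} s")
```

The computed offset is 2.010 s against a true 2.000 s: the 10 ms error is half the difference between the outbound and return legs, which is why long or asymmetric WAN paths reduce accuracy.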

Page 29

NTP Design – Step 3

• Determine which NTP features to use
  – Basic
  – Security
    • Authentication
    • Access control
  – Redundancy
    • Redundancy between peers
    • Redundancy configuration on clients

Page 30

NTP Design – Step 4

• Management
• How much you need to manage your NTP infrastructure is dependent on how important synchronized time is to your organization
  – SNMP
  – Ping
  – Vendor tools
• Metrics and statistics
  – Averages
  – Clock skew
  – Clock drift

Page 31

Time synchronization checklist

1. Manually ensure that all firewalls, routers, critical servers, etc. have the correct time.

2. Identify all critical network devices in your organization that require accurate time.

3. Appoint a responsible technical staff member to be the time services liaison and to manage time services.

4. Meet with vendors of time synchronization equipment to determine the solution that best fits your organization and specific needs.

5. Advise management of the security risk of non-synchronized time

6. Get management approval for the purchase of time synchronization equipment

7. Ensure that time synchronization is an enterprise policy

Page 32

Network time distribution stratum levels

• Stratum 0 - Reference clock source
  – NPL, NIST, USNO, GPS
• Stratum 1 - Primary Time Servers
• Stratum 2 - Secondary Time Servers; generally application servers, NOS servers, routers
• Stratum 3 - Workstations, servers, Controlled Timed Device (CTD)
• Stratum 4-x – Deeper into other workstations, servers, and CTD

Page 33

Corporate policy on time synchronization

• Time synchronization must be made part of the corporate IT systems and security policies
• Example:
  – “Time synchronization to an accurate time source is required on all enterprise network devices”.
• Without a policy, there will be no impetus for staff to achieve the goal of accurate, synchronized time.

Page 34

GPS as a trusted time source

• GPS is unique in that it offers a direct, accurate and secure connection from UTC to inside the security of the organization’s network firewall.
• No WAN or router delays
• No need to keep NTP port 123 open on the firewall
• EU and ESA’s Galileo navigation satellite system will be able to provide same services as GPS when it is operational in 2013.

Page 35

Customized architecture

• Create a clocking architecture that defines the top-level clocking source and all the components in the downstream topology
• Architecture must accept time and deliver it to the clients and servers within the organization.
• Backup time servers
• Support peak loads of time services requests

Page 36

Audit

• Infrastructure must be able to prove that the time on any monitored system was correctly synchronized at a particular time and date with a specified time source.
• Often required by industry specific regulations
• Audit logs must be used within the context of digital forensics.
  – Follow the rules of evidence

Page 37

Automated Computer Time Service (ACTS)

• ACTS requires only a computer, a modem and some simple software.

• When a computer connects to ACTS by telephone, it receives an ASCII time code.

• The information in the time code is then used to set the computer's clock.

• http://tf.nist.gov/service/acts.htm

Page 38

NIST Internet Time Service (ITS)

• ITS allows you to synchronize computer clocks via the Internet.
  – http://tf.nist.gov/service/its.htm
• Time information provided by the service is directly traceable to UTC (NIST).
• Service responds to time requests from any Internet client in several formats including:
  – DAYTIME - RFC 867 – was used by MS-DOS
  – TIME - RFC 868
  – NTP protocols - RFC 1305

Page 39

Windows Internal Clock

Page 40

Spectracom

• Model 9283 NetClock/GPS
  – Stratum 1 NTP/SNTP Time Server via GPS
  – Stratum-2 via NTP servers with peering capabilities
  – Oven-stabilized crystal oscillator (OCXO) and Rubidium oscillators maintain time standard if time reference is lost
  – Dial-out modem provides back up to GPS or functions as the primary reference, such as for disaster recovery.
  – www.spectracomcorp.com

Page 41

Symmetricom

• SyncServer S250 GPS Network Time Server
  – Stratum 1 Operation via GPS Satellites
  – Stratum 2 Operation via NTP Servers
  – Rubidium option
  – Maintains extremely accurate & reliable time to 50ns
  – Accuracy is +/- 10 microseconds with a load of 5000 packets per second
  – www.symmetricom.com

Page 42

EndRun Technologies

• Tempus LX GPS Network Time Server
• Stratum 1 NTP Time Server via GPS
• High NTP bandwidth capability with an accuracy of under 10 microseconds
• Oven-stabilized crystal oscillator (OCXO) and Rubidium oscillators maintain time standard if time reference is lost
• www.endruntechnologies.com

Page 43

Products

• Chronos Technology
  – www.chronos.co.uk
• Sematron
  – www.sematron.com/enterprise_timing.html
• Bytefusion
  – www.bytefusion.com/products/ntm/ntm.htm
• TimeCertain
  – www.timecertain.com

Page 44

RFCs

• RFC 1305 – NTP - Version 3
  – www.faqs.org/rfcs/rfc1305.html
• RFC 3161 - x.509 PKI Time-Stamp Protocol
  – www.faqs.org/rfcs/rfc3161.html
• RFC 3628 - Policy Requirements for Time-Stamping Authorities
  – www.faqs.org/rfcs/rfc3628.html
  – based on ETSI TS-102-023 version 1.1.1 Jan. 2002
• PTPd (Precision Time protocol)
  – http://ptpd.sourceforge.net

Page 45

Resources

• Physikalisch-Technische Bundesanstalt (PTB)

– www.ptb.de/en/org/q/q4/q42/index.htm

• National Physical Laboratory NPL, UK

– www.npl.co.uk/server.php?show=nav.348

• Royal Observatory

– www.nmm.ac.uk/places/royal-observatory/time-galleries

• Federal Office of Metrology (METAS)

– www.metas.ch/metasweb/Fachbereiche/Zeit_Frequenz

• Bureau International des Poids et Mesures

– http://www.bipm.org/static/gpst/

Page 46

Resources

• NTP Home Page
  – www.ntp.org
• David Mills NTP page
  – http://www.eecis.udel.edu/~mills/ntp
• Computer Network Time Synchronization
  – www.eecis.udel.edu/~mills/exec.html
• Digital Signatures are Not Enough
  – Jeff Stapleton/Steve Teppler - ISSA Journal January 2006
• ISC NTP Public Services Project
  – http://ntp.isc.org

Page 47

Books

• Expert Network Time Protocol: An Experience in Time with NTP - Peter Rybaczyk
• Computer Network Time Synchronization: The Network Time Protocol - David Mills
• NTP documentation repository
  – http://support.ntp.org/bin/view/Main/DocumentationIndex

Page 48

Mailing lists

• Time-nuts
  – Discussion list on the topic of precise time and frequency measurement and related topics
  – https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
• NTP
  – 12 mailing lists of various depth and complexity
  – https://lists.ntp.isc.org/mailman/listinfo

Page 49

Conclusions

• Need for synchronized time is a crucial business and technology need.

• Synchronized time is an integral part of an effective network and security architecture.

• Information security hardware and software is highly dependent on synchronized time.

• Ensuring accurate time is relatively inexpensive and offers a significant ROI.

Page 50

Thank you for attending

• Any questions? comments?
• Please remember to fill out your comments form

Ben Rothke, CISSP, QSA
Senior Security Consultant
BT Professional Services – http://bt.ins.com
New York, NY