Does RSA Authentication Manager 8.1 SP1 or 8.2 authenticate NTP messages from NTP servers?
NIST control V0014671 states:
Network devices must authenticate all NTP messages received from NTP servers and peers.
Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source.
Accepted Solutions
No. Technically it can be done but it is not part of the default config
and we do not support making the changes needed.
If you require NTP authentication...
Have some other server you own authenticate NTP to its upstream peer if you need to,
and then have RSA server peer NTP from it.
Has there been any change to this stance by RSA? Support for NTP authentication messages or addition to the roadmap?
I checked the RFEs for NTP authentication...and no official procedures yet at this time.
It remains possible to do by configuring NTP on the SUSE 12.3 OS, however, engineering has not written that procedure up. The safe bet today is: Know what you are doing, and configure NTP on the SUSE 12.3 command line, and have a backout plan if NTP doesn't operate correctly (undo changes), or configure your own 'safe' NTP sources and have RSA AM get updates from them.
The existing RFE for this is
AM-33266 RFE: 8.x, 8.4, Provide the ability to use Authenticated NTP in configuration
You can open a support case and ask that your information and needs get added to this RFE AM-33266.
This way, Product Management sees the added pressure to resolve this internally in the AM code and not have to do it in an unsupported fashion, or set up your own secure NTP environment that AM can sync NTP with.
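
As an added illustration (not part of the thread and not RSA code), the sketch below shows the client-side check the control quoted in the question describes, using the NTP symmetric-key MAC layout: a 4-byte key ID followed by a digest of the shared key plus the 48-byte header. The key ID, key and packet bytes are constructed sample values, and extension fields are assumed absent.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
# Digest length in the MAC -> hash algorithm (MD5 and SHA-1 symmetric keys)
DIGESTS = {16: "md5", 20: "sha1"}


def build_mac(key_id: int, key: bytes, header: bytes, algo: str = "sha1") -> bytes:
    """Return key ID (big-endian uint32) followed by hash(key || header)."""
    return struct.pack("!I", key_id) + hashlib.new(algo, key + header).digest()


def verify_packet(packet: bytes, trusted_keys: dict) -> bool:
    """Accept a packet only if its MAC verifies under a trusted key."""
    if len(packet) <= NTP_HEADER_LEN:
        return False  # no MAC at all: an unauthenticated time message
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    algo = DIGESTS.get(len(mac) - 4)
    if algo is None:
        return False  # MAC length matches no supported digest
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False  # key ID is not in the trusted set
    expected = hashlib.new(algo, key + header).digest()
    return hmac.compare_digest(expected, mac[4:])  # constant-time compare


# Constructed sample data (not captured traffic).
TRUSTED = {7: b"constructed-shared-secret"}
# LI=0, VN=4, Mode=4 (server), stratum 2, poll 6, precision -20, rest zeroed
HEADER = struct.pack("!BBbb", 0x24, 2, 6, -20) + bytes(44)

GENUINE = HEADER + build_mac(7, TRUSTED[7], HEADER)
NO_MAC = HEADER  # a reply with a forged source address carries no MAC
WRONG_KEY = HEADER + build_mac(7, b"some-other-secret", HEADER)
UNKNOWN_ID = HEADER + build_mac(9, TRUSTED[7], HEADER)
# Same MAC, but the transmit timestamp (bytes 40..47) was altered in transit
TAMPERED = GENUINE[:40] + b"\x01" * 8 + GENUINE[48:]

if __name__ == "__main__":
    for name in ("GENUINE", "NO_MAC", "WRONG_KEY", "UNKNOWN_ID", "TAMPERED"):
        print(f"{name:10s} accepted={verify_packet(globals()[name], TRUSTED)}")
```

Only the first packet is accepted; a reply that merely reuses a valid server's IP address fails because it cannot produce a digest under the shared key.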
