AnsweredAssumed Answered

Does RSA Authentication Manager 8.1 SP1 or 8.2 authenticate NTP messages from NTP servers?

Question asked by Brandon Steams on Oct 19, 2016
Latest reply on Feb 4, 2020 by Edward Davis

Like • Show 0 Likes0
Comment • 3

NIST control V0014671 states:

Network devices must authenticate all NTP messages received from NTP servers and peers.

Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source.

Edward Davis

Oct 19, 2016 12:34 PM

Correct Answer

No. Technically it can be done but it is not part of the default config

and we do not support making the changes needed.

If you require NTP authentication...

Have some other server you own authenticate NTP to it's upstream peer if you need to,

and then have RSA server peer NTP from it.

See the reply in context

No one else had this question

Outcomes

Edward Davis

Oct 19, 2016 12:34 PM

No. Technically it can be done but it is not part of the default config

and we do not support making the changes needed.

If you require NTP authentication...

Have some other server you own authenticate NTP to it's upstream peer if you need to,

and then have RSA server peer NTP from it.

Actions

Brandon Steams @ Edward Davis on Jan 30, 2020 4:59 PM

Has there been any change to this stance by RSA? Support for NTP authentication messages or addition to the roadmap?

Actions

Edward Davis

@ Brandon Steams on Feb 4, 2020 2:15 PM

I checked the RFE's for NTP authentication...and no official procedures yet at this time.

It remains possible to do by configuring NTP on the Suse 12.3 OS, however, engineering has not written that procedure up. The safe bet today is: Know what you are doing, and configure NTP on the Suse 12.3 command line, and have a backout plan if NTP doesn't operate correctly (undo changes) or, configure your own 'safe' NTP sources and have RSA AM get updates from them.

The existing RFE for this is

AM-33266 RFE: 8.x, 8.4, Provide the ability to use Authenticated NTP in configuration

You can open a support case and ask that your information and needs gets added to this RFE AM-33266.

This way, Product Management sees the added pressure to resolve this internally in the AM code and not have to do it in an unsupported fashion, or set up your own secure NTP environment that AM can sync NTP with.

1 person found this helpful

Actions

3 Replies

Edward Davis Oct 19, 2016 12:34 PM
Unmark Correct
Correct Answer
No. Technically it can be done but it is not part of the default config
and we do not support making the changes needed.

If you require NTP authentication...
Have some other server you own authenticate NTP to it's upstream peer if you need to,
and then have RSA server peer NTP from it.
Like • Show 0 Likes0
Actions
- Brandon Steams @ Edward Davis on Jan 30, 2020 4:59 PM
  Mark Correct
  Correct Answer
  Has there been any change to this stance by RSA? Support for NTP authentication messages or addition to the roadmap?
  Like • Show 0 Likes0
  Actions
  - Edward Davis @ Brandon Steams on Feb 4, 2020 2:15 PM
    Mark Correct
    Correct Answer
    I checked the RFE's for NTP authentication...and no official procedures yet at this time.
    
    It remains possible to do by configuring NTP on the Suse 12.3 OS, however, engineering has not written that procedure up. The safe bet today is: Know what you are doing, and configure NTP on the Suse 12.3 command line, and have a backout plan if NTP doesn't operate correctly (undo changes) or, configure your own 'safe' NTP sources and have RSA AM get updates from them.
    
    The existing RFE for this is
    AM-33266 RFE: 8.x, 8.4, Provide the ability to use Authenticated NTP in configuration
    
    You can open a support case and ask that your information and needs gets added to this RFE AM-33266.
    
    This way, Product Management sees the added pressure to resolve this internally in the AM code and not have to do it in an unsupported fashion, or set up your own secure NTP environment that AM can sync NTP with.
    1 person found this helpful
    Like • Show 3 Likes3
    Actions

Does RSA Authentication Manager 8.1 SP1 or 8.2 authenticate NTP messages from NTP servers?

Outcomes

Related Content

Recommended Content