Solved

hardening of NTP & DNS servers

Posted on 2014-02-22
Last Modified: 2014-02-25
Currently we have the following in our Redhat NTP servers.  
server xx.pool.ntp.org
restrict xx.pool.ntp.org nomodify notrap nopeer noquery
server 0.yy.pool.ntp.org
restrict 0.yy.pool.ntp.org nomodify notrap nopeer noquery
server 1.yy.pool.ntp.org
restrict 1.yy.pool.ntp.org nomodify notrap nopeer noquery

Q1:
There is further hardening that could be done, so I would like
to get advice here on which ones in the URL below are more commonly used &
will not cause disruption:
http://www.brennan.id.au/09-Network_Time_Protocol.html

Q2:
We have Cisco routers/devices acting as NTP servers; what are
the hardening commands/settings that people generally apply?

Q3:
We have Windows 2008 R2 & Redhat Linux running as DNS.
What hardening is needed (& how do we verify the hardening
has been implemented) to harden the DNS (not the OS but the
DNS function)?
Question by:sunhux
6 Comments
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
ID: 39881308
Don't allow NTP/DNS requests from outside the local area network.
 
LVL 78

Assisted Solution

by:arnold
arnold earned 170 total points
ID: 39881396
Hardening, as was pointed out by David, deals with services that are generally accessed from outside your network.

Your question suggests only one answer, which is that you need to harden the workstations, as they have to be compromised through a user accessing a compromised site that in turn compromises the workstation, or you have a rogue user with access on the network.

Make sure your systems/routers have the vendor released updates/security fixes.
NANOG is a good network-related security publication.  CERT.org deals with system/OS notifications.

On your DNS, some use forwarders; while letting your systems go and fetch all records themselves uses more bandwidth, it "reduces" the risk should the forwarder being used be poisoned with invalid/wrong records.
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
ID: 39881451
The most effective hardening is least-privilege operation. Run as a standard user and only sudo or run as administrator for tasks that require administrator privileges. Over 90% of the Windows attacks are mitigated by running as a standard user.
 
LVL 63

Accepted Solution

by:btan
btan earned 230 total points
ID: 39881615
For the DNS, you may want to check out the slides, which highlight the security considerations for the DNS; you may want to focus on the section on the DNS Hardening part covering the local file system, application, and managing access control.

http://www.academia.edu/3065550/DNS_Security_and_Hardening_-_Linux

Also, Cisco shared more information on locking down (I believe you have also seen the US-CERT DNS amplification advisory in your past EE posting):
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

It also states that others (such as Team Cymru) provide specifics, like a Secure BIND Template, that operators can use as a guide for hardening their DNS servers. The official list of unallocated Internet addresses is maintained by Team Cymru. Additional information about filtering unused addresses is available at the Bogon Reference Page.


For NTP aspects, the Cisco site shares more too, which we may want to focus on:
- configure ACLs to restrict access to the NTP services on the providing device.
- configure your NTP servers and clients to use authentication.

http://oreilly.com/catalog/hardcisco/chapter/ch10.html

Excerpt

Make sure all routers use NTP to synchronize their time.

On larger networks requiring more accurate time, use redundant timeservers and synchronize routers to multiple servers to prevent a single point of failure.

Use the ntp master command only when external time synchronization is not possible, i.e., in networks not connected to the Internet.

Make sure all routers have ACLs preventing them from becoming public time synchronization servers. These ACLs should restrict which servers the router synchronizes to and which systems the router will synchronize.

Use NTP authentication between clients, servers, and peers to ensure that time is synchronized to approved servers only.

Also, an NTP consideration which can be missed out, as we tend to be too focused on hardening the configuration, is the stratum connection, if applicable. Normally only stratum 2 servers should connect to a stratum 1 server. The loss of precision from inconsistency in the connection due to abuse may indirectly lead servers whose hosted applications require more precision than that of a normal computer network to miss the sync, and can impact the business running. Of course, it is ideal that such applications can also consider receiving their time code via a multitude of trusted sources.
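One way to check that the restrict policy from the question and the ACL advice in the excerpt above has actually been applied on the Red Hat side, as an added example that is not part of this thread or of any of the linked guides: a small Python 3 audit of ntp.conf. The checks it applies (a default-deny `restrict default kod nomodify notrap nopeer noquery` line, a matching restrict for every server, and a loopback exception so local ntpq queries keep working) are my assumptions about what a hardened ntp.conf should contain; the sample configs are constructed.

```python
# Added example (not from the thread): audit ntp.conf "restrict" lines for the
# policy the per-server flags above imply. Checks: a "restrict default" line
# with nomodify/notrap/nopeer/noquery, a matching restrict for every server,
# and a loopback exception so local ntpq queries keep working. Python 3 only.

REQUIRED_FLAGS = {"nomodify", "notrap", "nopeer", "noquery"}
LOOPBACK = {"127.0.0.1", "::1"}

def parse_ntp_conf(text):
    """Return (servers, restricts); restricts maps a target to its set of flags."""
    servers, restricts = [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(parts) < 2:
            continue
        if parts[0] in ("server", "peer"):
            servers.append(parts[1])
        elif parts[0] == "restrict":
            tokens = parts[1:]
            if tokens[0] in ("-4", "-6"):  # "restrict -6 default ..." form
                tokens = tokens[1:]
            if tokens:
                restricts.setdefault(tokens[0], set()).update(tokens[1:])
    return servers, restricts

def audit_ntp_conf(text):
    """Return findings as strings; an empty list means the restrict policy looks hardened."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    default = restricts.get("default")
    if default is None:
        findings.append("no 'restrict default' line: unlisted hosts get full access")
    elif REQUIRED_FLAGS - default:
        findings.append("restrict default lacks: " + " ".join(sorted(REQUIRED_FLAGS - default)))
    for host in servers:
        if host not in restricts:
            findings.append(f"server {host} has no matching restrict line")
    if not LOOPBACK & set(restricts):
        findings.append("no loopback restrict line: local ntpq/ntpdc queries would be refused")
    return findings

# Constructed samples: the thread's pattern as posted, then a hardened version.
AS_POSTED = "server 0.yy.pool.ntp.org\nrestrict 0.yy.pool.ntp.org nomodify notrap nopeer noquery\n"
HARDENED = ("restrict default kod nomodify notrap nopeer noquery\n"
            "restrict 127.0.0.1\nrestrict ::1\n" + AS_POSTED)

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, "->", audit_ntp_conf(conf) or "OK")
```

Run it against /etc/ntp.conf by passing the file contents to audit_ntp_conf(); note that the per-server restrict lines alone (the posted pattern) leave every other host unrestricted, which is the first finding it reports.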
 

Author Comment

by:sunhux
ID: 39884514
Think I've got most of the answers, just 2 more:

Q1:
There is further hardening that could be done, so I would like
to get advice here on which ones in the URL below are more
commonly used & will not cause disruption:
  http://www.brennan.id.au/09-Network_Time_Protocol.html

Is there any hardening on Windows 2008 R2 that acts as AD
/DNS (not Windows hardening but AD/DNS)? Excuse me if
I did not get your point.
 
LVL 78

Assisted Solution

by:arnold
arnold earned 170 total points
ID: 39884550
Your hardening concentration seems to have the wrong emphasis.  I.e., in a car you are focusing on how to harden the controls on the heater/AC and radio rather than hardening the entry points.
Both NTP and DNS teased on your question are internally used and do not see direct requests from unknown sources.  Maintaining them up to date will deal with DNS poisoning, where accessed sites redirect the queries to fictitious sites.  Similarly with NTP, configure them to use trusted sources, or eliminate any external source: configure one or two internal systems as an NTP server to which the remaining will synchronize.

As to your latest question, pick the one you are comfortable with; unless you choose an untrusted external DNS server to which your DNS will forward its requests or an untrusted NTP reserved, you should be fine (the impact of an untrusted NTP deals with time shift/drift.  Usually the local system will not allow a single large deviation, i.e., a 30 minute shift might be the largest in one step).
