Solved

hardening of NTP & DNS servers

Posted on 2014-02-22
2,063 Views
Last Modified: 2014-02-25
Currently we have the following in our Redhat NTP servers.  
server xx.pool.ntp.org
restrict xx.pool.ntp.org nomodify notrap nopeer noquery
server 0.yy.pool.ntp.org
restrict 0.yy.pool.ntp.org nomodify notrap nopeer noquery
server 1.yy.pool.ntp.org
restrict 1.yy.pool.ntp.org nomodify notrap nopeer noquery

Q1:
There is further hardening that could be done, so I would like
to get advice here on which ones in the URL below are more commonly used &
will not cause disruption:
http://www.brennan.id.au/09-Network_Time_Protocol.html

Q2:
We have Cisco routers/devices acting as NTP server, what are
the hardening commands/settings that generally people apply?

Q3:
We have Windows 2008 R2 & Redhat Linux running as DNS.
What is the hardening needed (& how to verify the hardening
has been implemented) to harden the DNS (not the OS but the
DNS function)?
Question by:sunhux
6 Comments
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 400 total points
ID: 39881308
Don't allow NTP/DNS requests from outside the local area network.
 
LVL 79

Assisted Solution

by:arnold
arnold earned 680 total points
ID: 39881396
Hardening, as was pointed out by David, deals with services that are generally accessed from outside your network.

Your question suggests only one answer, which is that you need to harden the workstations, as they have to be compromised through a user accessing a compromised site that in turn compromises the workstation, or you have a rogue user with access on the network.

Make sure your systems/routers have the vendor released updates/security fixes.
Nanog is a good network related security publication.  Cert.org deals with system/OS notifications.

On your DNS, some use forwarders; while letting your systems go and fetch all records uses more bandwidth, it "reduces" the risk should the forwarder you use be poisoned with invalid/wrong records.
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 400 total points
ID: 39881451
The most effective hardening is least privilege operation. Run as a standard user and only sudo or run as administrator for tasks that require administrator privileges. Over 90% of the Windows attacks are mitigated by running as a standard user.

 
LVL 64

Accepted Solution

by:btan
btan earned 920 total points
ID: 39881615
For the DNS, you may want to check out the slides, which highlight the security considerations for DNS; you may want to focus on the section on the DNS hardening part covering the local file system, application, and managing access control.

http://www.academia.edu/3065550/DNS_Security_and_Hardening_-_Linux

Also, Cisco shared more information on locking down (I believe you have also seen the US CERT DNS amplification advisory in your past EE posting):
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

It also states that others (such as Team Cymru) provide specifics, like a Secure BIND Template, that operators can use as a guide for hardening their DNS servers. The official list of unallocated Internet addresses is maintained by Team Cymru. Additional information about filtering unused addresses is available at the Bogon Reference Page.


For NTP aspects, the Cisco site shares more as well, which we may want to focus on:
- configure ACLs to restrict access to the NTP services on the providing device.
- configure your NTP servers and clients to use authentication.

http://oreilly.com/catalog/hardcisco/chapter/ch10.html

Excerpt

Make sure all routers use NTP to synchronize their time.

On larger networks requiring more accurate time, use redundant timeservers and synchronize routers to multiple servers to prevent a single point of failure.

Use the ntp master command only when external time synchronization is not possible--i.e., in networks not connected to the Internet.

Make sure all routers have ACLs preventing them from becoming public time synchronization servers. These ACLs should restrict what servers the router synchronizes to and systems the router will synchronize.

Use NTP authentication between clients, servers, and peers to ensure that time is synchronized to approved servers only.

Also, an NTP consideration which can be missed out, as we tend to be too focused on hardening the configuration, is the stratum connection, if applicable. Normally only stratum 2 servers should connect to a stratum 1 server. The loss of precision from inconsistency in connection due to abuse may indirectly lead servers whose hosted applications require more precision than that of a normal computer network to miss the sync, which can impact the business. Of course, it is ideal that such applications can also consider receiving their time code via a multitude of trusted sources.
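A way to check the two NTP points from the accepted answer (a default restrict policy and key-based authentication) against an ntp.conf, as an added example that is not part of the thread; the file paths, key ids and internal server names are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: audit an ntp.conf for the two
# hardening points raised above (a restrictive "restrict default" line and
# key-based authentication of upstream servers), run on the poster's
# original pattern and on a hardened version. File paths, key ids and the
# internal server names are constructed for this example.

# audit_ntp_conf FILE -> returns 0 when every check passes, 1 otherwise
audit_ntp_conf() {
    rc=0
    for flag in nomodify notrap nopeer noquery; do
        # Without a "restrict default" carrying these flags any host may
        # query (ntpq/monlist) or reconfigure the daemon; per-server
        # restrict lines, as in the original, do not cover other hosts.
        grep -Eq "^[[:space:]]*restrict[[:space:]]+default([[:space:]]+[^[:space:]]+)*[[:space:]]+$flag([[:space:]]|\$)" "$1" \
            || { echo "MISSING: restrict default ... $flag"; rc=1; }
    done
    grep -Eq '^[[:space:]]*keys[[:space:]]' "$1" || { echo "MISSING: keys <file>"; rc=1; }
    grep -Eq '^[[:space:]]*trustedkey[[:space:]]' "$1" || { echo "MISSING: trustedkey"; rc=1; }
    # Every upstream should carry "key N"; symmetric keys only work with
    # servers you control, so the hardened file syncs from internal ones.
    if grep -E '^[[:space:]]*server[[:space:]]' "$1" | grep -Evq '[[:space:]]key[[:space:]]+[0-9]+'; then
        echo "MISSING: a server line has no 'key N'"; rc=1
    fi
    return $rc
}

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
# The poster's pattern: per-server restrict lines but no default policy.
cat >"$WEAK_CONF" <<'EOF'
server 0.pool.ntp.org
restrict 0.pool.ntp.org nomodify notrap nopeer noquery
EOF
# Hardened: deny everything by default, then open only what is needed.
cat >"$HARD_CONF" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# LAN clients may sync and run "ntpq -p" but not reconfigure the daemon
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap
keys /etc/ntp/keys
trustedkey 1 2
server ntp1.corp.example key 1 iburst
server ntp2.corp.example key 2 iburst
EOF
audit_ntp_conf "$WEAK_CONF" || echo "original: rejected"
audit_ntp_conf "$HARD_CONF" && echo "hardened: passes"
```

Public pool servers cannot be authenticated with symmetric keys, which is why the hardened file follows the thread's advice of syncing internal hosts from one or two internal servers you control.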
 

Author Comment

by:sunhux
ID: 39884514
Think I've got most of the answers, just 2 more:

Q1:
There is further hardening that could be done, so I would like
to get advice here on which ones in the URL below are more
commonly used & will not cause disruption:
  http://www.brennan.id.au/09-Network_Time_Protocol.html

Is there any hardening on Windows 2008 R2 acting as AD
/DNS (not Windows hardening but AD/DNS)? Excuse me if
I did not get your point.
 
LVL 79

Assisted Solution

by:arnold
arnold earned 680 total points
ID: 39884550
Your hardening concentration seems to have the wrong emphasis. I.e., in a car you are focusing on how to harden the controls on the heater/AC and radio rather than hardening the entry points.
Both NTP and DNS, as raised in your question, are internally used and do not see direct requests from unknown sources. Keeping them up to date will deal with DNS poisoning, where an access site redirects the queries to fictitious sites. Similarly with NTP: configure them to use trusted sources, or eliminate any external source and configure one or two internal systems as an NTP server to which the remaining will synchronize.

As to your latest question, pick the one you are comfortable with; unless you choose an untrusted external DNS server to which your DNS will forward its requests, or an untrusted NTP server, you should be fine (the impact of an untrusted NTP deals with time shift/drift; usually the local system will not allow a single large deviation, i.e. a 30 minute shift might be the largest in one step).