Solved

hardening of NTP & DNS servers

Posted on 2014-02-22
1,764 Views
Last Modified: 2014-02-25
Currently we have the following in our Redhat NTP servers.  
server xx.pool.ntp.org
restrict xx.pool.ntp.org nomodify notrap nopeer noquery
server 0.yy.pool.ntp.org
restrict 0.yy.pool.ntp.org nomodify notrap nopeer noquery
server 1.yy.pool.ntp.org
restrict 1.yy.pool.ntp.org nomodify notrap nopeer noquery

Q1:
There is further hardening that could be done, so I would like
to get advice here on which ones in the URL below are more commonly used and
will not cause disruption:
http://www.brennan.id.au/09-Network_Time_Protocol.html

Q2:
We have Cisco routers/devices acting as NTP servers; what are
the hardening commands/settings that people generally apply?

Q3:
We have Windows 2008 R2 and Redhat Linux running as DNS.
What hardening is needed (and how do we verify the hardening
has been implemented) to harden the DNS (not the OS, but the
DNS function)?
Question by:sunhux
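The `restrict` lines in the question cover each upstream server but nothing else, so a host that is not named anywhere gets unrestricted access; the commonly recommended ntpd baseline adds a `restrict default` line (with `kod nomodify notrap nopeer noquery`) plus loopback exceptions so local monitoring keeps working. As an added example (not any poster's, Red Hat's or ntp.org's code), this Python auditor parses an ntp.conf and reports a missing or weak `restrict default`, a restrictive default that would break local `ntpq -p` because the loopback addresses are not exempted, and, with `restrict default ignore`, any server lacking its own restrict line (which would silently drop its replies). The three sample configs are constructed for the example; the `pool.ntp.org` names are placeholders.

```python
"""Audit an ntpd ntp.conf for the `restrict`-based hardening discussed in this
thread. Added example (not any poster's or ntp.org's code); it assumes the
commonly recommended baseline: `restrict default` with kod nomodify notrap
nopeer noquery, loopback exceptions, and, with `restrict default ignore`, an
explicit restrict line for every configured server."""

REQUIRED_DEFAULT = {"kod", "nomodify", "notrap", "nopeer", "noquery"}


def parse_ntp_conf(text):
    """Return (server/peer/pool names, {restrict target: set of flags})."""
    servers, restricts = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        keyword, *args = line.split()
        if keyword in ("server", "peer", "pool") and args:
            servers.append(args[0])
        elif keyword == "restrict" and args:
            if args[0] in ("-4", "-6"):               # address-family selector
                args = args[1:]
            if not args:
                continue
            target, flags, i = args[0], set(), 1
            while i < len(args):
                if args[i] == "mask":                 # `mask a.b.c.d` takes a value
                    i += 2
                    continue
                flags.add(args[i])
                i += 1
            restricts.setdefault(target, set()).update(flags)
    return servers, restricts


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the baseline is met."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    default = restricts.get("default")
    if default is None:
        findings.append("no 'restrict default' line: unlisted hosts get full "
                        "access (mode 6/7 queries such as monlist, run-time "
                        "modification)")
    elif "ignore" not in default:
        missing = REQUIRED_DEFAULT - default
        if missing:
            findings.append("'restrict default' lacks: " + " ".join(sorted(missing)))
    # A default that blocks queries also blocks local `ntpq -p` unless the
    # loopback addresses are exempted: a disruption, not a hardening gain.
    if default is not None and ("noquery" in default or "ignore" in default):
        for loop in ("127.0.0.1", "::1"):
            if loop not in restricts:
                findings.append(f"no 'restrict {loop}' line: local ntpq/ntpdc "
                                "monitoring would be blocked")
    # With `ignore` as the default, replies from a server are dropped unless
    # that server has its own restrict line.
    if default is not None and "ignore" in default:
        for name in servers:
            if name not in restricts:
                findings.append(f"server {name} has no restrict line; its "
                                "replies would be ignored")
    return findings


# Constructed samples (pool.ntp.org names used as placeholders).
QUESTION_STYLE_CONF = """
server 0.pool.ntp.org
restrict 0.pool.ntp.org nomodify notrap nopeer noquery
server 1.pool.ntp.org
restrict 1.pool.ntp.org nomodify notrap nopeer noquery
"""

HARDENED_CONF = """
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.ntp.org
restrict 0.pool.ntp.org nomodify notrap nopeer noquery
server 1.pool.ntp.org
restrict 1.pool.ntp.org nomodify notrap nopeer noquery
driftfile /var/lib/ntp/drift
"""

IGNORE_DEFAULT_CONF = """
restrict default ignore
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.ntp.org
"""

if __name__ == "__main__":
    for label, conf in (("question", QUESTION_STYLE_CONF),
                        ("hardened", HARDENED_CONF),
                        ("ignore-default", IGNORE_DEFAULT_CONF)):
        print(label, audit_ntp_conf(conf) or "OK")
```

Run it against /etc/ntp.conf on each Red Hat server before and after the change; an empty result means the baseline is in place and local `ntpq -p` will still work. `noquery` in the default line is the flag that stops outside hosts from using the mode 6/7 control queries (monlist among them), which is the NTP equivalent of the DNS amplification problem referred to later in this thread.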
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
ID: 39881308
don't allow ntp/dns requests from outside the local area network.
LVL 77

Assisted Solution

by:arnold
arnold earned 170 total points
ID: 39881396
Hardening, as was pointed out by David, deals with services that are generally accessed from outside your network.

Your question suggests only one answer, which is that you need to harden the workstations, as they have to be compromised through a user accessing a compromised site that in turn compromises the workstation, or you have a rogue user with access on the network.

Make sure your systems/routers have the vendor-released updates/security fixes.
NANOG is a good network-related security publication. Cert.org deals with system/OS notifications.

On your DNS, some use forwarders; while letting your systems go and fetch all records uses more bandwidth, it "reduces" the risk should the forwarder that was used be poisoned with invalid/wrong records.
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 100 total points
ID: 39881451
The most effective hardening is least-privilege operation: run as a standard user and only sudo or run as administrator for tasks that require administrator privileges. Over 90% of the Windows attacks are mitigated by running as a standard user.
LVL 62

Accepted Solution

by:btan
btan earned 230 total points
ID: 39881615
For the DNS, you may want to check out the slides, which highlight the security considerations for DNS; you may want to focus on the section on the DNS hardening part covering the local file system, application, and managing access control.

http://www.academia.edu/3065550/DNS_Security_and_Hardening_-_Linux

Also, Cisco shared more information on locking down (I believe you also saw the US CERT DNS amplification advisory in your past EE posting):
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

It also states that others (such as Team Cymru) provide specifics like a Secure BIND Template that operators can use as a guide for hardening their DNS servers. The official list of unallocated Internet addresses is maintained by Team Cymru. Additional information about filtering unused addresses is available at the Bogon Reference Page.


For NTP aspects, the Cisco site shares more as well, which we may want to focus on:
- configure ACLs to restrict access to the NTP services on the providing device.
- configure your NTP servers and clients to use authentication.

http://oreilly.com/catalog/hardcisco/chapter/ch10.html

Excerpt

Make sure all routers use NTP to synchronize their time.

On larger networks requiring more accurate time, use redundant timeservers and synchronize routers to multiple servers to prevent a single point of failure.

Use the ntp master command only when external time synchronization is not possible--i.e., in networks not connected to the Internet.

Make sure all routers have ACLs preventing them from becoming public time synchronization servers. These ACLs should restrict what servers the router synchronizes to and systems the router will synchronize.

Use NTP authentication between clients, servers, and peers to ensure that time is synchronized to approved servers only.

Also, an NTP consideration which can be missed out, as we tend to be too focused on hardening the configuration, is the stratum connection, if applicable. Normally only stratum 2 servers should connect to a stratum 1 server. The loss of precision from inconsistency in the connection due to abuse may indirectly lead servers whose hosted applications require more precision than that of a normal computer network to miss the sync, and can impact the business running. Of course, it is ideal that such applications can also consider receiving their time code via a multitude of trusted sources.
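For the "how to verify" half of Q3 on the Red Hat/BIND side, the three points the Cisco and Team Cymru material above keeps coming back to (do not be an open recursive resolver, restrict zone transfers, do not disclose the server version) can be checked in the configuration itself. The auditor below is an added example, not btan's, ISC's or Team Cymru's code; it assumes a BIND 9 style named.conf with a top-level `options` block, does not examine zone-level statements (which override `options`), and runs on constructed sample configs.

```python
"""Audit a BIND named.conf 'options' block for the DNS hardening points
raised in this thread: recursion limited to local clients, zone transfers
restricted, version string hidden. Added example, not ISC's or any poster's
code; zone-level overrides are out of scope."""
import re


def strip_comments(text):
    """Remove /* */, // and # comments (naive: a '//' inside a quoted
    string such as a URL would also be cut)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)


def block_body(text, name):
    """Body of the first top-level `name { ... };` block, or None."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(text)):     # brace matching from the '{'
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return None


def statement(body, key):
    """Value of `key ...;` in body: a list for address-match lists such as
    `allow-query { any; };`, a string for scalars such as `recursion yes;`
    or `version "none";`, None if the statement is absent. The lookbehind
    keeps `recursion` from matching inside `allow-recursion`."""
    key_re = r"(?<![\w-])" + re.escape(key)
    m = re.search(key_re + r"\s*\{([^}]*)\}\s*;", body)
    if m:
        return [e.strip() for e in m.group(1).split(";") if e.strip()]
    m = re.search(key_re + r"\s+([^;{}]+);", body)
    if m:
        return m.group(1).strip().strip('"')
    return None


def audit_named_conf(text):
    """Return a list of findings; an empty list means the checks pass."""
    opts = block_body(strip_comments(text), "options")
    if opts is None:
        return ["no top-level 'options' block found"]
    findings = []
    recursion = statement(opts, "recursion")          # BIND default is yes
    # Effective recursion ACL: allow-recursion, else allow-query-cache,
    # else allow-query (BIND's own fallback order).
    limit = (statement(opts, "allow-recursion")
             or statement(opts, "allow-query-cache")
             or statement(opts, "allow-query"))
    if recursion != "no" and (limit is None or "any" in limit):
        findings.append("open resolver: recursion enabled and not restricted "
                        "to local clients (amplification / cache-poisoning "
                        "exposure)")
    transfer = statement(opts, "allow-transfer")
    if transfer is None or "any" in transfer:
        findings.append("allow-transfer absent or 'any': full zone data "
                        "readable by anyone")
    if statement(opts, "version") is None:
        findings.append("version not overridden: real BIND version disclosed "
                        "to version.bind CH TXT queries")
    return findings


# Constructed sample configs for the example.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };   // recursive for the whole Internet
};
zone "example.com" IN { type master; file "example.com.zone"; };
"""

HARDENED_NAMED_CONF = """
acl "trusted" { 127.0.0.1; 10.0.0.0/8; };
options {
    directory "/var/named";
    version "none";                 # hide the software version
    recursion yes;
    allow-recursion { trusted; };   # recurse only for internal clients
    allow-query { any; };           # authoritative answers stay public
    allow-transfer { 10.0.0.2; };   # secondary server only
};
"""

if __name__ == "__main__":
    print("weak:", audit_named_conf(WEAK_NAMED_CONF))
    print("hardened:", audit_named_conf(HARDENED_NAMED_CONF) or "OK")
```

Run it against /etc/named.conf after each change, then confirm the behaviour from a host outside the trusted range with `dig`: a query via the server for a name it is not authoritative for should come back REFUSED, an `AXFR` request for one of its zones should be refused, and a `version.bind CH TXT` query should return the override string rather than the real version. The first two checks are also what to verify on the Windows 2008 R2 DNS role, where recursion and zone-transfer restrictions are set in the server and zone properties in DNS Manager.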

Author Comment

by:sunhux
ID: 39884514
Think I've got most of the answers, just 2 more:

Q1:
There is further hardening that could be done, so I would like
to get advice here on which ones in the URL below are more
commonly used and will not cause disruption:
  http://www.brennan.id.au/09-Network_Time_Protocol.html

Is there any hardening on Windows 2008 R2 that acts as AD
/DNS (not Windows hardening, but AD/DNS)? Excuse me if
I did not get your point.
LVL 77

Assisted Solution

by:arnold
arnold earned 170 total points
ID: 39884550
Your hardening concentration seems to have the wrong emphasis, i.e. in a car you are focusing on how to harden the controls on the heater/AC and radio rather than hardening the entry points.
Both NTP and DNS raised in your question are internally used and do not see direct requests from unknown sources. Keeping them up to date will deal with DNS poisoning, where an accessed site redirects the queries to fictitious sites. Similarly with NTP, configure them to use trusted sources, or eliminate any external source: configure one or two internal systems as an NTP server to which the remaining will synchronize.

As to your latest question, pick the one you are comfortable with; unless you choose an untrusted external DNS server to which your DNS will forward its requests, or an untrusted NTP server, you should be fine. (The impact of an untrusted NTP server deals with time shift/drift. Usually the local system will not allow a single large deviation, i.e. a 30 minute shift might be the largest in one step.)