Network Time Protocol (NTP) servers enable computers and devices such as the PIX firewall to synchronize their internal clocks with a centralized time source. NTP is organized as a hierarchy of strata: a master clock server at the top dictates the time, and several NTP servers below it synchronize with the master. These lower-stratum servers spread the load of the hundreds or thousands of NTP clients that may be looking to synchronize their clocks. The PIX firewall can act as an NTP client, letting NTP set its clock instead of you configuring it manually with the clock command. Figure 7.1 displays a simple NTP hierarchy.
Figure 7.1. An NTP hierarchy.
Configuring NTP Clients on the PIX
Configuring the PIX firewall as an NTP client takes one basic command, ntp server, which designates the NTP server itself. If the time source must be authenticated, a second set of commands is required to configure authentication keys.
The ntp server Command
The ntp server command enables you to designate the NTP server; its syntax is as follows:
pixfirewall(config)# [no] ntp server <ip_address> [key <number>] source <if_name> [prefer]
Table 7.4. ntp server Command Options
Listing 7.2 configures the PIX to use three possible time servers and to give preference to the last time server for synchronizing time.
Listing 7.2 NTP Server Configuration Example
pixfirewall(config)# ntp server 192.168.1.100 source inside
pixfirewall(config)# ntp server 192.168.1.101 source inside
pixfirewall(config)# ntp server 192.168.1.102 source inside prefer
pixfirewall(config)#
pixfirewall(config)# show ntp
ntp server 192.168.1.100 source inside
ntp server 192.168.1.101 source inside
ntp server 192.168.1.102 source inside prefer
pixfirewall(config)#
pixfirewall(config)# show clock detail
14:17:31.014 UTC Sun Aug 31 2003
Time source is NTP
pixfirewall(config)#
In Listing 7.2, the show ntp command displays the configured NTP servers, and the show clock detail command shows that the time source is NTP rather than a user-configured clock.
NTP Authentication Commands
In secure environments, the NTP traffic between the NTP server and the PIX can be authenticated: each NTP packet carries a key ID and an MD5 digest computed over a shared secret key and the time information, so the PIX accepts only time updates that come from a server holding that key and that were not altered in transit. To do so, the following commands are required:
The ntp authenticate Command
The ntp authenticate command enables authentication for NTP communications. When this command is used, the PIX accepts NTP information only from packets that carry a valid digest for one of its trusted keys; unauthenticated packets from the NTP server are ignored.
The ntp trusted-key Command
The ntp trusted-key command declares a key number as trusted; that number must match the key option of the ntp server command. The NTP server must send this same key ID in every packet for the PIX to accept the NTP information.
The ntp authentication-key Command
The ntp authentication-key command enables you to define the MD5 key string shared with an NTP server. The number option ties the key string to the ntp trusted-key command with the same number. In Listing 7.3, the NTP server is using 123 as its key ID and timebandits as the shared key string. Listing 7.3 displays the commands used to create an authenticated connection.
Listing 7.3 Example of Configuring Secure NTP
pixfirewall(config)# ntp server 192.168.1.100 key 123 source inside
pixfirewall(config)# ntp authenticate
pixfirewall(config)# ntp trusted-key 123
pixfirewall(config)# ntp authentication-key 123 md5 timebandits
pixfirewall(config)#
MD5 is used to produce a keyed digest over the NTP information, which lets the PIX verify that the time data came from a server holding the shared key and was not modified on the way. Note that this authenticates and integrity-protects the time data; it does not encrypt it. The key string must therefore be kept secret and distributed to the server securely, because anyone who holds it can forge time updates that the PIX will accept.
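As an added example that is not part of the original page or of Cisco's code, the following Python reconstructs what the key 123 and timebandits configuration actually puts on the wire: a 48-byte NTP header followed by a 4-byte key ID and a 16-byte MD5 digest of the shared key concatenated with the header (the symmetric-key scheme of RFC 1305/5905). It then shows a PIX-style verifier rejecting an untrusted key ID, an unauthenticated packet, and a packet whose transmit timestamp was altered after signing. The key table, timestamps and header field values are constructed for illustration, and the assumption that the key string is used as raw ASCII bytes is the behaviour of ntpd; the page does not say how the PIX encodes the key.

```python
import hashlib
import hmac
import struct

# Constructed to mirror Listing 7.3: key ID 123 with the key string "timebandits".
# Assumption: the key string is used as raw ASCII bytes (as ntpd does for
# "M"-type keys); the page does not state how the PIX encodes it.
KEYS = {123: b"timebandits"}

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                 # fixed NTP header
MAC_LEN = 4 + 16                # key ID + MD5 digest


def ntp_timestamp(unix_seconds):
    """Pack a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", whole & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_server_reply(stratum, ref_id, transmit_unix):
    """Build a minimal NTPv3 server (mode 4) header; all four timestamps
    are set to the transmit time, which is enough for a MAC demonstration."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4          # LI=0, version 3, mode 4
    poll, precision = 6, -6                       # 64 s poll, 2**-6 precision
    root_delay = root_dispersion = 0
    fixed = struct.pack("!BBBbII4s", li_vn_mode, stratum, poll, precision,
                        root_delay, root_dispersion, ref_id)
    ts = ntp_timestamp(transmit_unix)
    return fixed + ts + ts + ts + ts              # ref, originate, receive, transmit


def authenticate(header, key_id):
    """Append the MAC the server sends: key ID followed by MD5(key || header)."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, trusted_keys):
    """Decide as a PIX with 'ntp authenticate' and the given 'ntp trusted-key'
    set would; returns (accepted, reason)."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "no MAC present; rejected because authentication is on"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys:
        return False, "key id %d is not a trusted key" % key_id
    if key_id not in KEYS:
        return False, "no authentication-key configured for id %d" % key_id
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch (wrong key or altered header)"
    return True, "ok"


def tamper_transmit_timestamp(packet, delta_seconds):
    """Shift the transmit timestamp (bytes 40-47) without touching the MAC,
    as an on-path attacker trying to move the client's clock would."""
    secs = struct.unpack("!I", packet[40:44])[0]
    moved = struct.pack("!I", (secs + delta_seconds) & 0xFFFFFFFF)
    return packet[:40] + moved + packet[44:]


def demo():
    """Run the four cases a practitioner cares about; returns accept/reject per case."""
    header = build_server_reply(4, b"\x00\x00\x00\x00", 1062339451.0)  # constructed time
    good = authenticate(header, 123)
    return {
        "valid": verify(good, {123})[0],
        "untrusted_key": verify(good, {124})[0],
        "tampered": verify(tamper_transmit_timestamp(good, 3600), {123})[0],
        "unauthenticated": verify(header, {123})[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-16s %s" % (case, "accepted" if accepted else "rejected"))
```

Only the "valid" case is accepted; the untrusted key ID corresponds to a PIX whose ntp trusted-key list does not include 123, and the tampered case shows why the digest covers the whole header rather than just the key.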
Displaying NTP Information
Now that the PIX firewall is configured for NTP, the following three commands will enable you to verify its operational status:
The show ntp Command
The show ntp command displays the current NTP configurations. The following example displays the NTP configuration created in Listing 7.3:
pixfirewall(config)# show ntp
ntp authentication-key 123 md5 ********
ntp authenticate
ntp trusted-key 123
ntp server 192.168.1.100 key 123 source inside
pixfirewall(config)#
The show ntp status Command
The show ntp status command displays the current clock status, like so:
pixfirewall(config)# show ntp status
Clock is synchronized, stratum 5, reference is 192.168.1.100
nominal freq is 99.9967 Hz, actual freq is 99.9967 Hz, precision is 2**6
reference time is a13124b9.46c2936b (06:28:16.000 UTC Thu Feb 7 2036)
clock offset is 0.3213 msec, root delay is 52.32 msec
root dispersion is 32.1 msec, peer dispersion is 4.4 msec
pixfirewall(config)#
The previous status shows that the clock is synchronized, that the reference NTP server is 192.168.1.100, and that the PIX is at stratum 5 (one stratum below the server it references). The offset and delay figures indicate how far the PIX clock is from the server and how long the round trip takes.
The show ntp associations Command
The show ntp associations command displays information about the servers you have configured. Here is an example of the command:
pixfirewall(config)# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.1.100       0.0.0.0        5    30    64   377    5.0   -3.00     4.2
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
Notice the legend displayed below the table. The asterisk (*) marks the master (synced) peer, the server the PIX is currently synchronized to, and the tilde (~) marks a server that was statically configured with the ntp server command. The reach column is an octal shift register of the last eight polls, so 377 means all eight polls were answered.
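As an added example that is not part of the original page or of Cisco's code, the following Python parses show ntp associations output into the checks an operator would actually run: which peer is the synced master, how many of the last eight polls each peer answered (decoding the octal reach register), and whether any peer is unreachable (stratum 16) or drifting. The first peer line is the page's; the other two lines, the column alignment and the offset threshold are constructed for illustration.

```python
import re

# Constructed sample in the format of the PIX 'show ntp associations' output.
# Line 1 is the page's peer; lines 2 and 3 are made up to show a peer that
# missed polls and a peer that is unreachable (stratum 16, reach 0).
SAMPLE_OUTPUT = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.1.100       0.0.0.0        5    30    64   377    5.0   -3.00     4.2
 ~192.168.1.101       0.0.0.0        5    45    64   017   12.0    8.50    10.1
 ~192.168.1.102       0.0.0.0       16     -    64     0    0.0    0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Selection flag, optional '~' (configured), then the numeric columns.
PEER_RE = re.compile(
    r"^(?P<sel>[*#+-]?)(?P<cfg>~?)(?P<addr>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<ref>\S+)\s+(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+"
    r"(?P<reach>[0-7]+)\s+(?P<delay>[-\d.]+)\s+(?P<offset>[-\d.]+)\s+(?P<disp>[\d.]+)"
)

SEL_MEANING = {
    "*": "master (synced)",
    "#": "master (unsynced)",
    "+": "selected",
    "-": "candidate",
    "": "not selected",
}


def parse_associations(text):
    """Return one dict per peer line; header and legend lines are skipped."""
    peers = []
    for raw in text.splitlines():
        m = PEER_RE.match(raw.strip())
        if not m:
            continue
        reach = int(m["reach"], 8)          # octal shift register of the last 8 polls
        peers.append({
            "address": m["addr"],
            "status": SEL_MEANING[m["sel"]],
            "configured": m["cfg"] == "~",
            "stratum": int(m["st"]),
            "reach_ok": bin(reach).count("1"),   # polls answered out of the last 8
            "last_poll_ok": bool(reach & 1),     # low bit is the most recent poll
            "offset_ms": float(m["offset"]),
            "dispersion_ms": float(m["disp"].rstrip(".")),
        })
    return peers


def synced_peer(peers):
    """Address of the peer flagged '*' (the one the clock follows), or None."""
    for p in peers:
        if p["status"] == "master (synced)":
            return p["address"]
    return None


def health_problems(peers, max_offset_ms=128.0):
    """Flag what an operator should look at; the 128 ms threshold is a
    constructed choice (NTP steps rather than slews above 128 ms)."""
    problems = []
    if synced_peer(peers) is None:
        problems.append("clock is not synchronized to any server")
    for p in peers:
        if p["stratum"] == 16 or p["reach_ok"] == 0:
            problems.append("%s unreachable" % p["address"])
        elif p["reach_ok"] < 8:
            problems.append("%s answered only %d of the last 8 polls"
                            % (p["address"], p["reach_ok"]))
        if abs(p["offset_ms"]) > max_offset_ms:
            problems.append("%s offset %.2f ms exceeds %.0f ms"
                            % (p["address"], p["offset_ms"], max_offset_ms))
    return problems


if __name__ == "__main__":
    peers = parse_associations(SAMPLE_OUTPUT)
    print("synced to:", synced_peer(peers))
    for line in health_problems(peers):
        print("problem:", line)
```

Run against the sample, it reports synchronization to 192.168.1.100, that 192.168.1.101 answered only four of the last eight polls (reach 017), and that 192.168.1.102 is unreachable.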