5.1 The Network Time Protocol



One often-overlooked service on a network is the Network Time Protocol (NTP). NTP is a protocol that allows networked devices to synchronize their internal clocks and is amazingly accurate in its operation. NTP clients receiving clocking information from a central server will automatically attempt to compensate for the estimated delay of the informational packets as they travel over the network. This intelligence results in devices over a large geographic area synchronized to within a few microseconds of each other. For the day-to-day operation of a computer network, this is normally not a critical function. Most computers contain their own chronometer that sets the time quite well. When considering the security of your network, however, NTP should be considered an essential protocol to include as part of the implementation of an information security policy.

NTP clocking should not be confused with the term "clocking," which is commonly used to represent the speed of a computer. The CPU chip, most likely Intel or AMD, which sits in your desktop computer, was most likely marketed to you by using the Hz speed of the processor. We have been trained to understand that a 2.2-GHz CPU is faster and better than a 2.0-GHz CPU. A small quartz crystal vibrates at a certain speed and determines the CPU speed along with other components of your average computer system. NTP has nothing to do with how fast your computer operates. NTP is a way of setting the clock on your computer in the same way you would set your wristwatch or kitchen wall clock. The benefit of NTP is that it is like setting your clocks all at once for daylight savings and at the same time making sure that your kitchen clock is not five minutes faster than your VCR clock.

NTP, like most TCP/IP protocols, is client/server in nature. This implies that there is a central server that keeps the master clock information. Other devices around the network, acting as clients, periodically check with the NTP server to ensure that their clocks are current and synchronized. An NTP server itself can be configured to query another server at a different location and synchronize to the remote server. This allows a hierarchy of NTP servers, providing accurate timing information on a global basis.

Those really interested in time know that not all clocks are created equal. Some are more accurate than others. Currently, the best clocks we know of are the so-called "atomic clocks" that measure their ticks according to the vibrations of certain atoms. These top-tier, highly accurate clocks are known as stratum one clocks. Because not everyone can afford their own atomic clock, but can afford a "pretty darn good" clock, there are also a number of stratum two clocks that synchronize themselves to the stratum one clocks on a regular basis. Below stratum two clocks are stratum three, stratum four, etc., all the way down to stratum sixteen clocks. In theory, each clock higher on the stratum hierarchy is more accurate and reliable than the one below it. When considering NTP, we do not need to worry about what stratum our desktop computers and servers are; we only need to know that NTP servers follow this stratum hierarchy. A stratum three clock always trusts the time of a stratum two clock but not a stratum four clock.

A typical network using NTP will have one or two clocks that act as time servers for the rest of the network. If two NTP servers are configured, they will synchronize with each other and normally synchronize with a public stratum two NTP server. Lists of public NTP servers are readily available on the Internet. Internal to the network, everything else will act as a client and synchronize its clock to the local NTP servers. This is particularly relevant from the perspective of network security. Many networks will have more than one source of logging information; each one of these log sources will mark its logs with the local time configured on the server. When these logs are collected and examined, unless the timestamps on the logs are precisely synchronized, determining the order of events — a critical element of forensic analysis and auditing — will be next to impossible. It is for this reason, the facilitation of network logging information for event auditing, that NTP is critical.

Some time has been spent discussing NTP and if you were not familiar with the protocol you may think that this is another expensive server or, worse yet, two expensive servers that you need to install and maintain along with purchasing the NTP server software itself. Not so. NTP is a small, efficient protocol and server application that is readily available for free or as part of a bundled OS. The application can easily run in conjunction with any other applications as part of a single server or on separate low-end computers. The power of the host computer is not an issue for the NTP application. All the needed information is obtained from a much more expensive and accurate computer out on the Internet.

Even synchronizing with stratum two clocks on the Internet is optional. What is more important is that your network is synchronized to itself. In most cases, it does not matter that your network NTP differs from the "actual" time by two seconds. What matters is that every device that your NTP server provides time for agrees on the time down to the millisecond. Internal consistency for your logging information is the goal — not external synchronization with the rest of the world. That said, it is so easy to connect to public stratum two servers that most NTP implementations go through the minor effort to ensure their time is globally accurate as well. Stratum one clocks are available, but public access to their highly accurate timing is not normally allowed. This is not a flaw; stratum two clocks are more than accurate enough for all but the most demanding of timing applications, such as satellite navigation or signaling for public telephone network circuits.
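
The effect described in the last two paragraphs can be seen by merging logs from three hosts. The following is an added example, not code from the book: the host names, log lines, and per-host clock errors are constructed, and the clock errors are assumed to be known. It shows that unsynchronized clocks reorder the merged timeline, while a two-second error shared by every clock does not.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed records: (host, timestamp from that host's own clock, message).
# Actual sequence of events: fw01 accept -> vpn01 login -> fs01 read.
RECORDS = [
    ("fw01", "2004-03-01 10:15:02.100000", "ACCEPT tcp 203.0.113.7 -> 10.0.0.5:443"),
    ("vpn01", "2004-03-01 10:14:59.400000", "login ok user=jdoe src=203.0.113.7"),
    ("fs01", "2004-03-01 10:15:03.900000", "read /finance/q1.xls user=jdoe"),
]

# Assumed clock error per host, in seconds (local clock minus reference clock).
CLOCK_ERROR = {"fw01": 0.0, "vpn01": -3.0, "fs01": 1.0}


def merge(records, clock_error=None):
    """Merge all hosts' records into one timeline sorted by timestamp.

    clock_error maps host -> seconds its clock runs ahead of the reference;
    that amount is subtracted before sorting. None trusts the raw stamps.
    """
    clock_error = clock_error or {}
    timeline = []
    for host, stamp, msg in records:
        t = datetime.strptime(stamp, FMT)
        t -= timedelta(seconds=clock_error.get(host, 0.0))
        timeline.append((t, host, msg))
    return sorted(timeline)


def restamp(timeline, seconds):
    """Records as they would be logged if every clock shared one error."""
    shift = timedelta(seconds=seconds)
    return [(h, (t + shift).strftime(FMT), m) for t, h, m in timeline]


def host_order(timeline):
    return [host for _, host, _ in timeline]


if __name__ == "__main__":
    raw = merge(RECORDS)                   # unsynchronized clocks, as logged
    actual = merge(RECORDS, CLOCK_ERROR)   # per-host error removed
    synced = merge(restamp(actual, 2.0))   # clocks agree, all 2 s off "actual"
    for name, tl in (("raw", raw), ("corrected", actual), ("synced+2s", synced)):
        print(name, host_order(tl))
        for t, host, msg in tl:
            print("   ", t.strftime("%H:%M:%S.%f")[:-3], host, msg)
```

In the raw merge the VPN login appears to precede the firewall accept that allowed it, which is the kind of inversion that misleads an audit; with synchronized clocks the order and the intervals between events are preserved even though every timestamp is two seconds off.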




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Cliff Riggs
