Check: CACI-ND-000056
Cisco ACI NDM STIG: CACI-ND-000056 (in version v1 r0.1)
Title
The Cisco ACI must be configured to synchronize system clocks within and between systems or system components. (Cat II impact)
Discussion
Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities such as access control and identification and authentication depending on the nature of the mechanisms used to support the capabilities.
Check Content
1. Navigate to Fabric >> Fabric Policies >> Fabric Security.
2. Expand "Policies".
3. Expand "Pod".
4. Expand "Date and Time".
5. Expand each "Date and Time Policy".
6. Verify at least two DOD-approved time sources are configured.

Note: DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

If the Cisco ACI fabric does not use DOD-approved redundant NTP sources that use cryptographically based authentication, this is a finding.
Fix Text
Create an NTP policy:
1. Navigate to Fabric >> Quickstart and click "Create an NTP Policy Link".
2. Fill out the form.
   - Provide a name for the policy.
   - Set the State to "Enabled".
3. Click "Next" to define the NTP Sources.
4. Define at least two DOD-approved time servers. Leave all the default options and click "OK". Refer to the note below.
5. Navigate to Fabric >> Fabric Policies submenu >> Pods >> Policy Groups folder to add the NTP Policy to the appropriate Fabric Pod Policy or group to assign to one or more Pods in the fabric.
6. Right-click on the Policy Groups folder. Select an existing Pod Policy Group or create a new group.
7. Select the policy for NTP created in the previous step.
8. Navigate to Fabric >> Fabric Policies submenu >> Pods >> Profiles >> Pod Profile >> default. If needed, with the default Pod Selector selected in the navigation pane, change the Fabric Policy Group to the one created in the previous step.

Note: DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), USNO time servers, and/or GPS. The secondary time source must be located in a different geographic region than the primary time source.
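The check above is a manual GUI walk-through. The following script is an added example, not part of this STIG or of Cisco's tooling, showing how a reviewer could apply the same two automatable conditions (at least two NTP sources, every source authenticated) to an exported Date and Time policy offline. The input shape mimics an APIC class query for datetimePol with datetimeNtpProv children; the attribute names authSt and keyId are assumptions about the APIC object model and the sample export is constructed. DOD approval of each server and the geographic separation of the secondary source still have to be confirmed by hand.

```python
"""Offline review of ACI Date and Time (NTP) policies against CACI-ND-000056.

Assumptions (verify against a real fabric export before relying on them):
  - datetimePol carries an "authSt" attribute of "enabled"/"disabled"
  - datetimeNtpProv carries "name" (the server) and "keyId" ("0" = no key)
"""
import json

# Constructed sample export: one compliant policy, one with a single source,
# and one with two sources but no authentication.
SAMPLE_EXPORT = """
{"imdata": [
  {"datetimePol": {"attributes": {"name": "dod-ntp", "authSt": "enabled"},
    "children": [
      {"datetimeNtpProv": {"attributes": {"name": "ntp1.example.mil", "keyId": "1"}}},
      {"datetimeNtpProv": {"attributes": {"name": "ntp2.example.mil", "keyId": "2"}}}
    ]}},
  {"datetimePol": {"attributes": {"name": "single", "authSt": "enabled"},
    "children": [
      {"datetimeNtpProv": {"attributes": {"name": "ntp1.example.mil", "keyId": "1"}}}
    ]}},
  {"datetimePol": {"attributes": {"name": "default", "authSt": "disabled"},
    "children": [
      {"datetimeNtpProv": {"attributes": {"name": "pool.example.org", "keyId": "0"}}},
      {"datetimeNtpProv": {"attributes": {"name": "time.example.org", "keyId": "0"}}}
    ]}}
]}
"""


def load_policies(raw):
    """Return a list of (policy_name, auth_enabled, [(server, key_id), ...])."""
    doc = json.loads(raw)
    policies = []
    for item in doc.get("imdata", []):
        pol = item.get("datetimePol")
        if pol is None:
            continue
        attrs = pol["attributes"]
        providers = []
        for child in pol.get("children", []):
            prov = child.get("datetimeNtpProv")
            if prov:
                pattrs = prov["attributes"]
                providers.append((pattrs.get("name", ""), pattrs.get("keyId", "0")))
        policies.append((attrs["name"], attrs.get("authSt") == "enabled", providers))
    return policies


def evaluate_policy(name, auth_enabled, providers, min_sources=2):
    """Return the findings for one policy; an empty list means no finding."""
    findings = []
    if len(providers) < min_sources:
        findings.append(f"{name}: only {len(providers)} NTP source(s) configured, need {min_sources}")
    if not auth_enabled:
        findings.append(f"{name}: NTP authentication is not enabled")
    for server, key_id in providers:
        # keyId "0" (or missing) means the source is polled without a key
        if key_id in ("", "0"):
            findings.append(f"{name}: source {server} has no authentication key")
    return findings


def evaluate_export(raw):
    """Map every policy name in the export to its list of findings."""
    return {name: evaluate_policy(name, auth, provs)
            for name, auth, provs in load_policies(raw)}


if __name__ == "__main__":
    for policy, findings in evaluate_export(SAMPLE_EXPORT).items():
        status = "OK" if not findings else "FINDING"
        print(f"{policy}: {status}")
        for line in findings:
            print("  -", line)
```

Only the "dod-ntp" policy passes; "single" is flagged for having one source and "default" for disabled authentication plus two unkeyed sources. A policy that passes this script can still be a finding if its servers are not DOD-approved or both sit in the same region.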
Additional Identifiers
Rule ID: SV-271971r1067377_rule
Vulnerability ID: V-271971
Group Title: SRG-APP-000920-NDM-000320
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-004922 | Synchronize system clocks within and between systems or system components. |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |