Check: CACI-ND-000008
Cisco ACI NDM STIG: CACI-ND-000008 (in version v1 r0.1)
Title
The Cisco ACI must use DOD-approved Network Time Protocol (NTP) sources that use authentication that is cryptographically based. (Cat II impact)
Discussion
If NTP is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to the Cisco ACI fabric, which makes log timestamps inaccurate and affects scheduled actions. NTP authentication prevents this tampering by authenticating the time source.

Time synchronization plays a critical role in the ACI fabric, from validating certificates to keeping log files consistent across devices, so it is strongly encouraged to sync the ACI fabric to redundant time sources. Simply creating an NTP policy does not apply it to the fabric; the policy must be assigned to a "Pod Policy".

Do not enable the NTP server option that allows the leaf switches to serve time requests to downstream endpoints. Using a Bridge Domain SVI (Subnet IP) as an NTP source for downstream clients is not recommended: when a leaf switch is enabled as an NTP server, it responds on any interface, and issues can arise when attempting to use the SVI address of a leaf rather than the management IP.
Check Content
Review the NTP configuration to verify it is compliant:
1. Navigate to Fabric >> Fabric Policies >> Fabric Security.
2. Expand "Policies".
3. Expand "Pod".
4. Expand "Date and Time".
5. Expand each "Date and Time Policy".
6. Verify at least two DOD-approved time sources are configured.

Note: DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.

If the Cisco ACI fabric does not use DOD-approved NTP sources that use authentication that is cryptographically based, this is a finding.
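As an added example (not part of the STIG and not Cisco's code), the check above can be automated against an APIC configuration export. It assumes the APIC object-model names datetimePol, datetimeNtpProv and datetimeNtpAuthKey with the attributes shown, which should be verified against the APIC version in use; whether a source is DOD-approved and geographically separate from the other still has to be judged by the reviewer.

```python
# Added example: audit NTP policies in an APIC JSON export for this STIG check.
# Assumptions (verify against your APIC version): the export is an "imdata" list
# of objects keyed by class; datetimePol carries adminSt/authSt, and its children
# are datetimeNtpProv (name, keyId) and datetimeNtpAuthKey (id, keyType).
import json

# Constructed sample: one policy with two authenticated sources, one without.
SAMPLE_EXPORT = json.dumps({"imdata": [
    {"datetimePol": {"attributes": {"name": "dod-ntp", "adminSt": "enabled", "authSt": "enabled"},
        "children": [
            {"datetimeNtpAuthKey": {"attributes": {"id": "1", "keyType": "sha1"}}},
            {"datetimeNtpProv": {"attributes": {"name": "ntp1.example.mil", "keyId": "1"}}},
            {"datetimeNtpProv": {"attributes": {"name": "ntp2.example.mil", "keyId": "1"}}}]}},
    {"datetimePol": {"attributes": {"name": "default", "adminSt": "enabled", "authSt": "disabled"},
        "children": [
            {"datetimeNtpProv": {"attributes": {"name": "pool.example.com", "keyId": "0"}}}]}},
]})


def audit_ntp_policies(export_json):
    """Return {policy_name: [finding, ...]}; an empty list means no finding.
    Source approval and geographic separation are not in the export and are
    left to the reviewer."""
    results = {}
    for obj in json.loads(export_json)["imdata"]:
        pol = obj.get("datetimePol")
        if pol is None:
            continue
        attrs, findings, keys, providers = pol["attributes"], [], {}, []
        for child in pol.get("children", []):
            if "datetimeNtpAuthKey" in child:
                k = child["datetimeNtpAuthKey"]["attributes"]
                keys[k["id"]] = k.get("keyType", "unknown")
            elif "datetimeNtpProv" in child:
                providers.append(child["datetimeNtpProv"]["attributes"])
        if attrs.get("adminSt") != "enabled":
            findings.append("policy is not enabled")
        if attrs.get("authSt") != "enabled":
            findings.append("NTP authentication is disabled")
        if len(providers) < 2:
            findings.append(f"only {len(providers)} time source(s); at least two required")
        for p in providers:
            key_id = p.get("keyId", "0")  # keyId "0" is assumed to mean no key assigned
            if key_id == "0" or key_id not in keys:
                findings.append(f"source {p['name']} has no configured authentication key")
        results[attrs["name"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_ntp_policies(SAMPLE_EXPORT).items():
        print(name, "no finding" if not findings else findings)
```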
Fix Text
Configure NTP servers. Create an NTP policy:
1. Navigate to Fabric >> Quickstart, and then click "Create an NTP Policy Link".
2. Fill out the form.
   - Provide a name for the policy.
   - Set the State to "Enabled".
3. Click "Next" to define the NTP Sources.
4. Define at least two DOD-approved time servers. Leave all the default options and click "OK". Refer to the note below.
5. Navigate to Fabric >> Fabric Policies sub menu >> Pods >> Policy Groups folder to add the NTP Policy to the appropriate Fabric Pod Policy or group to assign to one or more Pods in the fabric.
6. Right-click on the Policy Groups folder. Select an existing Pod Policy Group or create a new group.
7. Select the policy for NTP created in the previous step.
8. Navigate to Fabric >> Fabric Policies sub menu >> Pods >> Profiles >> Pod Profile >> default. If needed, with the default Pod Selector selected in the navigation pane, change the Fabric Policy Group to the one created in the previous step.

Note: DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DOD network (NIPRNet/SIPRNet); USNO time servers; and/or the GPS. The secondary time source must be located in a different geographic region than the primary time source.
Additional Identifiers
Rule ID: SV-271923r1067412_rule
Vulnerability ID: V-271923
Group Title: SRG-APP-000395-NDM-000347
CCIs
Number | Definition
---|---
CCI-001967 | Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
Controls
Number | Title
---|---
IA-3(1) | Cryptographic Bidirectional Authentication