Check: CSCO-NC-000290
Cisco ISE NAC STIG:
CSCO-NC-000290
(in versions v1 r3 through v1 r5)
Title
Before establishing a connection with a Network Time Protocol (NTP) server, the Cisco ISE must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server. This is required for compliance with C2C Step 1. (Cat II impact)
Discussion
If the NTP server is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication is used to prevent this tampering by authenticating the time source. Currently, the AES block cipher algorithm is approved for use in DoD for both applying cryptographic protection (e.g., encryption) and removing or verifying the protection that was previously applied (e.g., decryption). NTP devices use MD5 authentication keys. The MD5 algorithm is not specified in either the FIPS or NIST recommendation; however, MD5 is preferable to no authentication at all. The trusted-key statement permits authenticating NTP servers. The product must be configured to support separate keys for each NTP server. Servers should have a PKI device certificate involved for use in the device authentication process.
Check Content
If DoD is not at C2C Step 1 or higher, this is not a finding.

Verify the NTP settings to ensure NTP will be authenticated. From the CLI:
1. Type "show running-config | in ntp".
2. Verify that each defined NTP server has a key on the same line that defines the server, and make a note of the key number.
3. Verify that each NTP key number used has been created.

If there is an NTP source without an NTP key defined and it is a domain controller, this is not a finding, as Windows Server does not support NTP keys. If there are any other NTP sources that do not use a defined key, this is a finding.

Note: Each ISE node must be individually checked, as NTP settings are local to each appliance.
Note: There are NTP settings in the GUI; however, it is recommended to use the NTP settings solely in the CLI to prevent issues.
Fix Text
Configure the NTP servers to be authenticated. From the CLI:
1. Type "configure terminal".
2. Define an NTP authentication key: "ntp authentication-key <KEY Number> md5 plain <NTP KEY>".
3. Define an NTP server and associate it with the configured NTP key: "ntp server <IP> key <KEY Number>".
4. Type "exit" and press "Enter".
5. Type "write memory" and press "Enter".

If a domain controller is used for NTP, a key cannot be used, as Windows Server does not support NTP keys.

Note: Each ISE node must be individually configured, as NTP settings are local to each appliance.
Note: There are NTP settings in the GUI; however, it is recommended to use the NTP settings solely in the CLI to prevent issues.
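The check and fix above are manual, and they must be repeated on every ISE node. As an added example (not part of the STIG and not Cisco tooling), the following Python script applies the Check Content logic to captured output of "show running-config | in ntp": every "ntp server" line must carry a key, every referenced key must be defined by an "ntp authentication-key" line, and domain controllers are exempted as the check text allows. The two sample configurations are constructed for illustration (RFC 5737 addresses, placeholder key values), the assumption that ISE displays stored keys as "md5 hash <value>" in the running configuration is labelled in the code, and the key-reuse warning reflects the Discussion's separate-keys requirement rather than a finding in the check text.

```python
"""Audit Cisco ISE NTP configuration against CSCO-NC-000290.

Added example for this page, not DISA or Cisco code. Input is captured text of
`show running-config | in ntp` from an ISE node; output is a list of findings.
"""
import re
from dataclasses import dataclass, field

# "ntp server <host> [key <n>]" as it appears in the ISE running-config.
SERVER_RE = re.compile(r"^ntp server (\S+)(?: key (\d+))?\s*$")
# "ntp authentication-key <n> md5 (hash|plain) <value>". Assumption: ISE shows
# configured keys in the hashed form; the parser accepts either form.
KEY_RE = re.compile(r"^ntp authentication-key (\d+) md5 (hash|plain) (\S+)\s*$")

# Constructed sample: the weak state (one server with no key, one server
# referencing a key that was never defined).
WEAK_CONFIG = """\
ntp server 192.0.2.10
ntp server 192.0.2.11 key 7
"""

# Constructed sample: the state after the Fix Text is applied, plus a domain
# controller that cannot use a key (exempted by the Check Content).
FIXED_CONFIG = """\
ntp authentication-key 1 md5 hash PLACEHOLDERHASH1
ntp authentication-key 2 md5 hash PLACEHOLDERHASH2
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11 key 2
ntp server dc01.example.mil
"""


@dataclass
class NtpAudit:
    defined_keys: dict = field(default_factory=dict)  # key number -> (mode, value)
    servers: dict = field(default_factory=dict)       # host -> key number or None
    findings: list = field(default_factory=list)      # STIG findings
    warnings: list = field(default_factory=list)      # separate-keys advice


def audit_ntp_config(config_text, domain_controllers=()):
    """Return an NtpAudit describing unauthenticated NTP sources.

    domain_controllers: hostnames/IPs exempted because Windows Server does not
    support NTP symmetric keys (per the check text).
    """
    result = NtpAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            result.defined_keys[int(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = SERVER_RE.match(line)
        if m:
            host, key = m.group(1), m.group(2)
            result.servers[host] = int(key) if key else None

    for host, key in result.servers.items():
        if key is None:
            if host in domain_controllers:
                continue  # exempted: domain controller without key is not a finding
            result.findings.append(f"{host}: no key on ntp server line")
        elif key not in result.defined_keys:
            result.findings.append(f"{host}: key {key} referenced but not defined")

    # Discussion: the product must support separate keys per server; a shared
    # key is reported as a warning, not a finding.
    used = [k for k in result.servers.values() if k is not None]
    for k in sorted(set(used)):
        if used.count(k) > 1:
            result.warnings.append(f"key {k} shared by {used.count(k)} servers")
    return result


def is_finding(config_text, domain_controllers=()):
    """True if the node would be a finding under CSCO-NC-000290."""
    return bool(audit_ntp_config(config_text, domain_controllers).findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        r = audit_ntp_config(cfg, domain_controllers=("dc01.example.mil",))
        print(name, "findings:", r.findings, "warnings:", r.warnings)
```

Run it once per ISE node against that node's captured output, because the STIG notes NTP settings are local to each appliance; a domain controller is only exempt when it is passed in the domain_controllers list, so an unlisted keyless server is still reported.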
Additional Identifiers
Rule ID: SV-242603r878130_rule
Vulnerability ID: V-242603
Group Title: SRG-NET-000550-NAC-002470
Expert Comments
CCIs
Number | Definition
---|---
CCI-001967 | The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
Controls
Number | Title
---|---
IA-3 (1) | Cryptographic Bidirectional Authentication