VMware Communities: Message List - Hash Algorithm to Authenticate Time Source

Re: Hash Algorithm to Authenticate Time Source

DSeaman — Thu, 08 Oct 2009 02:52:05 GMT

In fact I support the DoD, and we use internal NTP servers based on GPS time. However, we still have a requirement to enable NTP hashing for even more security. We are using ESXi and I haven't found a method to enable NTP hashing.

Re: Hash Algorithm to Authenticate Time Source

mcowger — Mon, 08 Jun 2009 02:10:15 GMT

Indeed - this idea of running your own clock source on a safe network is probably te best choice.. GPS linked time sources are pretty cheap.

--Matt
VCP, vExpert, Unix Geek

Re: Hash Algorithm to Authenticate Time Source

Rumple — Sun, 07 Jun 2009 04:00:53 GMT

If security is that much of a concern they better be using internal atomic timekeeping devices for NTP on a secured network. If someone is able to spoof timekeeping internally, as pointed out earlier, they have MUCH bigger problems...

I've seen alot of exploits, but screwing with log times would only be a concern for someone hacking the pentagon I would expect...the general blow hacker covers their tracks by clearing the logs, not spoofing the time...

Re: Hash Algorithm to Authenticate Time Source

depping — Sat, 06 Jun 2009 22:03:03 GMT

This is the first time I ever heard that someone wanted to do a hash check on his ntp source.

Duncan
VMware Communities User Moderator | VCP | VCDX

Blogging: http://www.yellow-bricks.com
Twitter: http://www.twitter.com/depping

If you find this information useful, please award points for "correct" or "helpful".

Re: Hash Algorithm to Authenticate Time Source

mcowger — Sat, 06 Jun 2009 20:54:29 GMT

Implement one of the methods here:

http://support.ntp.org/bin/view/Support/ConfiguringAutokey

Though, in all honesty, if you are worried about having your internal NTP servers spoofed, you have much larger problems.

--Matt
VCP, vExpert, Unix Geek

Re: Hash Algorithm to Authenticate Time Source

Texiwill — Sat, 06 Jun 2009 19:12:56 GMT

Hello,

Moved to ESX 3.5 forum.

Best regards, Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Re: Hash Algorithm to Authenticate Time Source

guyrleech — Fri, 05 Jun 2009 13:34:45 GMT

Ah! This is the Server 2.0 community, not ESX. You'll probably want to contact a moderator to move your post to the right forum so it gets seen by people who are more likely to know the answer. Sorry. I will have a dig around though as I also have VI infrastructure although have never done anything complex (yet) with the NTP settings.

Re: Hash Algorithm to Authenticate Time Source

twd711 — Fri, 05 Jun 2009 12:49:42 GMT

I have been locking down ESX servers for a client and one of the requirements is that we must configure all ESX Servers to use a hashing algorithm to authenticate the time source if we are using NTP.

The exerp is as follows:

"Since NTP is used to ensure accure log file timestamps for information, NTP could pose a security risk if a malicious user were able to falsify NTP information. Implementing authentication between NTP peers can mitigate this risk. When hashing authentication is enforced, there is a greater level of assurance that NTP updates are from a trusted source.."

This is all the information I have. Any idea what enforcing authentication with NTP actually is or how it is done? I can't find any information to support this.

Re: Hash Algorithm to Authenticate Time Source

guyrleech — Thu, 04 Jun 2009 21:24:43 GMT

Please expand on what you are after here as I, for one, don't understand.

Guy Leech

---
If you found this or any other answer useful please consider the use of the Helpful or Correct buttons to award points.

Hash Algorithm to Authenticate Time Source

twd711 — Thu, 04 Jun 2009 17:34:03 GMT

Hello,

I had a quick (and I am sure easy) question. I was wondering how one would go about using a hashing algorithm to authenticate a time source if you wanted to use NTP. What are the steps to set this up?

Thanks