VMware

This Question is Possibly Answered

1 "correct" answer available (10 pts) 2 "helpful" answers available (6 pts)
9 Replies Last post: Oct 7, 2009 7:52 PM by DSeaman  

Hash Algorithm to Authenticate Time Source posted: Jun 4, 2009 10:34 AM

Click to view twd711's profile Enthusiast
twd711
24 posts since
May 27, 2009

Hello,

I had a quick (and I am sure easy) question. I was wondering how one would go about using a hashing algorithm to authenticate a time source if you wanted to use NTP. What are the steps to set this up?

Thanks

Re: Hash Algorithm to Authenticate Time Source

1. Jun 4, 2009 2:24 PM in response to: twd711
Click to view guyrleech's profile Virtuoso
guyrleech
1,804 posts since
Mar 6, 2006
Please expand on what you are after here as I, for one, don't understand.

Guy Leech
http://communities.vmware.com/servlet/JiveServlet/download/1200101-20223/vExpert_logo_100x57.jpg

---
If you found this or any other answer useful please consider the use of the Helpful or Correct buttons to award points.

Re: Hash Algorithm to Authenticate Time Source

2. Jun 5, 2009 5:49 AM in response to: guyrleech
Click to view twd711's profile Enthusiast
twd711
24 posts since
May 27, 2009

I have been locking down ESX servers for a client and one of the requirements is that we must configure all ESX Servers to use a hashing algorithm to authenticate the time source if we are using NTP.

The exerp is as follows:

"Since NTP is used to ensure accure log file timestamps for information, NTP could pose a security risk if a malicious user were able to falsify NTP information. Implementing authentication between NTP peers can mitigate this risk. When hashing authentication is enforced, there is a greater level of assurance that NTP updates are from a trusted source.."

This is all the information I have. Any idea what enforcing authentication with NTP actually is or how it is done? I can't find any information to support this.


Re: Hash Algorithm to Authenticate Time Source

3. Jun 5, 2009 6:34 AM in response to: twd711
Click to view guyrleech's profile Virtuoso
guyrleech
1,804 posts since
Mar 6, 2006
Ah! This is the Server 2.0 community, not ESX. You'll probably want to contact a moderator to move your post to the right forum so it gets seen by people who are more likely to know the answer. Sorry. I will have a dig around though as I also have VI infrastructure although have never done anything complex (yet) with the NTP settings.

Re: Hash Algorithm to Authenticate Time Source

4. Jun 6, 2009 12:12 PM in response to: guyrleech
Click to view Texiwill's profile Guru
Texiwill
10,205 posts since
Jan 13, 2004
Hello,

Moved to ESX 3.5 forum.


Best regards, Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Re: Hash Algorithm to Authenticate Time Source

5. Jun 6, 2009 1:54 PM in response to: twd711
Click to view mcowger's profile Virtuoso
mcowger
2,058 posts since
Aug 22, 2007
Implement one of the methods here:

http://support.ntp.org/bin/view/Support/ConfiguringAutokey

Though, in all honesty, if you are worried about having your internal NTP servers spoofed, you have much larger problems.






--Matt
VCP, vExpert, Unix Geek

Re: Hash Algorithm to Authenticate Time Source

6. Jun 6, 2009 3:03 PM in response to: mcowger
Click to view depping's profile Champion
depping
2,997 posts since
Jan 17, 2005
This is the first time I ever heard that someone wanted to do a hash check on his ntp source.

Duncan
VMware Communities User Moderator | VCP | VCDX

Blogging: http://www.yellow-bricks.com
Twitter: http://www.twitter.com/depping

If you find this information useful, please award points for "correct" or "helpful".

Re: Hash Algorithm to Authenticate Time Source

7. Jun 6, 2009 9:00 PM in response to: depping
Click to view Rumple's profile Master
Rumple
1,264 posts since
Jan 6, 2005

If security is that much of a concern they better be using internal atomic timekeeping devices for NTP on a secured network. If someone is able to spoof timekeeping internally, as pointed out earlier, they have MUCH bigger problems...

I've seen alot of exploits, but screwing with log times would only be a concern for someone hacking the pentagon I would expect...the general blow hacker covers their tracks by clearing the logs, not spoofing the time...

Re: Hash Algorithm to Authenticate Time Source

8. Jun 7, 2009 7:10 PM in response to: Rumple
Click to view mcowger's profile Virtuoso
mcowger
2,058 posts since
Aug 22, 2007
Indeed - this idea of running your own clock source on a safe network is probably te best choice.. GPS linked time sources are pretty cheap.






--Matt
VCP, vExpert, Unix Geek

Re: Hash Algorithm to Authenticate Time Source

9. Oct 7, 2009 7:52 PM in response to: mcowger
Click to view DSeaman's profile Enthusiast
DSeaman
134 posts since
Oct 5, 2005

In fact I support the DoD, and we use internal NTP servers based on GPS time. However, we still have a requirement to enable NTP hashing for even more security. We are using ESXi and I haven't found a method to enable NTP hashing.

Actions

VMware Developer

SDKs, APIs, Videos, Learn and much more in the Developer community.

Learn More

Developer Sample Code

Increase your developer productivity with VMware API sample code.

Learn More

VMworld Sessions & Labs

Online access to the latest VMworld Sessions & Labs and online services.

Learn more

Purchase PSO Credits Online

Purchase credits to redeem training and consulting services online.

Buy Now

Community Hardware Software

View reported configurations or report your own.

Learn More

VMware vSphere

Come witness the next giant leap in virtualization.

Register Today

Communities