Hash Algorithm to Authenticate Time Source

Jun 4, 2009 10:34 AM

twd711

Hello,

I had a quick (and I am sure easy) question. I was wondering how one would go about using a hashing algorithm to authenticate a time source if you wanted to use NTP. What are the steps to set this up?

Thanks

Re: Hash Algorithm to Authenticate Time Source Jun 4, 2009 2:24 PM
guyrleech

Please expand on what you are after here as I, for one, don't understand.

Guy Leech

Re: Hash Algorithm to Authenticate Time Source Jun 5, 2009 5:49 AM
in response to: guyrleech
twd711

I have been locking down ESX servers for a client and one of the requirements is that we must configure all ESX Servers to use a hashing algorithm to authenticate the time source if we are using NTP.

The excerpt is as follows:

"Since NTP is used to ensure accurate log file timestamps for information, NTP could pose a security risk if a malicious user were able to falsify NTP information. Implementing authentication between NTP peers can mitigate this risk. When hashing authentication is enforced, there is a greater level of assurance that NTP updates are from a trusted source."

This is all the information I have. Any idea what enforcing authentication with NTP actually is or how it is done? I can't find any information to support this.
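
The "hashing authentication" in the quoted requirement corresponds to NTP's symmetric-key scheme: client and server share a secret, and each packet carries a key ID plus an MD5 digest computed over the secret followed by the packet. The check is sketched below as an added example, not part of the original post and not ntpd's own code; the key, key ID and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed key file in ntpd's "keyid type secret" layout (M = MD5 ASCII key).
KEYS_FILE = "# sample only\n1 M ExampleSharedSecret\n"
TRUSTED = {1}  # stands in for the key IDs listed under ntpd's "trustedkey"

def load_keys(text):
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key_id, key_type, secret = line.split(None, 2)
            if key_type.upper() in ("M", "MD5"):
                keys[int(key_id)] = secret.encode()
    return keys

def sign(header, key_id, secret):
    # MAC = 32-bit key ID followed by MD5(secret || 48-byte NTP header)
    return header + struct.pack("!I", key_id) + hashlib.md5(secret + header).digest()

def verify(packet, keys, trusted=TRUSTED):
    # Returns "ok" or the reason a client enforcing authentication drops the packet.
    if len(packet) == 48:
        return "unauthenticated"
    if len(packet) != 68:
        return "malformed"
    header, key_id, digest = packet[:48], struct.unpack("!I", packet[48:52])[0], packet[52:]
    if key_id not in trusted or key_id not in keys:
        return "untrusted key id"
    expected = hashlib.md5(keys[key_id] + header).digest()
    return "ok" if hmac.compare_digest(expected, digest) else "bad digest"

def demo():
    keys = load_keys(KEYS_FILE)
    # Constructed server reply: LI=0, VN=4, mode=4 (server), stratum 1, rest zeroed.
    header = bytes([0x24, 1, 6, 0xEC]) + bytes(44)
    genuine = sign(header, 1, keys[1])
    altered = bytearray(genuine)
    altered[40] ^= 0x01  # change one bit of the transmit timestamp in transit
    forged = sign(header, 1, b"not-the-shared-secret")
    return [verify(p, keys) for p in (genuine, bytes(altered), forged, header)]

if __name__ == "__main__":
    print(demo())
```

Only the reply signed with the shared secret is accepted; a reply altered in transit, one signed with a different secret, and one with no MAC at all are each rejected.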


Re: Hash Algorithm to Authenticate Time Source Jun 5, 2009 6:34 AM
in response to: twd711
guyrleech

Ah! This is the Server 2.0 community, not ESX. You'll probably want to contact a moderator to move your post to the right forum so it gets seen by people who are more likely to know the answer. Sorry. I will have a dig around though as I also have VI infrastructure although have never done anything complex (yet) with the NTP settings.

Re: Hash Algorithm to Authenticate Time Source Jun 6, 2009 12:12 PM
in response to: guyrleech
Texiwill (Moderator)

Hello,

Moved to ESX 3.5 forum.


Best regards, Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Re: Hash Algorithm to Authenticate Time Source Jun 6, 2009 1:54 PM
in response to: twd711
mcowger

Implement one of the methods here:

http://support.ntp.org/bin/view/Support/ConfiguringAutokey

Though, in all honesty, if you are worried about having your internal NTP servers spoofed, you have much larger problems.






--Matt
VCP, vExpert, Unix Geek

Re: Hash Algorithm to Authenticate Time Source Jun 6, 2009 3:03 PM
in response to: mcowger
depping (VMware Moderator)

This is the first time I ever heard that someone wanted to do a hash check on his ntp source.

Duncan
VMware Communities User Moderator | VCP | VCDX


Blogging: http://www.yellow-bricks.com
Twitter: http://www.twitter.com/depping


Re: Hash Algorithm to Authenticate Time Source Jun 6, 2009 9:00 PM
in response to: depping
Rumple

If security is that much of a concern they better be using internal atomic timekeeping devices for NTP on a secured network. If someone is able to spoof timekeeping internally, as pointed out earlier, they have MUCH bigger problems...

I've seen a lot of exploits, but screwing with log times would only be a concern for someone hacking the Pentagon I would expect...the general blow hacker covers their tracks by clearing the logs, not spoofing the time...

Re: Hash Algorithm to Authenticate Time Source Jun 7, 2009 7:10 PM
in response to: Rumple
mcowger

Indeed - this idea of running your own clock source on a safe network is probably the best choice. GPS linked time sources are pretty cheap.






--Matt
VCP, vExpert, Unix Geek

Re: Hash Algorithm to Authenticate Time Source Oct 7, 2009 7:52 PM
in response to: mcowger
DSeaman

In fact I support the DoD, and we use internal NTP servers based on GPS time. However, we still have a requirement to enable NTP hashing for even more security. We are using ESXi and I haven't found a method to enable NTP hashing.