Network Time Protocol

Time synchronization plays an important role in network security management. Network Time Protocol (NTP) is an internet protocol used to synchronize computer clocks across a network. It is important for systems across a network to share an accurate, common time: correlating logs from different hosts and checking certificate validity periods depend on it, and updates to a filesystem by multiple systems, in the same location or in different locations, also require time coordination.

NTP synchronizes computer clocks to Coordinated Universal Time (UTC), not only to the minute or second but to the millisecond and even to fractions of a millisecond. NTP is both a protocol and a set of server/client programs; a host can be configured to act as an NTP client, an NTP server, or both.

In NTP, devices are arranged in a hierarchy, with the primary time source at the apex and the other devices below it. A device's distance from the primary source is expressed by its stratum level.

Stratum-0 devices are the primary reference clocks with the most accurate time, for example atomic clocks or GPS receivers.

Stratum-1 servers are connected directly to stratum-0 devices and take them as their time source; they in turn serve the stratum-2 (secondary) servers. In an NTP hierarchy, stratum-1 devices obtain their time from stratum-0 devices, stratum-2 devices obtain their time from stratum-1 servers, and so on down to stratum-15.

NTP therefore supports 16 stratum levels, 0 through 15. Stratum-16 denotes a device whose clock is not synchronized, and such a device is not accepted as a time source.

There are four possible modes of NTP:

  • NTP client mode: A network device in client mode synchronizes its clock from an NTP server. It does not allow other network devices to synchronize from its clock.
  • NTP server mode: A network device running NTP as a service, which allows other devices to synchronize their time from it. In this mode the server does not adjust its own clock from the devices it serves.
  • NTP peer mode: In this mode, two devices exchange time with each other and either can act as the time source for the other, so a peer can both offer and accept time.
  • Broadcast/multicast mode: In this mode, the NTP server sends broadcast or multicast messages so that the NTP clients on the network can synchronize their time from it.

The process of setting the clock involves the following steps:

  1. The NTP client contacts the time server and initiates a time request exchange.
  2. This message exchange carries the send and receive timestamps of both sides, which lets the client calculate the round-trip delay and its clock offset, and adjust its clock to match the server's clock.
  3. The initial setting of the clock requires a minimum of six message exchanges between the client and the server over a period of 5 to 10 minutes.
  4. Once the clock is synchronized, the client keeps updating it about every 10 minutes, requiring at least one message exchange.

A simpler and less secure version of NTP is Simple Network Time Protocol (SNTP). A user can implement NTP on a network by using their own master clock or by using an NTP server that is available on the internet. If using one's own clock, the private network has to be synchronized with UTC through a satellite (GPS) or radio receiver.

However, while implementing NTP, one needs to be careful. An attacker can send bogus NTP data into the user's network over the internet, either as a DoS attack or with the aim of changing the time on the system clocks, for example to render digital certificates invalid. Accepting forged time can be prevented by using NTP version 3 or later, which supports a cryptographic authentication mechanism between NTP partners: each packet carries a key ID and an MD5 hash computed over the packet with a shared secret key, and a device only accepts time from a partner whose key ID it trusts and whose hash verifies. Authentication does not stop a flood of packets from consuming resources, so it is a protection against forged time rather than against volumetric DoS.
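The following Python program is an added example, not code from the original page. It puts the exchange described in the steps above and the NTPv3 authentication mechanism just described into working code: it builds a client request and a server reply in the 48-byte NTP header format, appends the NTPv3-style authenticator (key ID followed by MD5 over the shared key and the header, as in RFC 5905), and has the client verify the authenticator and the origin timestamp before computing offset and delay from the four timestamps. The clock readings, the key `cisco123` and the key ID are constructed for illustration, and the server side is simulated in the same process rather than sent over UDP.

```python
"""Added example (not from the page): an NTP client/server exchange with the
offset and delay computation, plus NTPv3-style symmetric-key MD5 authentication.
All clock readings and the key are constructed for illustration."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800                # seconds from 1900-01-01 to 1970-01-01
HEADER_FMT = "!BBBbIIIQQQQ"                  # 48-byte NTP header (RFC 5905)
HEADER_LEN = struct.calcsize(HEADER_FMT)     # 48
MAC_LEN = 4 + 16                             # key ID + MD5 digest trailer


def to_ntp(unix_seconds):
    """Unix time in seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_seconds)
    frac = int((unix_seconds - secs) * (1 << 32))
    return ((secs + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix time in seconds (float)."""
    return ((ts >> 32) - NTP_EPOCH_OFFSET) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode, stratum, origin, receive, transmit, version=3):
    """Build a 48-byte NTP header: LI=0, poll=6 (64 s), precision=-20,
    root delay/dispersion, reference ID and reference timestamp left at zero."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, origin, receive, transmit)


def parse_packet(data):
    """Extract the fields this example needs from the header (any MAC trailer is ignored)."""
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {"version": (f[0] >> 3) & 0x7, "mode": f[0] & 0x7, "stratum": f[1],
            "origin": f[8], "receive": f[9], "transmit": f[10]}


def append_mac(header, key_id, key):
    """NTPv3 symmetric-key authentication: trailer = key ID || MD5(key || header)."""
    digest = hashlib.md5(key + header[:HEADER_LEN]).digest()
    return header[:HEADER_LEN] + struct.pack("!I", key_id) + digest


def verify_mac(packet, trusted_keys):
    """Accept the packet only if its key ID is trusted and the digest matches."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                          # unauthenticated or malformed trailer
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                          # key ID not trusted (cf. 'ntp trusted-key')
    expected = hashlib.md5(key + packet[:HEADER_LEN]).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


def clock_offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 on-wire calculation from the four timestamps of one exchange."""
    offset = ((t2 - t1) + (t3 - t4)) / 2      # how far the client clock is behind the server
    delay = (t4 - t1) - (t3 - t2)             # round-trip network delay, server processing removed
    return offset, delay


def run_exchange(t1, t2, t3, t4, key_id, client_keys, server_key):
    """Simulate one request/reply exchange.

    t1/t4 are client clock readings at send/receive; t2/t3 are server clock readings
    at receive/send. client_keys is the client's trusted-key table; server_key is
    whatever key the responding server signs with (a rogue server lacks the right one).
    Returns (offset, delay) in seconds, or None if the client rejects the reply.
    """
    request = append_mac(build_packet(3, 0, 0, 0, to_ntp(t1)), key_id, client_keys[key_id])
    # Server side: copy the client's transmit time into origin, stamp receive and transmit.
    req = parse_packet(request)
    reply = append_mac(build_packet(4, 1, req["transmit"], to_ntp(t2), to_ntp(t3)),
                       key_id, server_key)
    # Client side: authenticate first, then check the reply actually answers our request.
    if not verify_mac(reply, client_keys):
        return None
    rep = parse_packet(reply)
    if rep["origin"] != req["transmit"]:
        return None                           # origin mismatch: not a reply to our request
    return clock_offset_and_delay(from_ntp(rep["origin"]), from_ntp(rep["receive"]),
                                  from_ntp(rep["transmit"]), t4)


if __name__ == "__main__":
    keys = {1: b"cisco123"}                   # constructed key, shared by both sides
    # Constructed readings: client 0.5 s behind server, 50 ms each way, 10 ms processing.
    print(run_exchange(1000.0, 1000.55, 1000.56, 1000.11, 1, keys, b"cisco123"))  # ~(0.5, 0.1)
    print(run_exchange(1000.0, 1000.55, 1000.56, 1000.11, 1, keys, b"wrongkey"))  # None
```

The genuine server produces an offset of 0.5 s and a delay of 0.1 s; a server signing with a different key is rejected before any timestamp is used. Note that the MD5 authenticator binds the packet to a shared secret but is not a modern MAC; it protects against forged time from parties without the key, not against a flood of requests.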

This mechanism can be used along with ACLs that restrict which devices are permitted to synchronize from, or peer with, a given device, so that even a correctly keyed packet is only accepted from expected addresses. The topology used below consists of two routers, R1 and R2, connected on their fa0/0 interfaces over the 10.1.1.0/30 link, with R1 acting as the time source for R2.

Let's see how to configure NTP for that topology:

  1. Configure the IP address on both routers and bring the interfaces up:
R1(config)#interface fa0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R2(config)#interface fa0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
  2. Configure the key string and key ID for the secure NTP transmission (the key string must match on both ends):
R1(config)#ntp authentication-key 1 md5 cisco123
R2(config)#ntp authentication-key 1 md5 cisco123
  3. Configure the key ID to be identified as a trusted one:
R1(config)#ntp trusted-key 1
R2(config)#ntp trusted-key 1
  4. Enable the NTP authentication process:
R1(config)#ntp authenticate
R2(config)#ntp authenticate
  5. Configure R1 to be the NTP master (without a stratum argument, IOS advertises stratum 8):
R1(config)#ntp master
  6. Configure R2 to receive its time from R1, referencing key 1 so that the association is authenticated (without the key keyword R2 sends unauthenticated requests and, with ntp authenticate enabled, will not synchronize):
R2(config)#ntp server 10.1.1.1 key 1
Once the association has completed its initial exchanges, show ntp associations on R2 should list 10.1.1.1 as an authenticated peer and show ntp status should report the clock as synchronized.