Channel: Johannes Weber – Weberblog.net

Palo Alto Networks NGFW using NTP Authentication


Everyone uses NTP, that’s for sure. But are you using it with authentication against your own stratum 1 servers? You should, since this is the only way to protect against spoofed NTP packets; refer to Why should I run own NTP Servers?. As always, Palo Alto has implemented this security feature in a really easy way: it requires just a few clicks in the GUI. (Which again is much better than other solutions, e.g., FortiGate, which requires cumbersome CLI commands.) However, monitoring the NTP servers, i.e., whether authentication was successful or not, isn’t implemented well. Here we go:

This article is one of many blogposts within this NTP series. Please have a look!

For this post I am using a PA-220 with PAN-OS 8.1.7. I am querying my Raspberry Pi w/ GPS and my Meinberg M200, both delivering NTP authentication [1, 2]. Funnily enough I can only share this single screenshot which shows everything you need to set up NTP authentication. :) It is at Device -> Setup -> Services:

Note that I am using two of my three NTP servers, each with a different key ID, because otherwise it wouldn’t work. (You can configure both NTP servers with the same key ID but *different* keys, but then it won’t work. Hence you MUST use two different key IDs, one for each server.)

However, though it was fairly easy to configure, I am not completely happy about the monitoring of the NTP daemon. The system logs don’t tell that much (above the red line I configured my own NTP servers):

while the CLI command show ntp at least reveals a status of “synched”, but not clearly whether the authentication took place:
weberjoh@pa> show ntp

NTP state:
    NTP synched to ntp2.weberlab.de
    NTP server: ntp3.weberlab.de
        status: available
        reachable: yes
        authentication-type: symmetric key
    NTP server: ntp2.weberlab.de
        status: synched
        reachable: yes
        authentication-type: symmetric key

And I haven’t found any more debug logs. Hm.

Ok, so there is still some room for improvement. The same goes for the number of NTP servers that can be configured: it should be 3 rather than 2, because spotting a falsified timestamp delivered by one NTP server requires a majority, which isn’t possible with just 2 servers at all.
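Since the CLI output above is the only place where the authentication state shows up, the following check, added here as an example and not taken from the post or from Palo Alto Networks, parses the show ntp output into per-server fields and reports servers that are unreachable or not authenticated with a symmetric key, plus the too-few-servers problem. The healthy sample is the output from above; the failure sample is constructed.

```python
import re

# Output copied from the PA-220 (PAN-OS 8.1.7) "show ntp" session above.
SHOW_NTP_OK = """NTP state:
    NTP synched to ntp2.weberlab.de
    NTP server: ntp3.weberlab.de
        status: available
        reachable: yes
        authentication-type: symmetric key
    NTP server: ntp2.weberlab.de
        status: synched
        reachable: yes
        authentication-type: symmetric key
"""

# Constructed failure case (not from the post): ntp3 unreachable, ntp2 without a key.
SHOW_NTP_BAD = "authentication-type: none".join(
    SHOW_NTP_OK.replace("reachable: yes", "reachable: no", 1)
    .rsplit("authentication-type: symmetric key", 1))

def parse_show_ntp(text):
    """Return (synched_peer, [server dicts]) from PAN-OS 'show ntp' output."""
    synched, servers = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"NTP synched to (\S+)$", line):
            synched = m.group(1)
        elif m := re.match(r"NTP server: (\S+)$", line):
            servers.append({"name": m.group(1)})
        elif servers and ":" in line:
            # Indented "key: value" lines belong to the most recent server block.
            key, _, value = line.partition(":")
            servers[-1][key.strip()] = value.strip()
    return synched, servers

def ntp_findings(text, min_servers=3):
    """Monitoring findings for one 'show ntp' output; [] means healthy."""
    synched, servers = parse_show_ntp(text)
    findings = []
    if synched is None:
        findings.append("not synched to any NTP server")
    if len(servers) < min_servers:
        findings.append(f"only {len(servers)} NTP servers configured, {min_servers} wanted")
    for s in servers:
        if s.get("reachable") != "yes":
            findings.append(f"{s['name']}: not reachable")
        if s.get("authentication-type") != "symmetric key":
            findings.append(f"{s['name']}: authentication-type is {s.get('authentication-type')!r}")
    return findings
```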

Featured image “Waves” by Kacper Gunia is licensed under CC BY-NC 2.0.

