Watch Your Timing! Best Practices for NTP Time Synchronization

ntp-time-synchronizationAccurate, reliable and secure time has become essential to many types of systems, applications, and key services considered part of today’s enterprise networks.  Here’s a primer on using NTP for Time Synchronization, and best practices for keeping time accurate, reliable and secure.

If you haven’t considered your needs for Time Synchronization, or updated your approach, this post highlights some best practices, key considerations and prudent steps to consider.

Why is Time Synchronization so important?

  • For any Enterprise, time synchronization keeps Active Directory, authentication, network security services, backups, log files and audit trails in synch across different systems, for troubleshooting, auditing, and forensics.
  • In E-commerce, having “protected” time sources, and accurate timestamps referenced to Universal Coordinated Time (UTC) is a compliance requirement. Key regulatory regimes, like PCI DSS 3.0 Section 10.4, SEC Rule 613 and FINRA OATS Rule 7430, have all tightened requirements for time synchronization over the last several years.
  • For Telecom carriers, cable operators and ISPs, frequency synchronization is key to service quality for the communications flowing over their networks.
  • For wireless carriers, extremely precise time and phase synchronization at the wireless network edge is a key requirement for LTE-Advanced, TDD and other 4G standards.

Empowered works with all the key players in Canada’s service provider marketplace. We’ve been providing leading solutions, expert advice and support for frequency, time  and phase synchronization for more than a decade.  We can definitely help with Time Synchronization.

 

The Basics of Time Synchronization via NTP

While your needs and applications will vary, as a general, high-level best practice:

  • Design a “timing hierarchy” into your network, with multiple timing references, tied to GPS/GNSS, that serve time to all of your systems, applications and hosts.
  • Most will find it appropriate to implement one or more NTP servers inside your network.

If you don’t have a dedicated NTP server today, that’s a great starting point for a conversation with our synchronization experts. Contact Empowered today to expand on the points below and plan your site-specific implementation.

Enhancing Time Synchronization

If you have an existing NTP server in place, it’s prudent to review its specific features, implementation and configuration to ensure it delivers the performance you need to address today’s, and tomorrow’s, applications and services, and compliance requirements. In this context, performance means much more than the capacity of an NTP server, and how many requests per second it can handle.

The fundamental metrics of performance for Time are:

  • Security of an NTP server implementation refers to providing adequate control over access, configuration and management of the server itself, authentication and integrity of the communications between NTP servers and clients, and protection from security vulnerabilities.
  • Accuracy (and Precision) of an NTP server implementation refers to delivering “correct” time, with acceptable precision, relative to Universal Coordinated Time (UTC).
  • Reliability of an NTP server implementation is mainly about “holdover” – What happens when your NTP server loses sync with its reference source, eg. GPS/GNSS? A reliable implementation will detect and alarm when issues occur, and “holdover” until problems can be resolved.

The following are some best practices, key considerations and prudent steps to consider, in enhancing the performance of your NTP server implementation.

 

Making Time Secure

If Cyber Security, compliance requirements, or control over your network are concern for you, taking time from some source on the Internet not under your control is simply a bad idea.  Here’s some key steps to make Time Secure on your network:

  • Lock down inbound NTP through your firewall and ISP.  Blocking Outbound NTP reduces risk that your site becomes part of a DDOS attack. Inbound NTP from the Internet is not sufficiently accurate, reliable or secure, and should not take precedence over a “trusted” time source, or NTP servers that you control.
  • An NTP server with multiple, security-isolated Ethernet ports lets you serve up NTP to different “security zones” (eg. your internet-facing “DMZ”) from a single source/device.
  • Identify all instances of ntpd or other “time” services, both inside your network and in your DMZ. Servers, especially virtual servers, simply can’t keep accurate time without continuous synchronization to a trusted source. Configure them as “clients” to your trusted time source(s).
  • Security vulnerabilities, like CVE-2014-9295, can be potential attack vectors into your network.  Whatever happens, make sure you’ve checked for, and patched, common vulnerabilities, for all platforms. This applies equally to any NTP server(s) you deploy. Support and ongoing software maintenance should be part of your NTP server investment.

 

Making Time Accurate and Precise

While other options exist, GPS/GNSS is by far the industry standard, and most authoritative source for Universal Coordinated Time (UTC).  To further protect accuracy and precision, consider these steps:

  • Each NTP Server should have a GPS/GNSS Antenna that can see, and track, the signals from multiple satellites, to provide accurate, precise source of timing.
  • GPS itself has certain vulnerabilities.  An individual satellite can go out of service, for long enough to impact timing. GPS signal strength is very low and subject to interference from other signals, solar flares, and certain types of storms. Intentional jamming of GPS is more and more common.
  • GPS antennas are exposed to severe weather, and need protection from lightning. Plan for monitoring, periodic inspection, spares, and lifecycle maintenance.

 

Making Time Reliable

When (not if) your NTP server “loses” its GPS/GNSS reference, you have a limited time before timing “drifts”. Issues and errors with timing can quickly accumulate, impacting your applications and services.  Here’s some key considerations for enhancing reliability:

  • Extended Holdover options ensure your NTP server will continue to serve up accurate, precise time when problems occur.  An OCXO oscillator upgrade extends holdover for days.  A Rubidum “Atomic Clock” option extends holdover for months, up to a year.
  • Deploying redundant servers, within a given site, or in different sites, protect from individual device failures.  The NTP protocol automatically provides optimal accuracy and precision with 3 or more NTP “peer” servers.
  • Knowing that your NTP server has its timing reference, or “GPS Synch”, is key to reliability, and taking effective corrective action before timing “drifts”. An NTP server should provide flexible monitoring options, like alerts via SNMP, email, or other customizable formats.

For all the key players in Canada’s service provider marketplace, Empowered has been providing leading solutions, expert advice and support for frequency and phase synchronization for more than a decade.  Time Synchronization, for any application or customer leverages the depth and breadth of our skills.

To reconsider your needs for Time Synchronization, or address any of the steps outlined above, we’d love to hear from you, and share how we can help.

Have questions? Want Help, or a Quote?

Contact Empowered

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.