Spectracom - Essential Ingenuity

Verifying NTP Queries are Disabled in SecureSync and NetClock 9400

Question

How do I verify NTP Queries are disabled in SecureSync and NetClock 9400?

Answer

Several Common Vulnerabilities and Exposures (CVE) entries have documented problems with external control and querying of an NTP server. One example is “Monlist”, a feature that is part of NTP’s NTPDC functionality. Spectracom's SecureSync and NetClock 9400 allow NTPDC/NTPQ to be disabled (both are disabled by factory default) so as to mitigate these potential vulnerabilities. Note that disabling NTPQ and NTPDC does not affect the operation of NTP clients synchronizing on the network.

If you have the newer web browser interface (software versions 5.1.2 and above): Verify both NTPQ and NTPDC are disabled by navigating to the page: Management -> NTP Setup. On the left side of this page, click the "Access Restrictions" button. Verify that the "Enable Query" column in the "NTP Access Restrictions" pop-up menu is null for both IPv4 and IPv6 (as shown below).

[Screenshot: NTP_AccessRestrict]

Note: "NTP queries" (NTPQ and NTPDC) are disabled by factory default. But if "NTP queries" have been enabled by a user for IPv4 and/or IPv6, these fields will instead contain the number "1" (as shown below):

[Screenshot: NTP_AccessRestrict_2]

If you have the classic web browser interface (software versions 5.0.2 and below): Verify both NTPQ and NTPDC are disabled by navigating to the page: Network -> NTP Setup. Under the tab NTP Access, verify that the “Allow queries from NTPDC or NTPQ over IPV4” and the “Allow queries from NTPDC or NTPQ over IPV6” checkboxes are not selected (as shown below).

[Screenshot: Monlist for SecureSync]
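The same check can be made from the network side. The following is an added example, not Spectracom's code: it sends one ordinary client time request and one NTPQ-style control query (NTP mode 6, READVAR) to a unit you administer and reports whether time is still served while the query goes unanswered. It assumes the unit silently ignores disabled queries; NTPDC (mode 7) is not probed, and the function names are hypothetical.

```python
import socket
import struct
import sys

def build_client_request() -> bytes:
    """48-byte NTPv4 client (mode 3) request, like a synchronizing client sends."""
    return bytes([(4 << 3) | 3]) + bytes(47)

def build_readvar_query(seq: int = 1) -> bytes:
    """12-byte NTP control (mode 6) READVAR request, the kind of query ntpq issues."""
    first = (2 << 3) | 6   # version 2, mode 6
    opcode = 2             # READVAR
    # remaining fields: sequence, status, association id, offset, count
    return struct.pack("!BBHHHHH", first, opcode, seq, 0, 0, 0, 0)

def probe(host, payload, port=123, timeout=3.0, family=socket.AF_UNSPEC):
    """Send one datagram and return the reply, or None if nothing comes back."""
    fam, _, _, _, addr = socket.getaddrinfo(host, port, family, socket.SOCK_DGRAM)[0]
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect(addr)    # only accept replies from the probed address
        s.send(payload)
        try:
            return s.recv(1024)
        except (socket.timeout, ConnectionError):
            return None

def assess(time_reply, query_reply) -> str:
    """Turn the two raw replies into a verdict."""
    served = (time_reply is not None and len(time_reply) >= 48
              and (time_reply[0] & 7) == 4)            # mode 4 = server reply
    answered = (query_reply is not None and len(query_reply) >= 12
                and (query_reply[0] & 7) == 6          # mode 6 = control message
                and (query_reply[1] & 0x80) != 0)      # response bit set
    if answered:
        return "queries enabled"
    # Silence on mode 6 only proves something if the unit is reachable at all.
    return "queries disabled" if served else "inconclusive"

def check_host(host, **kw) -> str:
    """Probe time service and the mode 6 query path of one address."""
    return assess(probe(host, build_client_request(), **kw),
                  probe(host, build_readvar_query(), **kw))

if __name__ == "__main__":
    for h in sys.argv[1:]:   # the unit's own IPv4 and IPv6 addresses
        print(h, check_host(h))
```

Run it once against the unit's IPv4 address and once against its IPv6 address, since the two are configured separately; an "inconclusive" result means neither probe was answered, so the address or an intervening firewall should be checked first.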
