Spectracom - Essential Ingenuity

NTP access restriction

Tutorial Steps

If desired, NTP access within the time server can be restricted to only certain individual nodes or subnets. This capability is known as "NTP Access Restriction". By factory default, all nodes on the network can request NTP time. But as soon as one or more individual nodes or subnets are configured as having access to NTP in the SecureSync or NetClock 9400, all other nodes or subnets are inherently blocked from obtaining NTP time stamps from the unit. Note that the opposite configuration can also be performed, where one or more individual nodes/subnets are denied access to NTP, thereby allowing all others to access it.

NTP Restriction is configured on the Management -> NTP Setup page of the newer black/charcoal web interface (available in software versions 5.1.2 and above). On the left side of this page, click "Access Restrictions". This opens a pop-up window as shown below:
 
NTP Access Restrictions

These default entries can be changed or replaced to configure the required access restrictions. When modifying or adding entries in the pop-up window, set the "Restriction Type" field to either "Allow" (to configure which nodes/subnets to allow, blocking all others) or "Deny" (to configure which nodes/subnets to deny, allowing all others). Select either IPv4 or IPv6 and then enter the network parameters for each network node or subnet you wish to allow or deny access to NTP. If entering a single node, set the IP Mask to 255.255.255.255 for IPv4 or FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF for IPv6. When using NTP with authentication, select "Require Authentication". To allow NTP queries (NTPQ and NTPDC) to be performed from outside the SecureSync, select "Allow NTP queries". Then press Submit.

Warning about allowing NTP queries: please note that external NTP queries have been a source of vulnerabilities in NTP, and enabling them is not recommended unless you fully understand the nature of the vulnerability and have evaluated which hosts can reach the unit and could exploit it. Consult your network security managers if necessary.

The example screenshot below shows NTP configured to allow access to only one individual IP address (thereby blocking access for all other nodes on the network(s) connected to the time server):
 
NTP Access Restriction Example
 
Repeat this configuration for each individual node or subnet you wish to either allow or deny access to NTP.
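To make the Allow/Deny semantics described above concrete, here is an added Python example (illustrative code, not Spectracom's implementation) that evaluates a client address against a restriction list using the same full-mask entries the pop-up asks for. The sample addresses are constructed placeholders, and the rule that a matching Deny entry wins when both kinds are present is an assumption, since the tutorial does not describe mixed lists.

```python
"""Added example (not Spectracom code): a model of the Allow/Deny NTP access
restriction rules described in this tutorial, with the mask handling it requires."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Restriction:
    """One row of the Access Restrictions pop-up."""
    kind: str     # "Allow" or "Deny" (the "Restriction Type" field)
    address: str  # node or subnet address, IPv4 or IPv6
    mask: str     # full mask as typed in the UI, e.g. 255.255.255.255 for one node


def mask_to_prefixlen(mask: str) -> int:
    """Convert a dotted (IPv4) or colon-hex (IPv6) mask into a prefix length,
    rejecting non-contiguous masks that would silently match unintended hosts."""
    m = ipaddress.ip_address(mask)
    host_bits = int(m) ^ ((1 << m.max_prefixlen) - 1)  # the mask's zero bits
    if host_bits & (host_bits + 1):  # contiguous host bits look like 2**k - 1
        raise ValueError(f"non-contiguous mask: {mask}")
    return m.max_prefixlen - host_bits.bit_length()


def to_network(r: Restriction):
    """Turn an address/mask row into a network object (host bits are ignored)."""
    return ipaddress.ip_network((r.address, mask_to_prefixlen(r.mask)), strict=False)


def ntp_access_allowed(client: str, restrictions) -> bool:
    """Decide whether `client` may request NTP time under the configured list.
    Tutorial semantics: any Allow entry blocks every non-listed node; Deny entries
    block only the listed nodes; an empty list is the factory default (all allowed).
    Assumption (the page does not cover mixed lists): a matching Deny entry wins."""
    ip = ipaddress.ip_address(client)
    nets = [(r.kind, to_network(r)) for r in restrictions]
    if any(kind == "Deny" and ip in net for kind, net in nets):
        return False
    allow_nets = [net for kind, net in nets if kind == "Allow"]
    return any(ip in net for net in allow_nets) if allow_nets else True


# Constructed sample lists; the addresses are placeholders, not from the page.
ALLOW_ONE_NODE = [Restriction("Allow", "10.0.0.25", "255.255.255.255")]
DENY_ONE_SUBNET = [Restriction("Deny", "192.168.50.0", "255.255.255.0")]
ALLOW_V6_NODE = [Restriction("Allow", "2001:db8::1",
                             "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF")]

if __name__ == "__main__":
    for client in ("10.0.0.25", "10.0.0.26", "192.168.50.7"):
        verdict = "allowed" if ntp_access_allowed(client, ALLOW_ONE_NODE) else "blocked"
        print(f"{client}: {verdict}")
```

Running the script with the single-node Allow list reproduces the screenshot scenario: only the listed address is served and every other node is blocked.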
