Spectracom - Essential Ingenuity

NetClock 9400 Series

Dirty COW Vulnerability

Spectracom products running Linux are only susceptible if an attacker is able to successfully authenticate with the product and gain shell access.

NTP Vulnerabilities Prior to Version 4.2.8p9

NTP version ntp-4.2.8p9 has been released to address multiple vulnerabilities in ntpd. Spectracom will implement NTP version 4.2.8p9 in its next release cycle.

How do I manually configure a leap second in SecureSync and NetClock 9400

Typically GPS provides these products indications of an upcoming leap second to the timing engine so all generated signals can resolve it correctly. In the case of prolonged GPS outage, or when these products are using a reference signal that is leap-second-unaware, then you can manually add the leap second indicator through the user interface.

SecureSync and NetClock 9400 Compliance Testing for Dec 31 2016 Leap Second

SecureSync and NetClock 9400 synchronization systems have been tested for proper handling of the leap second event at UTC midnight on December 31, 2016. This article summarizes the configurations tested.

Why is there a 1 second time error from my GPS reference

When GPS started broadcasting the leap second notification on July 19, 2016 for activation on Dec 31, some GPS timing receivers erroneously inserted the leap second resulting in a 1 second time error.

How do I determine the offsets between timescales in SecureSync or NetClock 9400

In the web interface, navigate to Time Management from the Management menu and view the Timescale Offset pane.

How do I determine the GPS receiver type in a SecureSync or NetClock 9400

To see the GNSS/GPS Receiver version, navigate to Tools > Update/Backup for the GNSS Receiver Manufacturer/Model/Version info.

NTP Throughput

SecureSync and NetClock 9400 units can process over 7,500 NTP requests per second. This capability is per system based on its main network processor. The model 1204-06 Gb Ethernet Option Module simply splits this bandwidth across its four different network interfaces.

Freeing Up Disk Space Before a Software Update

When performing a software upgrade, a SecureSync or NetClock 9400 requires additional disk space. It is recommended to ensure memory usage is less than 70% before upgrading. If memory usage is more than 70%, save and delete logs and previous update files.

Required Update for SecureSync / NetClock 9400 Running v5.0.2

Spectracom SecureSync and NetClock 9400 units need a certain amount of free space on their compact flash memory. A bug in version 5.0.2 continuously creates log entries during normal operation, which over a long period of time will consume memory and compromise correct operation of the unit.

SNMP MIB files for the NetClock Model 9400 series

SNMP MIB files for the NetClock Models 9483 or 9489 can be downloaded here, extracted out of the NetClock using FTP/SCP or we can email them to you.

Synchronizing Windows Computers

Microsoft Windows PCs (such as Windows XP, 2000, 2003, 2008, 7, etc.) can be configured to sync to a Spectracom NTP time server. Many newer versions of Windows use the built-in "Windows Time Service" (aka W32Time) for external time synchronization. Spectracom's "Synchronizing Windows Computers" Tech Note assists with configuring Windows computers.

NTP Vulnerabilities Prior to Version 4.2.8p4

Thirteen low and medium severity vulnerabilities were identified in NTP versions 4.2.8p3 and earlier. This affects SecureSync and NetClock 9400 products running SW versions 5.3.0 and earlier, and all NetClock 9200/9300 product versions.

NTP access restriction

By factory default configuration, all nodes and subnets on the time server's network(s) have access to NTP. However, it may be desired to restrict NTP access from/to only one or more individual nodes or subnets. The time server supports this capability of limiting access to NTP via its available "NTP Access Restriction" configuration.

Interpreting free memory reported in the "top" command for SecureSync and NetClock 9400

The "top" command can report the free RAM memory for one of the processors in the unit.

"Ref ID" field for NTP references

NTP reports a "Ref ID" for each configured reference that it can sync with. With the System Reference, this will start out as ".GPS", or some other value based on the synchronizing reference, but it may also change to ".PPS." later on in systems with SecureSync/NetClock SW versions 5.2.0 and earlier.

Reading Internal Temperature via SNMP or the web browser

Do the time servers have an SNMP MIB variable to provide temperature? Or is there any other means of obtaining the internal temperature?

How Does a Leap Second Affect My GPS Time Server

Spectracom GPS time servers automatically manage the leap second correction. They follow GPS, NTP, and PTP specifications, so no user interaction is required. We recommend evaluating and testing your NTP clients' ability to correctly manage a leap second event.

"FORBIDDEN" message displayed when attempting to access the Web Browser

After a firmware update, there is a possibility the web UI will not open correctly in a SecureSync or a NetClock 9400.

Using Log Files to Troubleshoot Synchronization

SecureSync and NetClock units have extensive logging capabilities that are very useful when troubleshooting issues with synchronization.

Verifying NTP Queries are Disabled in SecureSync and NetClock 9400

Several NTP vulnerabilities are associated with NTP’s NTPQ or NTPDC functionality. The Spectracom SecureSync and NetClock 9400 default NTPQ/NTPDC to be disabled, which mitigates these types of vulnerabilities. Note that NTPQ and NTPDC being disabled does not affect the operation of NTP synchronizing clients on the network.

NTP Vulnerabilities Prior to Version 4.2.8

On December 18, 2014, several NTP vulnerabilities were published as CVE-2014-9293 through 9296. The vulnerabilities are based on queries from an unknown entity. By default, external queries are turned off in SecureSync and NetClock products, which is appropriate mitigation against these vulnerabilities.

Troubleshooting Holdover

If a SecureSync or NetClock 9400 either loses all of its input references or if the TFOM value ever exceeds the user-configurable MAXTFOM value, it will go into Holdover mode and assert the Holdover alarm (and the associated Minor alarm).

Check the Installed Version of Software for SecureSync or NetClock 9400

Via web browser and versions web page, front panel display or command line interface.

About MaxTFOM

The NTP server has an available field called "MaxTFOM" (Maximum Time Figure Of Merit). This is a user-configurable field that can be used to alert to the TFOM (Time Figure Of Merit) exceeding this value.

Bash Bug Susceptibility

Bash is used in Spectracom's NetClock 9200, 9300, 9400 and SecureSync network appliances, although the risk is minimal. This article describes the patch schedule, analysis of risk, and recommendations for those who are concerned about the vulnerability.

POODLE Vulnerability

How to mitigate the POODLE vulnerability by disabling SSLv3, until Spectracom software fixes for SecureSync and 9400 models eliminate the issue.

Are Spectracom Products Susceptible to the Heartbleed Bug?

The vulnerability in OpenSSL, known as the Heartbleed bug, makes some Spectracom products susceptible. A software patch fixes the bug. Alternatively, network access controls, shutting down the management port, and changing user passwords are mitigating actions.

FIPS-140 compliancy

Per http://en.wikipedia.org/wiki/FIPS_140-2, the Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) is a U.S. Government computer security standard used to accredit cryptographic modules.

How to set a login inactivity or "Idle Timeout" on the SecureSync or NetClock 9400

Setting the Idle Timeout is done only from the Classic Interface of the web UI. There is currently no setting in the new web UI.

Disable Classic Interface browser

Starting in software update version 5.1.4, the "Classic Interface" web browser can be disabled as desired, via the newer web browser.

Outputting position information

Time servers can output position info (consisting of latitude, longitude and altitude) using various methods. These include the ability to display it on the front panel LCD, or outputting it via SNMP, an available CLI command, or an available RS-485/RS-232 ASCII output Option Card installed in the rear panel Option Bays (not available on all Models).

Manually Setting the System Time

SecureSync and NetClock time servers have the ability to sync to several types of external time references (such as GPS and/or IRIG, for example). But they also have the ability to sync to themselves, using the "User" mode. The User mode allows the time server to go to NTP Stratum 1 without the need for external references to be applied.

Version 5.1.2 disabled user-level access to internal services


HTTPS Certificate Request will not accept my Passphrase

Non-alphanumeric characters are not accepted in the Certificate Request in the new SecureSync or 9400 web browser firmware version 5.1.4.

Password expires today

While logging into the web browser using LDAP or Radius, "Password expires today" is displayed.

How to Replace the Battery in a SecureSync or NetClock 9400

The SecureSync time and frequency synchronization system and NetClock 9400 time server/master clock contain a lithium battery for the purpose of providing power to the real time clock on the processor board. This keeps the time and date for the system BIOS when the SecureSync is powered down. When replacing the battery, the BIOS clock power will be temporarily interrupted and the BIOS clock will stop counting. This is not a problem if the interruption in battery power is for a short time period. The battery life is rated for at least five years of continuous power down condition. It will not drain if the unit is powered up.

SecureSync/9400 3D CAD Drawing

A .stp 3D CAD file and .pdf are available for the SecureSync.

Local Time display in browser

Starting in Archive software version 5.1.2, Local Time can also be displayed in the upper-left corner of the web browser, in addition to UTC time.

Compliance of Spectracom Time Servers with RFC 2783 - Operating System Time Disciplining by 1PPS

List NTP Clients Receiving Time from SecureSync/NetClock 9400 Using Monlist

The ntpdc monlist command can be run from the command line interface to identify the NTP clients.

NTP's "Local (0)" Clock reference

In Archive software versions prior to version 5.0.0, a "Local (0)" clock reference may be listed in the Status -> NTP page of the browser. In software versions 5.0.0 and above, this "Local (0)" clock reference is only momentarily listed, when the time server is exiting Sync state (going out of sync). Then it's removed again.

"No Licenses" displayed on the front panel LCD

Unless the time server is purchased with GLONASS or other satellite tracking capability enabled, or unless a License file has been installed in the time server, the Home -> System -> Lic menu on the front panel LCD window will display "No Licenses".

Reporting the time offset between a Windows PC and NTP server

Windows w32tm has a utility called "stripchart" which can provide periodic (such as every two seconds by default) time differences between a Windows PC and an NTP server on the network. This can either be the same NTP server that it normally syncs with, or any other NTP server on the network.

List of NTP clients getting time from the NTP server

Starting in Archive software version 5.1.0, the web browser can display a list of up to about 600 NTP clients on the network that have obtained time from the NTP server.

Factory Default Login Credentials

Default username and password for SecureSync and NetClock 9400.

Front panel and Web User Interface show the IP address as "0.0.0.0"

In Archive Software Versions 5.0.0 through 5.1.0, the IP address will be displayed as "0.0.0.0" on the front panel and in the Web UI, if the corresponding Ethernet port (Eth0, and/or Eth1/Eth2/Eth3 – if installed) is not connected to a network hub, switch or a stand-alone PC. This indicates this Ethernet interface is currently "down" because it's not detecting a connection to another network device (hub/switch or computer). Note: Archive software version 5.1.2 improves this indication by now also displaying the word "Unplugged" on the front panel and showing "Cable Unplugged" in the web browser.

TimeView Display Clock is Not Showing All Segments

If a TimeView display clock has recently been connected to a Spectracom NetClock, and some of the segments aren't lit (such as hours and minutes are displayed but the seconds portion is dark, OR the seconds portion is displayed but the hours and minutes section is dark), the NetClock's Remote output is likely configured to output more than one Data Format.

Why does "NTP" indicate "Not Valid" in the NTP Reference Status table

The Reference Status table (Status -> Time and Frequency page of the browser) reports the validity of the input references (not outputs). NTP output status is indicated at the top of the Status -> NTP page of the browser.

Reported CPU usage

In SecureSync and NetClock 9400, the microprocessor for the Operating System can report its percentage of usage. This processor is for the OS, the web browser and daemons that are running. This is not the same processor that is used for the rest of the core functionality of the NTP server.

Redundant NTP Servers for Automatic Failover

Most newer Models of NTP time servers can be NTP peered together for continued NTP operation upon loss of GPS reception. NTP clients can often be configured to get time from more than one NTP server for automatic fail-over capability (this is dependent upon the NTP client software running on the clients).

How to Display GPS Information on the Front Panel

If desired, the NTP server can display information about the GPS receiver on the front panel LCD. The information it can display includes the number of satellites being tracked, their relative signal strengths and

Default BIOS date/time are displayed after each power-up


Using Automachron to Test a Spectracom NTP Server

Automachron (freeware) is a great utility for testing the NTP output of a Spectracom NTP time server.

Reset the spadmin account password

The spadmin account password, if not known, can be reset back to the factory default value using the time server's front panel LCD/keypad. The factory default password is "admin123" (case-sensitive). This is available in SecureSync and NetClock 9400 products only.

Certificate of volatility for the NetClock Models 9483 and 9489

Certificate of volatility/memory sanitization for NetClock Model 9400 series NTP servers

Web browser is displaying "failed to insert the session"

Configuration back-ups performed with Archive version 4.8.x software installed are not compatible with the configurations in Archive versions 5.0.0 and higher. A "clean" needs to be performed to restore operation.

How to view the NetClock's logs (log entries) with the CLI interface

The NetClock's logs can be viewed via a Telnet/SSH connection, in addition to viewing them in the web browser.

Software upgrade for SecureSync or NetClock 9400

Update using the web browser interface.
