NetClock 9400 Series
Spectracom products running Linux are only susceptible if an attacker is able to successfully authenticate with the product and gain shell access.
NTP version ntp-4.2.8p9 has been released to address multiple vulnerabilities in ntpd. Spectracom will implement NTP version 4.2.8p9 in its next release cycle.
Typically GPS provides these products indications of an upcoming leap second to the timing engine so all generated signals can resolve it correctly. In the case of prolonged GPS outage, or when these products are using a reference signal that is leap-second-unaware, then you can manually add the leap second indicator through the user interface.
SecureSync and NetClock 9400 synchronization systems have been tested for proper handling of the leap second event at UTC midnight on December 31, 2016. This article summarizes the configurations tested.
When GPS started broadcasting the leap second notification on July 19, 2016 for activation on Dec 31, some GPS timing receivers erroneously inserted the leap second resulting in a 1 second time error.
In the web interface, navigate to Time Management from the Management menu and view the Timescale Offset pane.
To see the GNSS/GPS Receiver version, navigate to Tools > Update/Backup for the GNSS Receiver Manufacturer/Model/Version info.
SecureSync and NetClock 9400 units can process over 7,500 NTP requests per second. This capability is per system based on its main network processor. The model 1204-06 Gb Ethernet Option Module simply splits this bandwidth across its four different network interfaces.
When performing a software upgrade, a SecureSync or NetClock 9400 requires additional disk space. It is recommended to ensure memory usage is less than 70% before upgrading. If memory usage is more than 70%, save and delete logs and previous update files.
Spectracom SecureSync and NetClock 9400 units need a certain amount of free space on their compact flash memory. A bug in version 5.0.2 continuously creates log entries during normal operation, which over a long period of time will consume memory and compromise correct operation of the unit.
SNMP MIB files for the NetClock Models 9483 or 9489 can be downloaded here, extracted out of the NetClock using FTP/SCP or we can email them to you.
Microsoft Windows PCs (such as Windows XP, 2000, 2003, 2008, 7, etc.) can be configured to sync to a Spectracom NTP time server. Many newer versions of Windows use the built-in "Windows Time Service" (aka W32Time) for external time synchronization. Spectracom's "Synchronizing Windows Computers" Tech Note assists with configuring Windows computers.
Thirteen low and medium severity vulnerabilities were identified in NTP versions 4.2.8p3 and earlier. This affects SecureSync and NetClock 9400 products running SW versions 5.3.0 and earlier, and all NetClock 9200/9300 product versions.
By factory default configuration, all nodes and subnets on the time server's network(s) have access to NTP. However, it may be desired to restrict NTP access from/to only one or more individual nodes or subnets. The time server supports limiting access to NTP via its "NTP Access Restriction" configuration.
The "top" command can report the free RAM memory for one of the processors in the unit.
NTP reports a "Ref ID" for each configured reference that it can sync with. With the System Reference, this will start out as ".GPS", or some other value based on the synchronizing reference, but it may also change to ".PPS." later on in systems with SecureSync/NetClock SW versions 5.2.0 and earlier.
Do the time servers have an SNMP MIB variable to provide temperature? Or is there any other means of obtaining the internal temperature?
Spectracom GPS time servers automatically manage the leap second correction. They follow GPS, NTP, and PTP specifications so no user interaction is required. We recommend evaluating and testing your NTP clients' ability to correctly manage a leap second event.
After a firmware update, there is a possibility the web UI will not open correctly in a SecureSync or a NetClock 9400.
SecureSync and NetClock units have extensive logging capabilities that are very useful when troubleshooting issues with synchronization.
Several NTP vulnerabilities are associated with NTP’s NTPQ or NTPDC functionality. The Spectracom SecureSync and NetClock 9400 disable NTPQ/NTPDC by default, which mitigates these types of vulnerabilities. Note that NTPQ and NTPDC being disabled does not affect the operation of NTP synchronizing clients on the network.
On December 18, 2014, several NTP vulnerabilities were published as CVE-2014-9293 through 9296. The vulnerabilities are based on queries from an unknown entity. By default, external queries are turned off in SecureSync and NetClock products, which is an appropriate mitigation against these vulnerabilities.
If a SecureSync or NetClock 9400 either loses all of its input references or if the TFOM value ever exceeds the user-configurable MAXTFOM value, it will go into Holdover mode and assert the Holdover alarm (and the associated Minor alarm).
via web browser and versions web page, front panel display or command line interface
The NTP server has an available field called "MaxTFOM" (Maximum Time Figure Of Merit). This is a user-configurable field that can be used to alert to the TFOM (Time Figure Of Merit) exceeding this value.
Bash is used in Spectracom's NetClock 9200, 9300, 9400 and SecureSync network appliances, although the risk is minimal. This article describes the patch schedule, analysis of risk, and recommendations for those who are concerned about the vulnerability.
How to mitigate the POODLE vulnerability by disabling SSLv3, before Spectracom software fixes for SecureSync and 9400 models will eliminate the issue.
The vulnerability in OpenSSL, known as the Heartbleed bug, makes some Spectracom products susceptible. A software patch fixes the bug. Alternatively, network access controls, shutting down the management port, and changing user passwords are mitigating actions.
Per http://en.wikipedia.org/wiki/FIPS_140-2, the Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) is a U.S. Government computer security standard used to accredit cryptographic modules.
Setting the Idle Timeout is done only from the Classic Interface of the web UI. There is currently no setting in the new web UI.
Starting in software update version 5.1.4, the "Classic Interface" web browser can be disabled as desired, via the newer web browser.
Time servers can output position info (consisting of latitude, longitude and altitude) using various methods. These include the ability to display it on the front panel LCD, or outputting it via SNMP, an available CLI command, or an available RS-485/RS-232 ASCII output Option Card installed in the rear panel Option Bays (not available on all Models).
SecureSync and NetClock time servers have the ability to sync to several types of external time references (such as GPS and/or IRIG, for example). But they also have the ability to sync to themselves, using the "User" mode. The User mode allows the time server to go to NTP Stratum 1 without the need for external references to be applied.
Version 5.1.2 disabled user-level access to internal services
Non-alphanumeric characters are not accepted in the Certificate Request in the new SecureSync or 9400 web browser firmware versions 5.1.4.
While logging into the web browser using LDAP or Radius, "Password expires today" is displayed.
The SecureSync time and frequency synchronization system and the NetClock 9400 time server/master clock contain a lithium battery for the purpose of providing power to the real time clock on the processor board. This keeps the time and date for the system BIOS when the SecureSync is powered down. When replacing the battery, the BIOS clock power will be temporarily interrupted and the BIOS clock will stop counting. This is not a problem if the interruption in battery power is for a short time period. The battery life is rated for at least five years of continuous power down condition. It will not drain if the unit is powered up.
A .stp CD CAD file and .pdf is available for the SecureSync
Starting in Archive software version 5.1.2, Local Time can also be displayed in the upper-left corner of the web browser, in addition to UTC time.
ntpdc monlist command can be run from the command line interface to ID the NTP Clients
NTP's "Local (0)" Clock reference listed in the Status -> NTP page of the browser. In Archive software versions prior to version 5.0.0, a "Local (0)" clock reference may be listed in the Status -> NTP page of the browser. In software versions 5.0.0 and above, this "Local (0)" clock reference is only momentarily listed, when the time server is exiting Sync state (going out of sync). Then it's removed again.
Unless the time server is purchased with Glonass or other satellite tracking capability enabled, or unless a License file has been installed in the time server, the Home -> System -> Lic menu on the front panel LCD window will display "No Licenses".
Windows w32tm has a utility called "stripchart" which can provide periodic (such as every two seconds by default) time differences between a Windows PC and an NTP server on the network. This can either be the same NTP server that it normally syncs with, or any other NTP server on the network.
Starting in Archive software version 5.1.0, the web browser can display a list of up to about 600 NTP clients on the network that have obtained time from the NTP server.
Default username and password for SecureSync and NetClock 9400.
In Archive Software Versions 5.0.0 through 5.1.0, the IP address will be displayed as "0.0.0.0" on the front panel and in the Web UI, if the corresponding Ethernet port (Eth0, and/or Eth1/Eth2/Eth3 – if installed) is not connected to a network hub, switch or a stand-alone PC. This indicates this Ethernet interface is currently "down" because it's not detecting a connection to another network device (hub/switch or computer). Note: Archive software version 5.1.2 improves this indication by now also displaying the word "Unplugged" on the front panel and showing "Cable Unplugged" in the web browser.
If a TimeView display clock has recently been connected to a Spectracom NetClock, and some of the segments aren't lit (such as hours and minutes are displayed but the seconds portion is dark, OR the seconds portion is displayed but the hours and minutes section is dark), the NetClock's Remote output is likely configured to output more than one Data Format.
The Reference Status table (Status -> Time and Frequency page of the browser) reports the validity of the input references (not outputs). NTP output status is indicated at the top of the Status -> NTP page of the browser.
In SecureSync and NetClock 9400, the microprocessor for the Operating System can report its percentage of usage. This processor is for the OS, the web browser and daemons that are running. This is not the same processor that is used for the rest of the core functionality of the NTP server.
Most newer Models of NTP time servers can be NTP peered together for continued NTP operation upon loss of GPS reception. NTP clients can often be configured to get time from more than one NTP server for automatic fail-over capability (this is dependent upon the NTP client software running on the clients).
If desired, the NTP server can display information about the GPS receiver on the front panel LCD. The information it can display includes the number of satellites being tracked, their relative signal strengths and
Default BIOS date/time are displayed after each power-up
Automachron (freeware) is a great utility for testing the NTP output of a Spectracom NTP time server.
The spadmin account password, if not known, can be reset back to the factory default value using the time server's front panel LCD/keypad. The factory default password is "admin123" (case-sensitive). This is available in SecureSync and NetClock 9400 products only.
Certificate of volatility/memory sanitization for NetClock Model 9400 series NTP servers
Configuration back-ups performed with Archive version 4.8.x software installed are not compatible with the configurations in Archive versions 5.0.0 and higher. A "clean" needs to be performed to restore operation.
The NetClock's logs can be viewed via a telnet/ssh connection, in addition to viewing them in the web browser.
Update using the web browser interface