Spectracom products running LINUX are only susceptible if an attacker is able to successfully authenticate with the product and gain shell access.
NTP version ntp-4.2.8p9 has been released to address multiple vulnerabilities in ntpd. Spectracom will implement NTP version 4.2.8p9 in its next release cycle.
Typically GPS provides these products indications of an upcoming leap second to the timing engine so all generated signals can resolve it correctly. In the case of prolonged GPS outage, or when these products are using a reference signal that is leap-second-unaware, then you can manually add the leap second indicator through the user interface.
SecureSync and NetClock 9400 synchronization systems have been tested for proper handling of the leap second event at UTC midnight on December 31, 2016. This article summarizes the configurations tested.
The 1204-11 and 1204-25 STANAG boards are configurable but are set to HQ 4246 by default. This article describes how to configure the STANAG 4430 port for the SGDH application on a SecureSync 1204-11 or 1204-25 board.
When GPS started broadcasting the leap second notification on July 19, 2016 for activation on Dec 31, some GPS timing receivers erroneously inserted the leap second resulting in a 1 second time error.
In the web interface, navigate to Time Management from the Management menu and view the Timescale Offset pane.
To see the GNSS/GPS Receiver version, navigate to Tools > Update/Backup for the GNSS Receiver Manufacturer/Model/Version info.
SecureSync and NetClock 9400 units can process over 7,500 NTP requests per second. This capability is per system based on its main network processor. The model 1204-06 Gb Ethernet Option Module simply splits this bandwidth across its four different network interfaces.
The SecureSync LCD may not display information on the LCD screen at startup in cold temperatures.
How is the SecureSync grounded?
When performing a software upgrade, a SecureSync or NetClock 9400 requires additional disk space. It is recommended to ensure memory usage is less than 70% before upgrading. If memory usage is more than 70%, save and delete logs and previous update files.
Spectracom SecureSync and NetClock 9400 units need a certain amount of free space on their compact flash memory. A bug in version 5.0.2 continuously creates log entries during normal operation, which over a long period of time will consume memory and compromise correct operation of the unit.
The SecureSync's SNMP MIB files can be downloaded here, extracted out of the SecureSync using FTP/SCP or we can email them to you.
Microsoft Windows PCs (such as Windows XP, 2000, 2003, 2008, 7, etc.) can be configured to sync to a Spectracom NTP time server. Many newer versions of Windows use the built-in "Windows Time Service" (aka W32Time) for external time synchronization. Spectracom's "Synchronizing Windows Computers" Tech Note assists with configuring Windows computers.
Thirteen low and medium severity vulnerabilities were identified in NTP versions 4.2.8p3 and earlier. This affects SecureSync and NetClock 9400 products running SW versions 5.3.0 and earlier, and all NetClock 9200/9300 product versions.
By factory default configuration, all nodes and subnets on the time server's network(s) have access to NTP. However, it may be desired to restrict NTP access from/to only one or more individual nodes or subnets. The time server supports this capability of limiting access to NTP via its available "NTP Access Restriction" configuration.
The "top" command can report the free RAM memory for one of the processors in the unit.
NTP reports a "Ref ID" for each configured reference that it can sync with. With the System Reference, this will start out as ".GPS", or some other value based on the synchronizing reference, but it may also change to ".PPS." later on in systems with SecureSync/NetClock SW versions 5.2.0 and earlier.
Do the time servers have an SNMP MIB variable to provide temperature? Or is there any other means of obtaining the internal temperature?
IRIG outputs from SecureSync are very accurate in digital form (DCLS, Fiber), but can vary based on format in analog form (AM).
Spectracom GPS time servers automatically manage the leap second correction. They follow GPS, NTP, and PTP specifications so no user interaction is required. We recommend evaluating and testing your NTP clients' ability to correctly manage a leap second event.
After a firmware update, there is a possibility the web UI will not open correctly in a SecureSync or a NetClock 9400.
SecureSync and NetClock units have extensive logging capabilities that are very useful when troubleshooting issues with synchronization.
Skylight SecureSyncs with software version 4.7L installed cannot be software updated to versions newer than 4.7L without a factory hardware modification being performed on the SecureSync unit. For a small fee, the GPS receiver installed in the Skylight SecureSync can be replaced and a license key installed, thus allowing the SecureSync to be upgraded to software versions newer than 4.7L.
Several NTP vulnerabilities are associated with NTP’s NTPQ or NTPDC functionality. The Spectracom SecureSync and NetClock 9400 have NTPQ/NTPDC disabled by default, which mitigates these types of vulnerabilities. Note that NTPQ and NTPDC being disabled does not affect the operation of NTP synchronizing clients on the network.
On December 18, 2014, several NTP vulnerabilities were published as CVE-2014-9293 thru 9296. The vulnerabilities are based on queries from an unknown entity. By default, external queries are turned off in SecureSync and NetClock products, which is appropriate mitigation against these vulnerabilities.
The SecureSync or NetClock 9400 needs to be synced to either itself or to an external reference such as GPS in order for it to be a useable time server among other master clock functions. When it's synced to a reference such as GPS, the Sync LED is green. But if it had been synced to GPS, and reception is lost (with no other input references available), the SecureSync will go into Holdover mode (as indicated by the Sync LED changing to amber).
If a SecureSync or NetClock 9400 either loses all of its input references or if the TFOM value ever exceeds the user-configurable MAXTFOM value, it will go into Holdover mode and assert the Holdover alarm (and the associated Minor alarm).
via web browser and versions web page, front panel display or command line interface
The NTP server has an available field called "MaxTFOM" (Maximum Time Figure Of Merit). This is a user-configurable field that can be used to alert to the TFOM (Time Figure Of Merit) exceeding this value.
Bash is used in Spectracom's NetClock 9200, 9300, 9400 and SecureSync network appliances, although the risk is minimal. This article describes the patch schedule, analysis of risk, and recommendations for those who are concerned about the vulnerability.
Except during power-up, there are always 10 million cycles of 10MHz between each 1PPS output.
How to mitigate the POODLE vulnerability by disabling SSLv3, before Spectracom software fixes for SecureSync and 9400 models will eliminate the issue.
The vulnerability in OpenSSL, known as the Heartbleed bug, makes some Spectracom products susceptible. A software patch fixes the bug. Alternatively, network access controls, shutting down the management port, and changing user passwords are mitigating actions.
Per http://en.wikipedia.org/wiki/FIPS_140-2, the Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) is a U.S. Government computer security standard used to accredit cryptographic modules.
Setting the Idle Timeout is done only from the Classic Interface of the web UI. There is currently no setting in the new web UI.
Starting in software update version 5.1.4, the "Classic Interface" web browser can be disabled as desired, via the newer web browser.
Time servers can output position info (consisting of latitude, longitude and altitude) using various methods. These include the ability to display it on the front panel LCD, or outputting it via SNMP, an available CLI command, or an available RS-485/RS-232 ASCII output Option Card installed in the rear panel Option Bays (not available on all Models).
SecureSync and NetClock time servers have the ability to sync to several types of external time references (such as GPS and/or IRIG, for example). But they also have the ability to sync to themselves, using the "User" mode. The User mode allows the time server to go to NTP Stratum 1 without the need for external references to be applied.
Version 5.1.2 disabled user-level access to internal services
Non-alphanumeric characters are not accepted in the Certificate Request in the new SecureSync or 9400 web browser firmware versions 5.1.4.
While logging into the web browser using LDAP or Radius, "Password expires today" is displayed.
This article helps identify the names of the 3 connectors available on the 1204-01 FREQ/1PPS Module of the SecureSync.
The SecureSync time and frequency synchronization system and the NetClock 9400 time server/master clock each contain a Lithium Battery for the purpose of providing power to the real time clock on the processor board. This keeps the time and date for the system BIOS when the SecureSync is powered down. When replacing the battery, the BIOS clock power will be temporarily interrupted and the BIOS clock will stop counting. This is not a problem if the interruption in battery power is for a short time period. The battery life is rated for at least five years of continuous power down condition. It will not drain if the unit is powered up.
A .stp CD CAD file and .pdf is available for the SecureSync
The Model 1204-0F Option card provides three available dry contact closure relays that can be activated upon a Minor or Major alarm being asserted.
Starting in Archive software version 5.1.2, Local Time can also be displayed in the upper-left corner of the web browser, in addition to UTC time.
ntpdc monlist command can be run from the command line interface to ID the NTP Clients
NTP's "Local (0)" Clock reference listed in the Status -> NTP page of the browser: In Archive software versions prior to version 5.0.0, a "Local (0)" clock reference may be listed in the Status -> NTP page of the browser. In software versions 5.0.0 and above, this "Local (0)" clock reference is only momentarily listed, when the time server is exiting Sync state (going out of sync). Then it is removed again.
Unless the time server is purchased with Glonass or other satellite tracking capability enabled, or unless a License file has been installed in the time server, the Home -> System -> Lic menu on the front panel LCD window will display "No Licenses".
Windows w32tm has a utility called "stripchart" which can provide periodic (such as every two seconds by default) time differences between a Windows PC and an NTP server on the network. This can either be the same NTP server that it normally syncs with, or any other NTP server on the network.
Starting in Archive software version 5.1.0, the web browser can display a list of up to about 600 NTP clients on the network that have obtained time from the NTP server.
Default username and password for SecureSync and NetClock 9400.
In Archive Software Versions 5.0.0 through 5.1.0, the IP address will be displayed as "0.0.0.0" on the front panel and in the Web UI, if the corresponding Ethernet port (Eth0, and/or Eth1/Eth2/Eth3 – if installed) is not connected to a network hub, switch or a stand-alone PC. This indicates this Ethernet interface is currently "down" because it's not detecting a connection to another network device (hub/switch or computer). Note: Archive software version 5.1.2 improves this indication by now also displaying the word "Unplugged" on the front panel and showing "Cable Unplugged" in the web browser.
The Reference Status table (Status -> Time and Frequency page of the browser) reports the validity of the input references (not outputs). NTP output status is indicated at the top of the Status -> NTP page of the browser.
In SecureSync and NetClock 9400, the microprocessor for the Operating System can report its percentage of usage. This processor is for the OS, the web browser and daemons that are running. This is not the same processor that is used for the rest of the core functionality of the NTP server.
Most newer Models of NTP time servers can be NTP peered together for continued NTP operation upon loss of GPS reception. NTP clients can often be configured to get time from more than one NTP server for automatic fail-over capability (this is dependent upon the NTP client software running on the clients).
Certain Simulcast Radio systems like the Motorola MLC-8000/GTR Radio System may require a 5 MHz square wave / 1PPS composite signal for synchronization. This can be produced by using the 1204-17 Square wave output option card in a SecureSync. Using the following configuration, the resulting signal will consist of a 5 MHz TTL with 50nS pulse width including a 150nS pulse on the 1PPS interval as a marker.
If desired, the NTP server can display information about the GPS receiver on the front panel LCD. The information it can display includes the number of satellites being tracked, their relative signal strengths and
SecureSync's shock and vibe certifications used testing methods according to MIL-STD-810F.
What is the SecureSync AC power draw?
Skylight SecureSyncs are designed for use with an internal GPS antenna. Skylights with Archive software version 4.7L installed (as reported in the Tools -> Versions page of the browser) have additional, unique configurations to help them better operate with a GPS antenna installed indoors. These configurations are for A-GPS (Assisted GPS) functionality.
Default BIOS date/time are displayed after each power-up
Automachron (freeware) is a great utility for testing the NTP output of a Spectracom NTP time server.
The spadmin account password, if not known, can be reset back to the factory default value using the time server's front panel LCD/keypad. The factory default password is "admin123" (case-sensitive). This is available in SecureSync and NetClock 9400 products only.
Configuration back-ups performed with Archive version 4.8.x software installed are not compatible with the configurations in Archive versions 5.0.0 and higher. A "clean" needs to be performed to restore operation.
The SecureSync's logs can be viewed via a telnet/ssh connection, in addition to viewing them in the web browser.
What is the humidity rating for the SecureSync?
What are the specifications for the redundant AC Input?
Is the SecureSync DC input available with a locking connector?
What is the AC input current draw?
What are the altitude limitations for the internal power supply (AC and DC)?
Does SecureSync comply with MIL STD 461F for submarine or STANAG 4370?
Where is the center of gravity in the SecureSync?
Is there any automatic regulation (for example against temperature variations) of the lighting of the front panel?
What type of coating covers the SecureSync chassis?
Does Spectracom recommend rack-mount slides that can be used with SecureSync?
What hardware is supplied with SecureSync rack ears?
Is there an optional rear support mounting bracket available for the SecureSync?
Does Spectracom offer a rack mount slide?
Update using the web browser interface