Network security problems involve many aspects. For example, knowing exactly when a security problem occurred is of great significance when analyzing and solving it. This document describes how to synchronize the time of network devices from the perspective of security logs.
Network Time Protocol
The Network Time Protocol (NTP) is a time synchronization protocol that provides services for computer clocks over the Internet. It provides mechanisms to synchronize time and coordinate time distribution across a large and complex Internet, even over very fast links.
It is vital for enterprises to take measures to ensure time synchronization across their networks and devices. Therefore, many enterprises use the Network Time Protocol. This protocol is designed to keep the clocks of the computers on a network synchronized and has been in use for a long time.
However, if security devices in the network are involved, such synchronization is of even greater significance. It is important that the logs generated by these security devices reflect the correct time. When the user's network is processing massive amounts of data, incorrect or mismatched timestamps make it impossible to correlate log files that come from different sources.
If the log files cannot be reconciled with one another, your security tools become meaningless. An unsynchronized network means spending a lot of time tracking security events manually. Next, we discuss how to keep the network synchronized and ensure that security logs show the correct time.
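As an added illustration of the correlation problem described above (not part of the original article), the following Python example joins a firewall log and an IDS log by source address within a 5-second window. The log lines, addresses, device roles, and the 95-second IDS clock error are all constructed assumptions. With the clock error left in place, two real matches are lost and one alert is paired with the wrong firewall entry.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Assumption for this example: the IDS clock runs 95 seconds fast.
IDS_CLOCK_ERROR = timedelta(seconds=95)

# Constructed sample logs: (timestamp, source IP, message).
FIREWALL_LOG = [
    ("2024-03-01 10:00:02", "203.0.113.7", "DENY tcp/22"),
    ("2024-03-01 10:00:40", "198.51.100.9", "DENY tcp/3389"),
    ("2024-03-01 10:01:37", "203.0.113.7", "PERMIT tcp/443"),
]
IDS_LOG = [  # timestamps as written by the fast IDS clock
    ("2024-03-01 10:01:38", "203.0.113.7", "SSH brute-force signature"),
    ("2024-03-01 10:02:16", "198.51.100.9", "RDP scan signature"),
    ("2024-03-01 10:03:13", "203.0.113.7", "TLS anomaly"),
]

def parse(log, clock_error=timedelta(0)):
    """Parse entries, subtracting a known clock error from every timestamp."""
    return [(datetime.strptime(ts, FMT) - clock_error, ip, msg)
            for ts, ip, msg in log]

def correlate(fw, ids, window=timedelta(seconds=5)):
    """Pair each IDS alert with the closest firewall entry that has the
    same source IP and a timestamp inside the correlation window."""
    pairs = []
    for ids_ts, ids_ip, ids_msg in ids:
        candidates = [(abs(ids_ts - fw_ts), fw_msg)
                      for fw_ts, fw_ip, fw_msg in fw
                      if fw_ip == ids_ip and abs(ids_ts - fw_ts) <= window]
        if candidates:
            pairs.append((ids_msg, min(candidates)[1]))
    return pairs

if __name__ == "__main__":
    fw = parse(FIREWALL_LOG)
    print("unsynchronized:", correlate(fw, parse(IDS_LOG)))
    print("synchronized:  ", correlate(fw, parse(IDS_LOG, IDS_CLOCK_ERROR)))
```
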
Finding a time source
The Network Time Protocol Project (www.ntp.org) maintains extensive lists of public and private time sources. If your company does not have an internal time source to synchronize your network, refer to these lists. With them, you can find the primary and secondary time servers in the region where you are located.
Coordinating time
The next step is to synchronize the network time. From all network devices, select two routers that can receive time from the outside world and distribute it to the remaining devices in the network. These two routers are usually located at the edge of the network and are directly connected to the Internet.
The following is an example. We describe in detail the steps needed to specify the Network Time Protocol servers for the two Cisco routers and update their software clocks.
After finding the time sources in your region, log on to the router as a privileged user. Then, run the following commands:
Router# configure terminal
Router(config)# ntp server TimeServerOne prefer
Router(config)# ntp server TimeServerTwo
Router(config)# ntp update-calendar
These commands set TimeServerOne as the preferred (primary) time server; replace TimeServerOne with the IP address of the selected time server. Likewise, replace TimeServerTwo with the IP address of the second time server. The update-calendar command configures a router to update its hardware clock from the software clock. Next, configure the other network devices to get their time from these routers. The following is an example:
Router# configure terminal
Router(config)# ntp server RouterOne
Router(config)# ntp server RouterTwo
Router(config)# ntp update-calendar
Serving time securely
By default, the NTP service is disabled on all interfaces until you issue the first NTP command. To ensure security, it is a good idea to prevent devices from receiving or transmitting NTP packets where this is not needed; I don't think users want to be the timing source for the entire Internet.
You can disable the NTP service on a specific interface by executing the following command in interface configuration mode:
Router(config-if)# ntp disable
Conclusion
The time at which a security issue occurs may point to deeper issues. If your security logs become evidence in litigation, it is very important to show how the security issue occurred and developed step by step in the user's network, and the user needs to do this in an understandable, non-technical way. Time may be a key aspect that judges can understand. In a sense, keeping the network synchronized can mean the difference between guilt and innocence. This is another important reason for users to set up a reliable time source for their networks.