Why You Need A Network Time Server
Time is critical for transactions across computer networks. Many events on the network need accurate time to initiate and control processes, and complete transactions such as authentication. Accurate time for time stamps and log files is also very important for billing systems, network diagnostics, digital forensics, high-reliability databases and process analysis.
Yet clocks in electronic devices are not designed for accuracy. A typical clock can drift more than one hour in a year. The solution is to employ network time synchronization.
Time synchronization is an important criterion for efficient network operations. A network time synchronization implementation is simple and relies on a network time server as a network master clock. The characteristics of a network time server determine the security, reliability, and accuracy as well as the ease of manageability of the network time application.
Characteristics of a secure, reliable and accurate network time synchronization application:
- Network time synchronization occurs between servers and clients via network time protocol (NTP).
- A master time source known as an NTP time server is used to time synchronize a network.
- The time server must be behind the firewall for security.
- A stratum-1 time server is directly traceable to national standards for accuracy; typically through GPS transmissions.
- The time server must be available and accurate 24/7 for reliability.
- A hardware time server appliance greatly improves the manageability of the network.
How are stratum levels related to accuracy?
Stratum levels indicate the traceability path from the atomic clocks operated by national standards organizations. These “official time clocks” are defined as stratum-0 clocks because they are the most accurate. However, stratum-0 time sources cannot be used on a network. Stratum-1 time sources are directly traceable to national standards. Stratum-1 time servers get their time by direct connection to atomic clocks through GPS transmissions, long-wave radio signals such as WWV, or dial-up modem.
Stratum-1 time servers act as the primary network time standard. Stratum-2 time servers get their time from stratum-1 sources, and so on. Higher stratum levels (stratum-2, stratum-3, stratum-4, etc.) are deemed less accurate than their source, by about 10-100 milliseconds per stratum level, because of transmission delays. Typically NetClock time servers use the GPS broadcast as the primary source of official time, although other time sources can be used as primary or as back-up to GPS time, as is the case with dial-up modem.
SecureSyncs are stratum-1 time servers that offer the accuracy, reliability and security that you need for an efficient and reliable network.
What is NTP (network time protocol)?
While a variety of time services are available to use for network time synchronization, the most widely used and well established protocol is known as network time protocol or NTP. NTP is a UDP protocol for IP networks. The Internet Engineering Task Force has formalized the current standard of NTP (version 4) in RFC 5905. Simple network time protocol, SNTP, the latest standard formalized as RFC 4330, uses a less complex client implementation.
A time synchronization solution requires client software to read NTP packets generated by an NTP server and synchronize the local clock. The time server function is the same in either NTP or SNTP; the only difference is in the client software.
Why not use an Internet time server?
Internet-based time servers operated by universities and government organizations are available for public use. However, NTP requires an open port (UDP port 123) in the firewall for the NTP packets to get through. Open ports in the firewall are a security risk for you, as a network operator, and can affect the reliability and accuracy of public time servers as they are easily exploited in “Denial of Service” attacks even if inadvertent.
In May 2003, an internet time server operated by the University of Wisconsin, Madison was the recipient of a continuous large-scale flood of traffic resulting in greatly reduced availability of the server for many months. It was later determined that the source of the “attack” was based on a programming bug in the firmware of inexpensive routers for home and small business use.
Accuracy is another concern with internet time servers. The latest survey of the NTP time server network from MIT uncovered two problems: the number of bad time servers on the internet and the unbalanced load. Only 28% of the time servers indicated as stratum 1 appeared to be useful.
Another concern affecting accuracy is spoofing. Spoofing is the creation by a third party of IP packets that use someone else’s IP address. Don’t take the chance of using fake NTP packets for your network synchronization.
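As an added example (not from the original page or any vendor's software), the Python code below shows what an SNTP client does with a server reply, as described under "What is NTP", and the RFC 4330 sanity checks that let it discard a reply that does not answer its own request, which bears on the spoofing concern above. The packet bytes and timestamps are constructed for the demonstration, and the function names are hypothetical.

```python
import struct

NTP_UNIX_DELTA = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
HEADER = "!BBbbII4sQQQQ"         # 48-byte NTP header, network byte order

def to_ntp(unix_s):
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return int(round((unix_s + NTP_UNIX_DELTA) * 2**32))

def from_ntp(raw):
    """64-bit NTP timestamp -> Unix seconds."""
    return raw / 2**32 - NTP_UNIX_DELTA

def build_reply(stratum, origin, receive, transmit, leap=0):
    """Constructed server reply (version 4, mode 4) so the demo runs offline."""
    first = (leap << 6) | (4 << 3) | 4
    return struct.pack(HEADER, first, stratum, 6, -20, 0, 0, b"GPS\x00",
                       to_ntp(receive), to_ntp(origin), to_ntp(receive), to_ntp(transmit))

def check_reply(packet, sent_raw, t4):
    """Validate a reply, then return (stratum, offset_s, delay_s).
    sent_raw: transmit timestamp the client put in its request.
    t4: client clock (Unix seconds) when the reply arrived."""
    if len(packet) < 48:
        raise ValueError("short packet")
    first, stratum, _, _, _, _, _, _, org, rx, tx = struct.unpack(HEADER, packet[:48])
    leap, mode = first >> 6, first & 0x07
    if mode != 4:
        raise ValueError("not a server reply")
    if org != sent_raw:
        raise ValueError("origin timestamp does not match request")
    if not 1 <= stratum <= 15:
        raise ValueError("stratum 0 (kiss-o'-death) or invalid stratum")
    if leap == 3 or tx == 0:
        raise ValueError("server reports an unsynchronized clock")
    t1, t2, t3 = from_ntp(org), from_ntp(rx), from_ntp(tx)
    offset = ((t2 - t1) + (t3 - t4)) / 2    # how far the local clock is off
    delay = (t4 - t1) - (t3 - t2)           # round trip minus server processing
    return stratum, offset, delay

if __name__ == "__main__":
    t1 = 1700000000.0            # constructed: client clock at send time
    reply = build_reply(1, t1, t1 + 0.270, t1 + 0.271)
    print(check_reply(reply, to_ntp(t1), t1 + 0.041))
    forged = build_reply(1, t1 - 5, t1 + 3600, t1 + 3600)   # wrong origin
    try:
        check_reply(forged, to_ntp(t1), t1 + 0.041)
    except ValueError as err:
        print("rejected:", err)
```

The origin check only rejects replies from a sender that could not see the request; it does not authenticate the server, so a time source inside the firewall remains the control the page recommends.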
How do I configure NTP clients?
Client software for network time protocol is widely available for a variety of operating systems and is typically pre-installed in servers, workstations, firewalls and routers. Configuring an NTP or SNTP client is straightforward. Support can be found on this site and many others for configuring Windows time services such as W32time. Third-party software is available to improve the functionality of the NTP client application. We offer a suite of NTP software for Windows clients called PresenTense. PresenTense greatly improves the management and reliability of the time synchronization application through the use of real-time monitoring, extensive logging, email alerts, built-in redundancy, and higher accuracy.
How a time server supports regulatory compliance
Network time synchronization supports many laws and standards requiring network accuracy, security, and reliability.
The following are examples of regulations that drive the need for time synchronization in the network.
| Regulation or standard | Focus |
|---|---|
| Sarbanes-Oxley | Accuracy of financial reporting |
| HIPAA | Patient privacy in health care |
| Order Audit Trail System (OATS) | Elimination of fraudulent security trades |
| CFR 21, Part 11 | Accuracy of electronic records for drug manufacturers and others |
| Payment Card Industry – Data Security Standards | Security of cardholder data |
| North American Electric Reliability Council (NERC) | Requirements for a reliable and secure bulk power system |
The Sarbanes-Oxley Act
“SOX” requires top executives of public companies to personally certify the accuracy of financial reports. Section 404 requires an organization to assess internal control systems for accuracy. Typically you need to answer the following questions: who was in what system, what they did, why they were there, and how long they were there. The accuracy of log files and time stamps is important for the network control required to ensure compliance. Accurate time synchronization of the entire IT infrastructure supports SOX compliance.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA legislation was a wide-ranging act to improve various aspects of the health care industry. In addition to ensuring portability and continuity of health insurance coverage, rules and standards have been added to ensure privacy of patient records and specifically the security of health information. Network access control is crucial to showing compliance with HIPAA. Accurate time stamps are particularly called out in the regulation as a contributing factor for appropriate access controls. Time synchronization of the network of health care providers helps ensure compliance with the HIPAA regulations.
NASD’s Order Audit Trail System (OATS)
National Association of Securities Dealers (NASD) order audit trail system (OATS) requires those involved with financial exchanges to track trades to within 3 seconds of the international time standard known as UTC, including latencies.
In an attempt to reduce identity theft, this 1999 law protects the privacy of customers of financial institutions. It is crucial that financial organizations take reasonable steps to secure the privacy of customer records from the inside and outside the network. Similar to other regulations, time synchronization of the business systems is an enabler for securing records such as customer data.
Code of Federal Regulations (FDA)
The code of federal regulations includes Food and Drug Administration’s guidelines for the development, manufacture and sale of products that can affect the health and safety of the public. Specifically title 21, part 11 requires businesses in certain industries such as pharmaceutical manufacturing to employ procedures and controls to ensure the authenticity, integrity and confidentiality of electronic records. To satisfy this requirement, organizations must ensure that computer generated time stamps are accurate.
Payment Card Industry – Data Security Standards
PCI-DSS applies to all who store, process or transmit cardholder data. Its requirements include date and time stamping with synchronized system clocks.
North American Electric Reliability Council (NERC)
The Federal Energy Regulatory Commission (FERC) has backed NERC’s requirements for all users, owners and operators of the bulk-power system, including mandatory cyber security standards. NERC’s Control System Working Group lists inadequate or non-existent digital forensic and audit trails as a top 10 vulnerability of the power grid. Top mitigation requirements include time synchronization of system logs and sequence-of-event recorders as described in Security Guideline for the Electricity Sector: Time Stamping of Operational Data Logs. Along with the benefits of new network applications, controls are required to ensure the accuracy and security of data. A NetClock time synchronization solution directly supports the mission of the network administrator.