NTP Security: A Quick-Start Guide

Posted on by Ben Rothke

What does stand-up comedy, networking and internet security have in common? Their ultimate success depends a lot on timing.  When it comes to comedy, timing is measured in seconds.  In networking and security, it’s in milliseconds. 

The use of the Network Time Protocol (NTP) has long been the gold-standard for network time synchronization.  It’s been in use since the early 1980’s and is one of the oldest Internet protocols in use.

In NTP Security: A Quick-Start Guide (Apress 978-1484224113), author Allan Liska has written a highly-effective and concise guide to help the reader get up and running to securely use NTP. The book opens with a brief overview and history of time synchronization, and then gets into how to use and configure NTP.

When it comes to NTP and security, Liska writes that ironically, the set it and forget it aspect of NTP is a serious issue. This has led to a lot of entropy in the development and deployment of the protocol.  While version 4, the current version of NTP was released in 2010, far too many firms have not updated from previous insecure versions. This creates the situation where network and security teams pay very little attention to NTP until something major happens.

For those that want to know everything about NTP, written by the author of the protocol, Computer Network Time Synchronization: The Network Time Protocol on Earth and in Space (CRC Press 978-1439814635) by David Mills is the definitive reference.

For those that want a kinder and gentler reference, at 80 pages, this is indeed a quick guide that can show the reader the core ideas around secure NTP configurations and communications.  Time synchronization is a critical aspect of network security, and it’s about time for most readers to take a look at a book like this.

Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community