The AAA Service must be configured to use its loopback or OOB management interface address as the source address when originating NTP traffic.

From Authentication Authorization and Accounting Service Security Requirements Guide

Part of SRG-APP-000516-AAA-000037

Associated with: CCI-000366

SRG-APP-000516-AAA-000037_rule The AAA Service must be configured to use its loopback or OOB management interface address as the source address when originating NTP traffic.

Vulnerability discussion

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. NTP provides an efficient and scalable method for network devices to synchronize to an accurate time source.Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. NTP messages sent to management servers should use the loopback address as the source address.

Check content

Verify the AAA Service is configured to use its loopback interface address as the source address when originating NTP traffic. When the AAA Service is managed from an OOB management network, the OOB interface must be used instead of the loopback address for originating NTP traffic. If the AAA Service is not configured to use the OOB interface when managed from an OOB management network, this is a finding. If the AAA Service is not configured to use the loopback or OOB management interface as the source address when originating NTP traffic, this is a finding.

Fix text

Configure the AAA Service to use its loopback or OOB management interface address as the source address when originating NTP traffic.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer