
Before establishing a connection with a Network Time Protocol (NTP) server, the Cisco ISE must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server. This is required for compliance with C2C Step 1.


Overview

Finding ID: V-242603
Version: CSCO-NC-000290
Rule ID: SV-242603r855860_rule
IA Controls: (none listed)
Severity: Medium
Description
If the NTP server is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate and affect scheduled actions. NTP authentication prevents this tampering by authenticating the time source. Currently, the AES block cipher algorithm is approved for use in DoD both for applying cryptographic protection (e.g., encryption) and for removing or verifying protection that was previously applied (e.g., decryption). NTP devices use MD5 authentication keys. The MD5 algorithm is not specified in either FIPS or the NIST recommendation; however, MD5 is preferred to no authentication at all. The trusted-key statement permits authenticating NTP servers. The product must be configured to support separate keys for each NTP server. Servers should have a PKI device certificate involved for use in the device authentication process.
STIG: Cisco ISE NAC Security Technical Implementation Guide
Date: 2022-09-14

Details

Check Text ( C-45878r812787_chk )
If DoD is not at C2C Step 1 or higher, this is not a finding.

Verify NTP setting to ensure NTP will be authenticated.

From the CLI:
1. Type "show running-config | in ntp".
2. Verify that each defined NTP server has a key on the same line defining the server and make a note of the key number.
3. Verify that each NTP Key number used is created.

If there is an NTP source without an NTP key defined and it is a domain controller, this is not a finding as Windows server does not support NTP keys.

If there are any other NTP sources that do not use a defined key, this is a finding.

Note: Each ISE node must be individually checked as NTP settings are local to each appliance.
Note: There are NTP settings in the GUI; however, it is recommended to use the NTP setting solely in CLI to prevent issues.
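As an added example that is not part of the STIG text or of any Cisco tooling, the following Python script applies steps 1 through 3 of the check above (plus the domain-controller exception) to a saved "show running-config | in ntp" capture, so that every ISE node can be audited the same way. It assumes the ISE ADE-OS line formats "ntp server <host> [key <id>]" and "ntp authentication-key <id> md5 {hash|plain} <value>"; the sample capture, its key values and the host names are constructed, and the list of domain controllers is supplied by the operator rather than discovered.

```python
"""
Offline audit of a Cisco ISE "show running-config | in ntp" capture
against the check text for V-242603 (CSCO-NC-000290).

Added example, not STIG or Cisco code. Assumed ISE ADE-OS line formats:
    ntp server <host> [key <id>]
    ntp authentication-key <id> md5 {hash|plain} <value>
Any other "ntp ..." line (e.g. maxdistance) is ignored.
"""
import re

# e.g. "ntp authentication-key 1 md5 hash 0123abcd..." or "... md5 plain S3cret"
KEY_RE = re.compile(r"^ntp authentication-key (\d+) md5 (hash|plain) (\S+)$")
# e.g. "ntp server 10.0.0.10 key 1" or "ntp server 10.0.0.12" (no key)
SERVER_RE = re.compile(r"^ntp server (\S+)(?: key (\d+))?$")


def parse_ntp_config(config_text):
    """Return ({host: key_id_or_None}, {key_id: 'hash' | 'plain'})."""
    servers, keys = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            keys[int(m.group(1))] = m.group(2)
            continue
        m = SERVER_RE.match(line)
        if m:
            servers[m.group(1)] = int(m.group(2)) if m.group(2) else None
    return servers, keys


def audit_ntp(config_text, domain_controllers=()):
    """
    Apply the V-242603 check to one ISE node's NTP configuration.

    Returns a dict with:
      findings - list of (host, reason) that are findings under the check text
      exempt   - key-less hosts that are listed domain controllers
                 (not a finding: Windows Time does not support NTP keys)
      warnings - best-practice notes the check text does not score, e.g. one
                 key shared by several servers (the rule description calls
                 for a separate key per NTP server)
    """
    servers, keys = parse_ntp_config(config_text)
    dcs = set(domain_controllers)
    findings, exempt, warnings = [], [], []
    key_users = {}

    for host, key_id in servers.items():
        if key_id is None:
            if host in dcs:
                exempt.append(host)
            else:
                findings.append((host, "no NTP key on the server line"))
        elif key_id not in keys:
            findings.append((host, f"references key {key_id}, which is not defined"))
        else:
            key_users.setdefault(key_id, []).append(host)

    for key_id, hosts in key_users.items():
        if len(hosts) > 1:
            warnings.append(f"key {key_id} is shared by {', '.join(sorted(hosts))}")

    return {"findings": findings, "exempt": exempt, "warnings": warnings}


# Constructed sample capture (not real ISE output); key values are made up.
SAMPLE_CONFIG = """\
ntp server 10.0.0.10 key 1
ntp server 10.0.0.11 key 2
ntp server 10.0.0.12
ntp server dc01.example.mil
ntp server 10.0.0.13 key 1
ntp authentication-key 1 md5 hash 0123456789abcdef0123456789abcdef
ntp authentication-key 3 md5 plain ExampleKeyValue
"""

if __name__ == "__main__":
    result = audit_ntp(SAMPLE_CONFIG, domain_controllers=["dc01.example.mil"])
    for host, reason in result["findings"]:
        print(f"FINDING  {host}: {reason}")
    for host in result["exempt"]:
        print(f"EXEMPT   {host}: domain controller, no key expected")
    for note in result["warnings"]:
        print(f"WARNING  {note}")
    print("Result:", "Open" if result["findings"] else "Not a Finding")
```

The script reproduces the check as written: it confirms that every server line references a key and that each referenced key is defined on the node. It does not prove that the time source holds the same key or that the association is actually authenticated, so pair it with the node's own NTP status output ("show ntp") when closing the finding.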
Fix Text (F-45835r714118_fix)
Configure the NTP server to be authenticated.

From the CLI:
1. Type "configure terminal".
2. Define an NTP authentication key: "ntp authentication-key <key ID> md5 plain <key value>".
3. Define an NTP server and associate it with the configured key: "ntp server <host or IP address> key <key ID>".
4. Type "exit" and press "Enter".
5. Type "write memory" and press "Enter".

If a domain controller is used for NTP, then a key cannot be used as Windows servers do not support NTP keys.

Note: Each ISE node must be individually configured as NTP settings are local to each appliance.
Note: There are NTP settings in the GUI; however, it is recommended to use the NTP setting solely in CLI to prevent issues.