Is Opening NTP Outbound from my network dangerous?

[Galpersonal]

Hello -

I want to know if it's not a good idea to open Outbound NTP through my
network. I have many CE 4.2 devices that can time sync to time.windows.com
but I'm not sure of the security ramifications. However, I really need to
make sure my CE devices have the correct time.

I know that I can purchase an internal NTP server, but I want to know if
it's op to open NTP Outbound through my firewall.

Thanks everyone!

 

[Paul G. Tobey [eMVP]]

This is the stream protocol NTP or the datagram protocol? I don't see a
problem opening an outbound port if you're talking about the ability to make
a stream connection to an external server. If you open the datagram port,
you might accidentally allow some significant DOS traffic, if someone chose
to attack that port with a bunch of random UDP packets or something.

Paul T.

 

[Galpersonal]

I'm taking about opening up these protocols to go OUTBOUND through my
firewall (I'm not sure which one I need, so I'd open both):

ntp 123/tcp Network Time Protocol
ntp 123/udp Network Time Protocol


http://www.iana.org/assignments/port-numbers



But you are saying that if I had UDP open outbound, someone from inside my
network could start a Denial of Service attack on Network Time SErvers on
the Internet? Wouldn't that be the case for those NTP servers anyway (even
if I kept my outbound ports closed, others could still DOS them)




"Paul G. Tobey [eMVP]" <p space tobey no spam AT no instrument no spam DOT
com> wrote in message news:%[email protected]...

 

[Joe Richards [MVP]]

Do you have Windows 2000 or Windows Server 2003 Servers in your
environment? If so, you should be able to use those for syncing the
devices. DCs are set up by default to do it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Galpersonal]

YES!

You are correct! Thanks!

However, sometimes we have clients that do not have Win2k or Win2k3 servers
on their network. Would opening an outbound port to NTP be a security risk?

 

[Paul G. Tobey [eMVP]]

The TCP is no problem on your device end. Since UDP requires that something
come back and since UDP is not connection-oriented, that's a potential
problem, as I said. It's the inbound that is a potential problem (you have
to receive a response to your request of the server! Otherwise NTP is
useless, right?!). Since TCP is connection-oriented and you're the client,
it's not much of a problem, but your NTP client for the UDP version must be
sitting there listening for a response from the server, so that program is
vulnerable to attack from outside. Yes, the server is also vulnerable, and,
in fact, it's vulnerable on both ports, since it has to be sitting there
listening for connections from clients, whether it's using TCP or UDP.

Paul T.

I'm taking about opening up these protocols to go OUTBOUND through my
firewall (I'm not sure which one I need, so I'd open both):

ntp 123/tcp Network Time Protocol
ntp 123/udp Network Time Protocol


http://www.iana.org/assignments/port-numbers



But you are saying that if I had UDP open outbound, someone from inside my
network could start a Denial of Service attack on Network Time SErvers on
the Internet? Wouldn't that be the case for those NTP servers anyway
(even if I kept my outbound ports closed, others could still DOS them)




"Paul G. Tobey [eMVP]" <p space tobey no spam AT no instrument no spam DOT
com> wrote in message news:%[email protected]...

This is the stream protocol NTP or the datagram protocol? I don't see a
problem opening an outbound port if you're talking about the ability to
make a stream connection to an external server. If you open the datagram
port, you might accidentally allow some significant DOS traffic, if
someone chose to attack that port with a bunch of random UDP packets or
something.

Paul T.

 

[Paul G. Tobey [eMVP]]

Yes, it's a risk. Everything is a "risk". The lower risk of the two is
TCP; the higher is UDP. Any externally visisble network connection point is
a vulnerability. You just have to balance that against the value of
actually having the ability to sync the clock!

Paul T.

 

[J Tom Moon]

==========================================================================
from http://en.wikipedia.org/wiki/NTP_vandalism
==========================================================================
The most troublesome problems have involved NTP server addresses
hardcoded in the firmware of consumer networking devices. As major
manufacturers produce hundreds of thousands of devices and since most
customers never upgrade the firmware, any problems will persist for as
long as the devices are in service.
One particularly common software error is to generate query packets at
short (less than five second) intervals until a response is received.
When such an implementation finds itself behind a packet filter that
refuses to pass the incoming response, this results in a never-ending
stream of requests to the NTP server. Such grossly over-eager clients
(particularly those polling once per second) commonly make up more than
50% of the traffic of public NTP servers, despite being a minuscule
fraction of the total clients. While it is reasonable to send a few
initial packets at short intervals, it is essential for the health of
any connectionless network that unacknowledged packets be generated at
exponentially decreasing rates. This applies to any connectionless
protocol, and many portions of connection-based protocols. Examples can
be found in the TCP specification for connection establishment,
zero-window probing, and keepalive transmissions.
==========================================================================

Unless I'm mistaken, you don't have to open your port 123 to use NTP.
You only have to contact an ntp server at it's port 123. Your packets
come from just about any of your devices ports (with some limitations).


-J Tom Moon
Qualnetics

 

[J Tom Moon]

And no, I don't think it is a "security hole" to contact an NTP server.
(I consider a security hole something that could lead to escalated
priviledge or compromise private information or SW/HW damage - this is
a clarification of semantics).
Yes, I guess it is a risk, but I think a very miniscule one.

However, you don't have to take my word for it, check this out (in the
Platform Builder help documents):
"Submitting a Firewall for Certification"
ms-help://MS.WindowsCE.500/wcecomm5/html/wce50tskSubmittingaFirewallforCertification.htm
You can pay someone to give you their word that it's a miniscule risk.

-J Tom Moon

 

[Paul G. Tobey [eMVP]]

Depends on whether you're using NTP in symmetric mode or not, indeed. If
it's symmetric, then the reply port is the NTP port, 123, yes?

Yes, perhaps the terminology I'm using is incorrect. I can conceive of
several NTP-based attacks, but none that come to mind would result in a
remote user being able to, say, read files from the CE-based device, or
erase them, unless changing the time/date of the device allowed that for
some reason.

Paul T.

 

[J Tom Moon]

Depends on whether you're using NTP in symmetric mode or not, indeed. If

it's symmetric, then the reply port is the NTP port, 123, yes?

Good thought. I was assuming the CE clients were not going to be NTP
servers (unless there is a symmetric mode between client and server?).
I must admit that most of my knowledge about NTP I learned in the past
few hours, but I have worked with firewalls! (so I'm not entirely
"shooting from the hip" .
I'm curious how the WinCE-based devices are going to be used in that
scenario.
Maybe Galpersonal will respond with a description (hint, hint).

-J Tom Moon
Qualnetics