How To Secure Your Time Server: A Best Practice Guide

Unlike multi-application devices or typical servers, Network Time Servers are designed to serve one specific purpose: the continuous and precise synchronisation of time across your network.

The following steps are those which are recommended to increase security for a Netsilon Time Server operating behind a firewall on a private network.

Change Your Default Password

Your Netsilon Time Server will come preconfigured with a default password. This should be changed immediately. It is advised that this new password be distributed to as few people as possible, since it is usually just the network administrator who requires access to the time server.

Disable Unnecessary Protocols

The following services will initially be running on your new Netsilon Time Server:

  • HTTP
  • HTTPS
  • SNMP
  • SSH
  • TELNET
  • NTP
  • PTP (If option purchased)
  • TIME
  • DAYTIME

Any protocols that you do not need should be disabled as soon as possible. Please refer to the Netsilon User Manual for more information: https://www.bodet-time.com/support/documents-database/time-server.html

Session Encryption

SSH (Secure Shell Protocol) should always be used when logging in to the system. To ensure this, Telnet should be disabled.

Use of Authentication

MD5 authentication should be used by all NTP clients, and NTP access to any host not using authentication should be disabled. The Netsilon Time Server’s default configuration is to respond to NTP requests from clients whether they are using MD5 authentication or not. It is strongly recommended that the factory-default MD5 keys are changed before all clients are configured to use the same MD5 authentication keys.
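The following Python example is added here for illustration and is not Bodet's or the Netsilon firmware's code. It shows how NTP symmetric-key MD5 authentication appears on the wire as defined in RFC 5905 (a 32-bit key ID plus MD5 over the key followed by the NTP header), and how a client can distinguish an authenticated reply from an unauthenticated, tampered or refused one. The key ID, key value and sample header are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header, no extension fields
MD5_MAC_LEN = 4 + 16  # 32-bit key ID followed by the 128-bit MD5 digest

def md5_mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key digest as in RFC 5905: MD5(key || NTP header)."""
    return hashlib.md5(key + header).digest()

def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the key ID and digest to a 48-byte NTP header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + struct.pack("!I", key_id) + md5_mac(key, header)

def classify_packet(packet: bytes, keys: dict) -> str:
    """Decide whether a received NTP packet should be trusted."""
    if len(packet) == NTP_HEADER_LEN:
        return "unauthenticated"   # no MAC at all: do not accept
    if len(packet) == NTP_HEADER_LEN + 4:
        return "crypto-nak"        # key ID only: the peer rejected our MAC
    if len(packet) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return "malformed"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = keys.get(key_id)
    if key is None:
        return "unknown-key"       # key ID is not in our trusted key set
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if hmac.compare_digest(md5_mac(key, header), mac[4:]):
        return "valid"
    return "bad-mac"               # wrong key or packet modified in transit

# Constructed sample data (not factory defaults, not real traffic).
SAMPLE_KEYS = {7: b"example-site-key"}
# LI=0, VN=4, mode=4 (server), stratum 1, poll 6, precision -20, rest zeroed.
SAMPLE_HEADER = bytes([0x24, 1, 6, 0xEC]) + bytes(44)

if __name__ == "__main__":
    reply = sign_packet(SAMPLE_HEADER, 7, SAMPLE_KEYS[7])
    print(classify_packet(reply, SAMPLE_KEYS))
    print(classify_packet(SAMPLE_HEADER, SAMPLE_KEYS))
```

A client that enforces authentication accepts only the "valid" outcome; every other result is a reason to discard the packet and log the source address.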

Restrict Access

Through NTP and other timing protocols, many users will have access to your time server. To preserve security, direct access should be limited to your network administrator. Any additional access should be restricted to specific hosts and no more than two users. For a further level of security, all protocols apart from NTP and any additionally required timing protocols can be eliminated, and the local RS-232 console port used to configure and monitor the Netsilon Time Server.

Keypad Configuration Lockout

To prevent any unauthorised tampering with the Netsilon Time Server, lock out configuration through the keypad.

Firmware & Software Updates

Periodically, Bodet release new versions of firmware to address serious vulnerabilities, fix known bugs and enhance the product. Ensure your Netsilon Time Server is updated with the latest firmware release available.

Your NTP clients should similarly be updated with the latest software, and configured to use MD5 authentication as described above.

Archive Log Files

As part of the troubleshooting process or when investigating a compromised machine, system logs are critical. We strongly recommend utilising the Netsilon Time Server’s ability to send logs to a remote collector through syslog. Should you ever experience any unauthorised access attempts, these will be logged together with the relevant IP address.

 
