'A man with one clock knows the time, a man
with two clocks is not sure'. Computer clocks are based on
inexpensive oscillator circuits or battery-backed quartz crystals
and can easily drift seconds per day, accumulating significant
errors over time.
Unsynchronized computer clocks in the enterprise information
infrastructure have a significant impact on network and
security operations. 'Close enough' computer clock synchronization
is not enough, especially when building defences against
information attacks by cyber-crime syndicates and nation-state
adversaries. Such adversaries can take advantage of a lack of
clock synchronization to camouflage large-scale information
attacks so that they look like isolated 'script kiddie' probes
in different segments of the enterprise network.
Lack of time synchronization would affect enterprise networks
in three key areas:
Security
Access security and authentication
Most modern authentication protocols require accurate
time. For example, in Windows 2000 the default authentication
protocol (Kerberos Version 5) uses workstation time as part
of the authentication ticket generation process.
Time synchronization is so vital in Windows 2000 that it
includes the W32Time time service, whose purpose is to
ensure that all Windows 2000-based computers in an organization
use a common time.
The Windows time service uses a hierarchical relationship.
All client desktops and member servers nominate their inbound
authenticating domain controller as their time partner. This
continues up through the hierarchy of domains to the primary
domain controller (PDC) at the root of the forest.
This PDC is set to synchronize with a reliable time source,
such as a dedicated network time server. If a time server
is not available and the time difference between domain controllers
drifts beyond the skew allowed by Kerberos, authentication/logon
between two domain controllers may not succeed.
Systems such as RSA Security's SecurID require some level
of time synchronization between the client machine requesting
access and the server that grants it. If the two aren't within
an allowable time difference, access can be denied.
Log file Analysis, Audit, Monitoring and Forensics
Log files facilitate analysis of events within the network.
This includes firewall, IDS/IPS and VPN security-related activity.
Since the logs are a compilation of information from different
hosts/devices it is crucial that the time stamps are accurate
- if not, events cannot be ordered into the correct chronological
sequence, and root-cause of attacks and security breaches
cannot be correctly determined.
Even centrally logged configuration events and system error
messages, such as router configuration changes, modem events,
security alerts, trace backs, and CPU process overloads (during
Denial of Service attacks), rely on network time synchronization
for accurate time stamps for the data to have meaning.
In incident investigation, the RMON and other log files are
typically used by security administrators to reconstruct
the scene of a network security breach or network crime. Accurately
time-stamped network packet transits provide the forensic
evidence to make this possible.
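How unsynchronized clocks change the apparent sequence of events
in a merged log, as an added example that is not part of the
original article. The host names, log lines, clock offsets and
uncertainties are all constructed; offsets are assumed to have been
measured against a reference clock during the investigation.

```python
from datetime import datetime, timedelta
from itertools import combinations

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed events: (host, timestamp as logged by that host, message).
EVENTS = [
    ("fw01", "2024-03-01 10:00:07", "ALLOW tcp 203.0.113.5 -> 10.0.0.8:22"),
    ("ids01", "2024-03-01 10:00:02", "ALERT ssh brute-force from 203.0.113.5"),
    ("vpn01", "2024-03-01 09:59:58", "LOGIN user=svc-backup from 203.0.113.5"),
    ("fw01", "2024-03-01 10:00:31", "ALLOW tcp 10.0.0.8 -> 10.0.0.20:445"),
]
# Assumed per host: (seconds the clock runs ahead of reference,
# uncertainty of that measurement in seconds). Negative = clock is slow.
CLOCKS = {"fw01": (0.0, 0.5), "ids01": (-12.0, 2.0), "vpn01": (-41.0, 10.0)}

def naive_order(events):
    """Order events by the timestamps exactly as each host logged them."""
    return sorted(events, key=lambda e: datetime.strptime(e[1], FMT))

def corrected_timeline(events, clocks):
    """Shift each event onto the reference clock, then order."""
    timeline = []
    for host, stamp, msg in events:
        offset, uncertainty = clocks[host]
        true_time = datetime.strptime(stamp, FMT) - timedelta(seconds=offset)
        timeline.append((true_time, uncertainty, host, msg))
    return sorted(timeline, key=lambda row: row[0])

def ambiguous_pairs(timeline):
    """Pairs whose order cannot be proven: gap <= combined uncertainty."""
    pairs = []
    for a, b in combinations(timeline, 2):
        gap = abs((b[0] - a[0]).total_seconds())
        if gap <= a[1] + b[1]:
            pairs.append((a[3], b[3]))
    return pairs

if __name__ == "__main__":
    print("As logged:", [e[2] for e in naive_order(EVENTS)])
    timeline = corrected_timeline(EVENTS, CLOCKS)
    for when, unc, host, msg in timeline:
        print(f"{when:%H:%M:%S} +/-{unc:>4}s {host:6} {msg}")
    print("Order not provable:", ambiguous_pairs(timeline))
```

As logged, the VPN login appears first; once corrected it is last,
and its order relative to the second firewall event still cannot be
established because the VPN host's clock error is poorly known.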
Network Operations
Network fault diagnosis and recovery
Key network events are trapped, reported, and logged using
the RMON services that reside in servers, routers, and switches.
Should the network crash or become unstable (for any reason,
possibly an information attack), a stream of RMON events
will be reported. Each of the events will be indexed with
the 'network time stamp' affixed by the reporting RMON agent.
If these time stamps are synchronized, the proper order can
be established and root-cause quickly established. Without
accurate network time synchronization this will not be possible.
File Time Stamps
The integrity of any file system is heavily dependent on accurate
time to track the dates and time of file creation, last accesses,
last modified etc. In distributed file sharing, correct file
time stamps would be crucial.
Directory Services
Network directory services systems exchange information
and synchronize changes according to time stamps. Therefore,
network time synchronization is an important part of network
design and implementation. For example, for accurate and optimum
efficiency, in a Windows NT network, all NT servers and client
workstations need to synchronize with a single, accurate,
and standard time source.
Scheduled Operations
Cron scripts and crontabs are commands to a computer operating
system or application server that are to be executed at a
specified time. Each command is executed when its triggering
time arrives.
In case of networked computers - each responsible for executing
independent cron files - time synchronization between the
computers becomes critical so that scheduled activities are
properly coordinated.
Applications
Most computer applications use time stamps as a key
element. Just as the PSTN depends on precise frequency, VoIP depends
on precise time. Other applications such as shared databases,
billing and transaction systems, data acquisition, email,
PKI etc. rely heavily on accurate time stamps.