G.1.3 NTP Security Considerations (Informative)

The Basic Time Synchronization profile should not be used outside a secured environment. At a minimum there should be:

  1. Firewall and/or router protections to ensure that only approved hosts are used for NTP services.

  2. Agreements for VPN and other access should require the use of only approved NTP servers over the VPN.

This limits the risks to insider denial-of-service attacks. The denial of service consists of manipulating the time synchronization such that systems report the incorrect time. The NTP protocols incorporate secure transaction capabilities that can be negotiated. This profile assumes that the above protections are sufficient and does not require support of secure transactions, but they may be supported by an implementation. The SNTP client does not support the use of secured transactions.
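As an added illustration (not part of the standard text), the following Python check audits an ntpd- or chrony-style configuration against a site's list of approved NTP servers, which is the host-side counterpart of the firewall rule in item 1. The approved addresses, the sample configuration and the function name `audit_time_sources` are constructed assumptions.

```python
import ipaddress

# Assumption: site policy lists approved NTP servers by IP address (constructed values).
APPROVED = {"10.20.0.5", "10.20.0.6"}

# Constructed sample of an ntpd/chrony-style configuration file.
SAMPLE_CONF = """\
# site time configuration
driftfile /var/lib/ntp/drift
server 10.20.0.5 iburst
server 10.20.0.6 iburst   # secondary
server 192.0.2.44
pool pool.example.org iburst
peer 10.20.0.6
"""

# Directives that name a remote time source.
SOURCE_DIRECTIVES = {"server", "pool", "peer"}

def audit_time_sources(conf_text, approved):
    """Return (line_no, directive, target, reason) for each source outside policy."""
    approved_ips = {ipaddress.ip_address(a) for a in approved}
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2 or fields[0].lower() not in SOURCE_DIRECTIVES:
            continue
        directive = fields[0].lower()
        # Skip address-family qualifiers such as -4 / -6 placed before the target.
        args = [f for f in fields[1:] if not f.startswith("-")]
        if not args:
            continue
        target = args[0]
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # A name resolves at run time, so it cannot be matched to the allowlist here.
            findings.append((line_no, directive, target, "hostname, not a pinned address"))
            continue
        if addr not in approved_ips:
            findings.append((line_no, directive, target, "not an approved NTP server"))
    return findings

if __name__ == "__main__":
    for finding in audit_time_sources(SAMPLE_CONF, APPROVED):
        print("line %d: %s %s -> %s" % finding)
```

Addresses are compared as parsed values rather than strings, so differently written forms of the same IPv6 address match the approved list.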

Sites with particular concerns regarding security of external network time sources may choose to utilize GPS or radio-based time synchronization. Note that when selecting GPS and radio time sources, care must be taken to establish the accuracy and stability provided by the particular time source. The underlying time accuracy of GPS and radio sources is superb, but some receivers are intended for low accuracy uses and do not provide an accurate or stable result.