Friday, February 2, 2018
Have you taken advantage of the Palo Alto Networks Best Practices Booklet? Released last June, it contains 300+ pages of specific, immediately useful advice for improving security, performance, manageability, and high availability.
We continue to provide our members with resources that offer useful guidance on the booklet. One such resource is the Fuel Tip of the Week Forum. Let’s take a look at one of the latest tips highlighted in this forum.
Network Time Protocol (NTP)
NTP is an important tool for network administrators. It allows your network-connected devices to automatically stay synchronized with authoritative clocks in your network or on the Internet.
There are two good reasons to limit the destinations your internal hosts can connect to when using the NTP protocol:
- You don’t want them connecting to a rogue NTP server, which could return false information.
- You don’t want them to be able to launch an amplification DoS attack over the Internet through someone else’s NTP server.
Here is how to implement it:
Step 1: Determine which NTP server you want your internal hosts to connect to:
- If you’re a small organization, it’s fine to use any number of known good public servers.
- If you’re a larger organization, you may wish to configure your own internal NTP server to serve your internal hosts, which then synchronizes itself with an authoritative NTP server on the Internet.
- If you’re a really large organization, or need extremely precise time measurements, connect your NTP server to an outdoor GPS receiver. Because each GPS satellite flies with four atomic clocks on board, GPS signals are accurate to within 40 ns, which is much shorter than the time it would take to transmit the time even to an adjacent device, so it’s literally more accurate than you could possibly need.
Step 2: Go to Policies > Security and create a rule that allows outbound NTP traffic to connect only to specific NTP servers.
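Before enforcing the rule from Step 2, it helps to know which internal hosts are still reaching NTP servers outside the list chosen in Step 1. The following is an added example, not part of the booklet or the original tip: it checks exported flow records against an allowlist. The addresses, the CSV column names and the sample records are all constructed assumptions, not a Palo Alto Networks log format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed allowlist: one internal NTP server plus a documentation-range
# address standing in for a chosen public server (both are assumptions).
APPROVED_NTP = [ipaddress.ip_network(n) for n in ("10.0.0.10/32", "192.0.2.123/32")]

# Constructed flow export; the column names are hypothetical, not a vendor format.
SAMPLE_FLOWS = """src,dst,proto,dport,action
10.1.1.20,10.0.0.10,udp,123,allow
10.1.1.21,192.0.2.123,udp,123,allow
10.1.1.22,198.51.100.7,udp,123,allow
10.1.1.22,203.0.113.50,udp,123,allow
10.1.1.23,198.51.100.7,tcp,443,allow
10.1.1.24,not-an-ip,udp,123,allow
10.1.1.25,203.0.113.50,udp,123,deny
"""

def is_approved(dst):
    """True if dst parses as an IP inside one of the approved NTP networks."""
    try:
        addr = ipaddress.ip_address(dst.strip())
    except ValueError:
        return False  # an unparseable destination is treated as unapproved
    return any(addr in net for net in APPROVED_NTP if net.version == addr.version)

def unapproved_ntp(flow_csv):
    """Map each source host to the unapproved NTP destinations it was allowed to reach."""
    offenders = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp" or row["dport"] != "123":
            continue  # not NTP (UDP port 123)
        if row["action"] != "allow":
            continue  # already blocked by policy
        if not is_approved(row["dst"]):
            offenders[row["src"]].add(row["dst"])
    return {src: sorted(dsts) for src, dsts in offenders.items()}

if __name__ == "__main__":
    for src, dsts in sorted(unapproved_ntp(SAMPLE_FLOWS).items()):
        print(f"{src} -> {', '.join(dsts)}")
```

Hosts that appear in the output need their NTP client settings pointed at an approved server before the restrictive rule takes effect; otherwise they will silently lose time synchronization.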
Leverage Your Resources
For those who have downloaded the booklet and are looking to make the most of this valuable resource, be sure to check out the Fuel Tip of the Week Forum. Each week, the Fuel education team delivers a new tip for how to best utilize the Fuel Best Practices Booklet.
Resources like the Palo Alto Networks Best Practices Booklet are invaluable for making the most of your cybersecurity investment. And sharing with your colleagues extends the value even further.
Not a Fuel member? Join today.