Do you know of any DISA IA approved COTS NTP servers? Didn't see any
in the approved products lists at http://iase.disa.mil/common/index.html
Or, have you configured/tested a COTS NTP server to pass STIG tests?
Thanks,
Fran
STIG: http://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
Fran | 6/3/2010 6:08:53 PM
On 2010-06-03, Fran <fran.horan@jhuapl.edu> wrote:
> Do you know of any DISA IA approved COTS NTP servers ?
Why not use tick.usno.navy.mil or tock.usno.navy.mil? Only half a
smiley.
Greg | 6/3/2010 8:49:37 PM
In article <9ead1ef5-7000-445b-b7d1-ac1083874c65@q8g2000vbm.googlegroups.com>,
Fran <fran.horan@jhuapl.edu> wrote:
> Do you know of any DISA IA approved COTS NTP servers ? Didn't see any
> in the approved products lists at http://iase.disa.mil/common/index.html
>
> Or, have you configured/tested a COTS NTP server to pass STIG tests ?
>
> Thanks,
>
> Fran
>
> STIG: http://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
I don't recall that there are any STIGs for NTP timeservers, which are based on
small dedicated-mode computers running the NTP daemon under some kind of RTOS
kernel.
Most timeservers support at least DAC (username and password), but I don't know
of any that have been evaluated to a protection profile.
Which specific 8500.2 IA Controls (other than those that call out STIGs and
SRGs) are you responding to? What is the threat?
Joe Gwinn
Joseph | 6/4/2010 1:56:27 PM
On Jun 3, 4:49 pm, Greg Hennessy <greg.henne...@cox.net> wrote:
> On 2010-06-03, Fran <fran.ho...@jhuapl.edu> wrote:
>
> > Do you know of any DISA IA approved COTS NTP servers ?
>
> Why not use tick.usno.navy.mil or tock.usno.navy.mil? Only half a
> smiley.
That's a funny one Greg, thanks!
Fran | 6/4/2010 3:52:40 PM
On Jun 4, 9:56 am, Joseph Gwinn <joegw...@comcast.net> wrote:
> In article <9ead1ef5-7000-445b-b7d1-ac1083874...@q8g2000vbm.googlegroups.com>,
>
>  Fran <fran.ho...@jhuapl.edu> wrote:
> > Do you know of any DISA IA approved COTS NTP servers ? Didn't see any
> > in the approved products lists at http://iase.disa.mil/common/index.html
>
> > Or, have you configured/tested a COTS NTP server to pass STIG tests ?
>
> > Thanks,
>
> > Fran
>
> > STIG: http://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide
>
> I don't recall that there are any STIGs for NTP timeservers, which are based on
> small dedicated-mode computers running the NTP daemon under some kind of RTOS
> kernel.
>
> Most timeservers support at least DAC (username and password), but I don't know
> of any that have been evaluated to a protection profile.
>
> Which specific 8500.2 IA Controls (other than those that call out STIGs and
> SRGs) are you responding to? What is the threat?
>
> Joe Gwinn
I'll confess I'm a real novice to IA and STIGs, Joe. Thanks for your
ideas and questions; they will help me figure out where to investigate.
Hopefully I will bring something back to this thread after asking around
inside here.
Fran | 6/4/2010 4:31:49 PM
On 2010-06-04, Fran <fran.horan@jhuapl.edu> wrote:
> On Jun 3, 4:49 pm, Greg Hennessy <greg.henne...@cox.net> wrote:
>> > Do you know of any DISA IA approved COTS NTP servers ?
>>
>> Why not use tick.usno.navy.mil or tock.usno.navy.mil? Only half a
>> smiley.
>
> Thats a funny one Greg, thanks!
On the serious side, if you are worried about having to follow DISA
STIGS, then it seems safe to assume you are on NIPR or SIPR nets, in
which case it is probably easier to use the USNO supplied time service
rather than recreating your own. If for redundancy you wish to run
your own NTP servers (which you should point to USNO since USNO is
what all DoD sources are *SUPPOSED* to be using), I'm not aware of any
COTS NTP servers that are DISA IA approved out of the box.
Greg | 6/4/2010 7:13:03 PM
On Jun 4, 3:13 pm, Greg Hennessy <greg.henne...@cox.net> wrote:
> On 2010-06-04, Fran <fran.ho...@jhuapl.edu> wrote:
>
> > On Jun 3, 4:49 pm, Greg Hennessy <greg.henne...@cox.net> wrote:
> >> > Do you know of any DISA IA approved COTS NTP servers ?
>
> >> Why not use tick.usno.navy.mil or tock.usno.navy.mil? Only half a
> >> smiley.
>
> > Thats a funny one Greg, thanks!
>
> On the serious side, if you are worried about having to follow DISA
> STIGS, then it seems safe to assume you are on NIPR or SIPR nets, in
> which case it is probably easier to use the USNO supplied time service
> rather than recreating your own. If for redundancy you wish to run
> your own NTP servers (which you should point to USNO since USNO is
> what all DoD sources are *SUPPOSED* to be using), I'm not aware of any
> COTS NTP servers that are DISA IA approved out of the box.
Greg, thanks again for your help.
We are running on a private net inside a lab, no connections outside
of the lab. We'll run the NTP server either with a LOCAL reference
clock driver, IRIG-B, or with GPS.
A short email exchange with Symmetricom said in essence: although there is no
'IA-mode' to put the NTP servers in, the NTP server is already running
a limited number of services, and there are controls to further disable
services and ports. Therefore it seems likely to me the NTP server
could be configured as required.
The devil is in the details however. So I would need to get funded for
time to get smart on the applicable IA requirements, get a suitable
COTS NTP server, configure and test it. It's likely we can get what we
want, but it's not going to be a simple button push like the managers
would like to hear it is.
Thanks,
Fran
Fran | 6/7/2010 12:43:41 PM
Fran wrote:
> On Jun 4, 3:13 pm, Greg Hennessy<greg.henne...@cox.net> wrote:
>> On 2010-06-04, Fran<fran.ho...@jhuapl.edu> wrote:
>>
>>> On Jun 3, 4:49 pm, Greg Hennessy<greg.henne...@cox.net> wrote:
>>>>> Do you know of any DISA IA approved COTS NTP servers ?
>>
>>>> Why not use tick.usno.navy.mil or tock.usno.navy.mil? Only half a
>>>> smiley.
>>
>>> Thats a funny one Greg, thanks!
>>
>> On the serious side, if you are worried about having to follow DISA
>> STIGS, then it seems safe to assume you are on NIPR or SIPR nets, in
>> which case it is probably easier to use the USNO supplied time service
>> rather than recreating your own. If for redundancy you wish to run
>> your own NTP servers (which you should point to USNO since USNO is
>> what all DoD sources are *SUPPOSED* to be using), I'm not aware of any
>> COTS NTP servers that are DISA IA approved out of the box.
>
> Greg, thanks again for your help.
>
> We are running on a private net inside a lab, no connections outside
> of the lab. We'll run the NTP server either with a LOCAL reference
> clock driver, IRIG-B, or with GPS.
>
> A short email with Symmetricom said in essence: although there is no
> 'IA-mode' to put the NTP servers in, the NTP server is already running
> a limited amount of services, there are controls to further disable
> services and ports. Therefore it seems likely to me the NTP server
> could be configured as required.
>
> The devil is in the details however. So I would need to get funded for
> time to get smart on the applicable IA requirements, get a suitable
> COTS NTP server, configure and test it. It's likely we can get what we
> want, but its not going to be a simple button push like the managers
> would like to hear it is.
The easiest as well as cheapest might be to take the default FreeBSD +
Garmin GPS18 route: Total cost about $100 plus a few hours to
build/configure it.
The FreeBSD box doesn't need any open ports at all except 123 (the NTP
port), and you don't need any services either, so it can easily be
locked down.
(You can consider making an exception for ssh if you must have remote
management...)
Terje
--
- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"
Terje | 6/7/2010 3:37:28 PM
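Terje's lockdown, written out as an added example (this is my illustration, not text from his post or a file shipped with FreeBSD or the ntp distribution): an ntp.conf for a stand-alone GPS-disciplined server on a closed lab net, with the matching pf ruleset. The interface name em0, the 10.10.0.0/24 lab subnet, the 10.10.0.5 management host and the /dev/gps0 and /dev/gpspps0 device links (pointed at the serial port the GPS 18 LVC is wired to) are assumptions made for the example.

```conf
# /etc/ntp.conf  (FreeBSD, stand-alone stratum-1 on a closed lab net)

# Garmin GPS 18 LVC via the NMEA driver (127.127.20.u): serial timecode on
# /dev/gps0, PPS on /dev/gpspps0 (both device links are assumed to exist).
# mode 0 = all NMEA sentences at 4800 baud; flag1 1 = discipline on the PPS edge.
server 127.127.20.0 mode 0 minpoll 4 maxpoll 4 prefer
fudge  127.127.20.0 flag1 1 time2 0.0     # time2: serial-timecode offset, calibrate for your cable

# No upstream servers: nothing leaves the lab, so no "server <host>" lines at all.

# Default policy for everyone: time service only.
#   noquery  - drop ntpq (mode 6) and ntpdc (mode 7) status queries
#   nomodify - refuse runtime reconfiguration
#   nopeer   - refuse unsolicited peer associations
#   notrap   - no control-message traps
#   kod      - answer abusive clients with a Kiss-o'-Death packet
#   limited  - rate-limit clients (works with the discard settings)
restrict default    kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited

# Loopback keeps query access so ntpq/ntpdc still work from the console or ssh.
restrict 127.0.0.1
restrict -6 ::1

# Lab subnet (assumed): plain time service, same restrictions as default but no rate-limit KoD.
restrict 10.10.0.0 mask 255.255.255.0 nomodify notrap nopeer noquery

# Turn off the mode-7 monitor list entirely (the "monlist" amplification vector).
disable monitor

driftfile /var/db/ntpd.drift
```

```conf
# /etc/pf.conf  (names and addresses are example assumptions)
ext_if    = "em0"
lab_net   = "10.10.0.0/24"
mgmt_host = "10.10.0.5"

set block-policy drop
set skip on lo0

block all

# Time service: NTP requests from the lab subnet only (replies are handled by state)
pass in on $ext_if proto udp from $lab_net to ($ext_if) port 123 keep state

# Remote management, Terje's one exception: ssh from a single management host
pass in on $ext_if proto tcp from $mgmt_host to ($ext_if) port 22 flags S/SA keep state

# A stand-alone refclock server has no upstream NTP, DNS or package fetches to make;
# allow outbound ICMP so path problems on the lab net stay diagnosable.
pass out on $ext_if proto icmp keep state
```

Verify with `sockstat -4 -l`, which should list only ntpd on udp/123 (and sshd on tcp/22 if the exception is kept), and with `ntpq -p`: run on the box itself it must still show the GPS reachable, while the same query from a lab host gets no answer because of `noquery`. `noquery` does not touch time service for clients; it only removes the status and control paths (ntpq, ntpdc, monlist) from the wire, which is the part an assessor will poke at first.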
Terje Mathisen <"terje.mathisen at tmsw.no"> wrote:
> The easiest as well as cheapest might be to take the default FreeBSD
> + Garmin GPS18 route: Total cost about $100 plus a few hours to
> build/configure it.
>> The FreeBSD box doesn't need any open ports at all except 123 (the NTP
> port), and you don't need any services either, so it can easily be
> locked down.
> (You can consider making an exception for ssh if you must have remote
> management...)
Easiest... while it is certainly possible that procurement rules have
changed since I was a summer intern at NRL '84-87 I suspect that
"build your own" may not actually be easiest in the context of
U.S. Government procurement and certification procedures :)
rick jones
--
oxymoron n, commuter in a gas-guzzling luxury SUV with an American flag
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
Rick | 6/7/2010 9:29:20 PM
Rick Jones wrote:
> Terje Mathisen<"terje.mathisen at tmsw.no"> wrote:
>> The easiest as well as cheapest might be to take the default FreeBSD
>> + Garmin GPS18 route: Total cost about $100 plus a few hours to
>> build/configure it.
>
>> The FreeBSD box doesn't need any open ports at all except 123 (the NTP
>> port), and you don't need any services either, so it can easily be
>> locked down.
>
>> (You can consider making an exception for ssh if you must have remote
>> management...)
>
> Easiest... while it is certainly possible that procurement rules have
> changed since I was a summer intern at NRL '84-87 I suspect that
> "build your own" may not actually be easiest in the context of
> U.S. Government procurement and certification procedures :)
I did realize that, then considered the fact that the FreeBSD version is
pretty much the canonical ntpd target:
Running everything directly on the protocol's recommended platform, and
with source code for everything, would make it very easy to document
that the server is on spec.
OTOH, I have crashed head-on into some bureaucracies in my time, and it
hasn't always been possible to make them see the light. :-(
Terje
--
- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"
Terje | 6/8/2010 5:23:34 AM
Terje Mathisen <"terje.mathisen at tmsw.no"> wrote:
> Running everything directly on the protocol's recommended platform, and
> with source code for everything, would make it very easy to document
> that the server is on spec.
I wonder if they would consider the presence of source code (and the
implied possibility of hand-checking all of it to make sure it is secure)
would be sufficient. It would probably fit in some bureaucratic
ruleset, but we all know that security issues *are* found in open source
products. Even with only port 123 open, there could always be some
as of yet unknown security issue in ntpd. It would certainly not be
very easy to prove, using the source code, that there is none.
Rob | 6/8/2010 8:07:45 AM
On Jun 8, 4:07 am, Rob <nom...@example.com> wrote:
> Terje Mathisen <"terje.mathisen at tmsw.no"> wrote:
>
> > Running everything directly on the protocol's recommended platform, and
> > with source code for everything, would make it very easy to document
> > that the server is on spec.
>
> I wonder if they would consider the presence of source code (and the
> implied possibility of hand-checking all of it to make sure it is secure)
> would be sufficient. It would probably fit in some bureaucratic
> ruleset, but we all know that security issues *are* found in open source
> products. Even with only port 123 open, there could always be some
> as of yet unknown security issue in ntpd. It would certainly not be
> very easy to prove, using the source code, that there is none.
You can find some good guidance if you google 'DoD open source'. I
believe the presence of available source code helps a lot in allowing
its use.
For our application and business environment, I would like to try very
hard to find a commercial product. But a homebrew system would be a
fallback.
Thanks everybody for your ideas,
Fran
Fran | 6/8/2010 2:40:50 PM
Fran writes:
> For our application and business environment, I would like to try very
> hard to find a commercial product. But a homebrew system would be a
> fallback.
"Open Source" and "commercial" are not mutually exclusive nor does "Free
Software" necessarily imply "homebrew".
--
John Hasler
jhasler@newsguy.com
Dancing Horse Hill
Elmwood, WI USA
John | 6/8/2010 2:56:59 PM
On 2010-06-08, Rob <nomail@example.com> wrote:
> Terje Mathisen <"terje.mathisen at tmsw.no"> wrote:
>> Running everything directly on the protocol's recommended platform, and
>> with source code for everything, would make it very easy to document
>> that the server is on spec.
>
> I wonder if they would consider the presence of source code (and the
> implied possibility of hand-checking all of it to make sure it is secure)
> would be sufficient. It would probably fit in some bureaucratic
> ruleset, but we all know that security issues *are* found in open source
> products. Even with only port 123 open, there could always be some
> as of yet unknown security issue in ntpd. It would certainly not be
> very easy to prove, using the source code, that there is none.
That depends on what use is made of port 123. If it is simple enough
then proving security at least of the handling of net input should not be hard.
To prove that ntpd exactly follows spec for all its operation would be
hard.
unruh | 6/8/2010 6:24:47 PM
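unruh's point is that what matters is what use is made of port 123. As an added example (my own illustration, not code from any poster or from the ntp distribution), here is a probe that sends a server the three kinds of packet that arrive on udp/123 and reports which get an answer: a mode 3 time request, which a time server must answer; a mode 6 control query (what ntpq sends); and a mode 7 private query (the ntpdc monlist request). A server restricted with noquery answers the first and silently drops the other two. The stratum-1 reply the decoder is exercised with is constructed for the example, not captured; probe() needs a real host on the lab net.

```python
"""Probe an NTP server on udp/123 and report which request modes it answers.

Added example for this thread (not code from ntpd or any poster). A hardened
time server answers mode 3 client requests and drops mode 6 (ntpq control)
and mode 7 (ntpdc private, e.g. monlist) queries without replying.
"""
import socket
import struct
import sys
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
# 48-byte NTP header: flags, stratum, poll, precision, rootdelay, rootdisp, refid, 4 timestamps
NTP_PACKET = "!BBBbII4sQQQQ"


def unix_to_ntp(t: float) -> int:
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    sec = int(t) + NTP_EPOCH_OFFSET
    frac = int((t - int(t)) * 2**32)
    return (sec << 32) | frac


def build_client_request(xmt_ts: int = 0) -> bytes:
    """Mode 3 client request: LI=0, VN=4, mode=3 packed into first byte 0x23."""
    return struct.pack(NTP_PACKET, 0x23, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, xmt_ts)


def build_control_request(opcode: int = 2) -> bytes:
    """Mode 6 control request (12-byte header). Opcode 2 is READVAR, what
    'ntpq -c rv' sends; 'restrict ... noquery' makes ntpd drop it."""
    # 0x26 = VN 4, mode 6; then R/E/M bits + opcode, sequence, status, assoc id, offset, count
    return struct.pack("!BBHHHHH", 0x26, opcode & 0x1F, 1, 0, 0, 0, 0)


def build_monlist_request() -> bytes:
    """Mode 7 private request: implementation 3 (XNTPD), request code 42
    (MON_GETLIST_1), i.e. 'ntpdc -c monlist'. Dropped by noquery / disable monitor."""
    # 0x17 = R=0, M=0, VN 2, mode 7; auth/seq byte; impl; reqcode; err/nitems; mbz/size
    return struct.pack("!BBBBHH", 0x17, 0x00, 0x03, 0x2A, 0, 0)


def parse_server_reply(data: bytes) -> dict:
    """Decode the fields a check cares about from a mode 4 server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    (flags, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, _orig, _recv, xmt) = struct.unpack(NTP_PACKET, data[:48])
    # refid is a text tag ("GPS", "IRIG", "LOCL") at stratum 0/1 and an IPv4 address above that
    refid_txt = (refid.rstrip(b"\0").decode("ascii", "replace") if stratum <= 1
                 else ".".join(str(b) for b in refid))
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        "refid": refid_txt,
        "xmt_unix": (xmt >> 32) - NTP_EPOCH_OFFSET + (xmt & 0xFFFFFFFF) / 2**32,
    }


def sample_gps_reply() -> bytes:
    """Constructed (not captured) stratum-1 reply from a GPS-disciplined server;
    transmit timestamp = Unix 1275600000 (3 June 2010)."""
    xmt = unix_to_ntp(1275600000)
    return struct.pack(NTP_PACKET, 0x24, 1, 4, -20, 0, 0, b"GPS\0", xmt, 0, xmt, xmt)


def classify(replies: dict) -> str:
    """Summarise a probe: replies maps client/control/private to bytes or None."""
    if replies.get("client") is None:
        return "unreachable"   # no time service at all: host down or udp/123 filtered
    if replies.get("control") or replies.get("private"):
        return "exposed"       # answers ntpq/ntpdc queries: noquery / disable monitor missing
    return "hardened"          # time service only


def probe(host: str, timeout: float = 2.0) -> dict:
    """Send the three probes to host:123; each value is the reply or None on timeout."""
    probes = (("client", build_client_request(unix_to_ntp(time.time()))),
              ("control", build_control_request()),
              ("private", build_monlist_request()))
    replies = {}
    for name, packet in probes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (host, NTP_PORT))
            try:
                replies[name], _ = s.recvfrom(1024)
            except socket.timeout:
                replies[name] = None
    return replies


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = probe(target)
    if result["client"]:
        print("time service:", parse_server_reply(result["client"]))
    print(target, "->", classify(result))
```

Run it twice: from a lab host, where the expected verdict is "hardened", and on the server itself against 127.0.0.1, where the control query is normally still answered because the loopback is left unrestricted for administration. A verdict of "unreachable" from the subnet means the firewall or the restrict lines are too tight rather than too loose, which is the failure mode the managers will notice first.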
In article <62b84ad9-7d4c-4074-960e-aae4ef826f2c@u7g2000yqm.googlegroups.com>,
Fran <fran.horan@jhuapl.edu> wrote:
> On Jun 4, 3:13 pm, Greg Hennessy <greg.henne...@cox.net> wrote:
> > On 2010-06-04, Fran <fran.ho...@jhuapl.edu> wrote:
> >
> > > On Jun 3, 4:49 pm, Greg Hennessy <greg.henne...@cox.net> wrote:
> > >> > Do you know of any DISA IA approved COTS NTP servers ?
> >
> > >> Why not use tick.usno.navy.mil or tock.usno.navy.mil? Only half a
> > >> smiley.
> >
> > > Thats a funny one Greg, thanks!
> >
> > On the serious side, if you are worried about having to follow DISA
> > STIGS, then it seems safe to assume you are on NIPR or SIPR nets, in
> > which case it is probably easier to use the USNO supplied time service
> > rather than recreating your own. If for redundancy you wish to run
> > your own NTP servers (which you should point to USNO since USNO is
> > what all DoD sources are *SUPPOSED* to be using), I'm not aware of any
> > COTS NTP servers that are DISA IA approved out of the box.
>
> Greg, thanks again for your help.
>
> We are running on a private net inside a lab, no connections outside
> of the lab. We'll run the NTP server either with a LOCAL reference
> clock driver, IRIG-B, or with GPS.
GPS would be the simplest solution, and there are many classified networks with
GPS timeservers, so there is ample precedent. For IA, the key is that a GPS
receiver does not connect in any way to the internet, so there is no way for
someone to hack in via the GPS receiver. The fact that GPS is a DoD system
doesn't hurt either.
> A short email with Symmetricom said in essence: although there is no
> 'IA-mode' to put the NTP servers in, the NTP server is already running
> a limited amount of services, there are controls to further disable
> services and ports. Therefore it seems likely to me the NTP server
> could be configured as required.
>
> The devil is in the details however. So I would need to get funded for
> time to get smart on the applicable IA requirements, get a suitable
> COTS NTP server, configure and test it. It's likely we can get what we
> want, but its not going to be a simple button push like the managers
> would like to hear it is.
Lots of things on networks lack anything resembling "IA mode" (whatever that
is), and yet life goes on.
Joe Gwinn
Joseph | 6/10/2010 1:08:32 PM
14 Replies | 430 Views