Secure NTP Proxy

The Network Time Protocol (NTP) is an older, but still very useful, Internet protocol designed to allow network devices and servers to synchronize their clocks with one or more centralized time servers, across a variable-latency network. In applications where time synchronization across devices is important, the ability to administer time across a large number of devices from a small number of centralized time servers using NTP is a significant advantage.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for NTP, requiring network administrators to choose between two equally unacceptable alternatives: prevent NTP traffic from passing through the firewall, effectively isolating the devices beyond from the primary time servers, or allow NTP traffic to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for NTP traffic, enabling network devices and servers to effectively reach back through the firewalls to the centralized time servers, while mitigating the associated security risks through careful inspection and filtering of all NTP traffic.

ZoneRanger’s NTP proxy service can be configured to operate in either of two modes:

  • The ZoneRanger can obtain its time from a centralized NTP server, and can act as a secondary time server, responding autonomously to NTP requests from client devices.
  • The ZoneRanger can act as a straight NTP protocol proxy, inspecting NTP requests received from client devices, relaying valid requests onto a centralized time server, and relaying server responses back to the requesting clients.

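As an added illustration of the second mode (this is not ZoneRanger's code, and the page does not describe its filtering rules), the Python example below shows the kind of header check an NTP proxy can apply before relaying a client request. The policy (48-byte unauthenticated requests, client mode only, NTP versions 3 and 4), the function names and the sample datagrams are all assumptions.

```python
NTP_HEADER_LEN = 48        # fixed NTP header; assumed policy: no extensions or MAC
MODE_CLIENT = 3            # RFC 5905 mode value for a client request
ALLOWED_VERSIONS = {3, 4}  # assumed policy: relay NTPv3 and NTPv4 clients only


def inspect_request(datagram: bytes) -> tuple[bool, str]:
    """Decide whether one UDP payload from a client may be relayed upstream."""
    if len(datagram) != NTP_HEADER_LEN:
        return False, "unexpected length"
    # First octet packs leap indicator (2 bits), version (3 bits), mode (3 bits).
    first = datagram[0]
    version = (first >> 3) & 0x7
    mode = first & 0x7
    if mode != MODE_CLIENT:
        # Rejects control (6) and private (7) queries as well as
        # server, broadcast and symmetric modes arriving from clients.
        return False, f"mode {mode} not allowed"
    if version not in ALLOWED_VERSIONS:
        return False, f"version {version} not allowed"
    return True, "ok"


def first_octet(version: int, mode: int, leap: int = 0) -> int:
    """Build the LI/VN/Mode octet for a constructed sample datagram."""
    return (leap << 6) | (version << 3) | mode


def demo() -> list[tuple[bool, str]]:
    """Run the check over constructed sample datagrams (not captured traffic)."""
    pad = bytes(NTP_HEADER_LEN - 1)
    samples = [
        bytes([first_octet(4, 3)]) + pad,       # NTPv4 client request
        bytes([first_octet(2, 7)]) + pad,       # private-mode query
        bytes([first_octet(1, 3)]) + pad,       # obsolete NTPv1 client
        bytes([first_octet(2, 6)]) + bytes(11), # 12-byte control message
    ]
    return [inspect_request(s) for s in samples]


if __name__ == "__main__":
    for relay, reason in demo():
        print("RELAY" if relay else "DROP ", reason)
```
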
NTP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP