WESM zl Management and Configuration Guide WT.01.28 and greater

2-141
Configuring the ProCurve Wireless Edge Services zl Module
Enabling Secure Network Time Protocol (NTP)
Several organizations on the Internet offer NTP servers at stratums 1 through 3. Some
require you to purchase the service, and others grant it for free. You can configure
your Wireless Edge Services zl Module to communicate with one of these servers
and then, acting as a server, pass the time on to clients in your network.
When you configure your Wireless Edge Services zl Module to act as the master
clock, it uses its internal clock to set the time. In this case, you must set this clock’s
stratum. (See “Configuring Secure NTP Options” on page 2-143.)
Secure NTP Enhancements
Knowing the correct time is not only crucial for proper network functioning but also
for security. Most security protocols involve timestamps to prevent replay attacks. If
an attacker can tamper with your network’s NTP implementation, then he or she may
be able to circumvent protections built into otherwise secure protocols. Secure NTP
provides several mechanisms for ensuring that devices receive the time from trusted
sources:
Access Control Lists (ACLs)—You can apply ACLs to control the sources from which the Wireless Edge Services zl Module accepts particular types of NTP messages.

Authentication—If you configure the module to require authentication, it accepts the time only from neighbors that prove they are legitimate. Neighbors authenticate their messages by adding a message authentication code that is generated using an encryption key. In addition to requiring authentication, the module can authenticate to other NTP hosts.

Encryption for authentication comes in two varieties:

    With symmetric keys—You manually set the same key on the module and its neighbor or client. Each message exchanged includes a message authentication code that is generated using this key.

    With autokey—The Wireless Edge Services zl Module and the neighbor or client use public key cryptography, as in a public key infrastructure (PKI), to automatically generate encryption keys.

    The client sends the public key associated with its digital certificate to the secure NTP server. The server uses a fast algorithm and a private value to create a cookie, which it encrypts with the client’s public key and returns to the client. Both the client and the server then use the cookie to generate a list of keys for creating message authentication codes.

    By encrypting the cookie with the client’s public key, the server ensures that only the client can use the cookie. The client, for its part, must initially trust the server. After this initial trust, the client knows that the same server is sending the time because only that server has the cookie that generates the correct keys.
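The symmetric-key variety described above, as an added example that is not code from this guide or from the module itself: the message authentication code that NTPv4 (RFC 5905) appends to a packet is a 32-bit key id followed by a digest over the shared key and the packet, and a receiver that requires authentication rejects messages that carry no MAC, a MAC under an unknown key id, or a MAC that no longer matches the packet. The key table and the timestamp are constructed values, and because the guide does not name the module's digest algorithm, MD5 as in RFC 5905 is assumed here.

```python
import hashlib
import hmac
import struct

# Constructed demo key table (key id -> shared secret). The secret is an
# assumption for this example, not a value taken from the guide.
KEYS = {1: b"demo-ntp-symmetric-key"}

HEADER_FMT = "!BBbb11I"   # 48-byte NTP header: LI/VN/mode, stratum, poll,
                          # precision, then root delay, root dispersion,
                          # reference id and four 64-bit timestamps
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAC_LEN = 4 + 16          # 32-bit key id + 128-bit MD5 digest (RFC 5905)


def build_packet(stratum=2, tx_seconds=0xE5B00000, tx_fraction=0):
    """Build a minimal NTPv4 server-mode packet carrying a transmit timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4      # LI=0, version 4, mode 4 (server)
    words = [0] * 11
    words[9] = tx_seconds                     # transmit timestamp, seconds
    words[10] = tx_fraction                   # transmit timestamp, fraction
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, *words)


def append_mac(packet, key_id):
    """Append key id + MD5(key || packet): the symmetric-key MAC of RFC 5905."""
    digest = hashlib.md5(KEYS[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message):
    """Return True only if the message carries a valid MAC under a trusted key."""
    if len(message) < HEADER_LEN + MAC_LEN:
        return False                          # no MAC at all: reject
    body, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = KEYS.get(key_id)
    if key is None:
        return False                          # key id not in the trusted table
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, mac[4:])   # constant-time comparison


def tamper(message, offset, mask=0x01):
    """Flip one bit at the given offset, to show the MAC check catching changes."""
    altered = bytearray(message)
    altered[offset] ^= mask
    return bytes(altered)
```

Flipping a bit in the transmit timestamp (offset 40) or in the key id (offset 48) of an authenticated message makes verify_mac return False, which is the property that stops an on-path host from altering the time a client accepts.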