Security Features - Symmetricom TimeProvider 5000 User Manual

IEEE 1588 grand master clock / NTP server

Chapter 1 Overview

Security Features

The TP5000 was designed to provide a high level of security on the Ethernet ports.
The protocols running on the module run behind an internal firewall on the module.
This allows access to the UDP ports to be limited or made completely inaccessible
to other systems.
Each of the service ports only allows NTP, PTP, ICMP, and IGMP. The IMC allows
user-configuration of the firewall, which includes ICMP, FTP, SFTP, SSH, telnet, and
SNMP.
If a service port is configured to run PTP, then it will ignore NTP packets and
vice-versa. If the port is configured for unicast service, then multicast packets are
ignored.
The service ports do not support routing protocols between the ports. This prevents
a malicious attack on Port 1 (network 1) from being used to send a malicious attack
via Port 2 (network 2) or vice-versa. This applies both to the IOC modules and to
the 16 ports on the TP E10 expansion shelf.
The service ports also include a hardware traffic limiter. If the number of packets per
second exceeds the limit, the module will generate an alarm indicating excessive
traffic is being seen. This could be an indication of a malicious attack or it could also
be a large number of clients requesting service from the server. The system will
drop packets received in excess of the limit. Packets received below the limit will be
handled normally.
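The service-port behaviour described above (protocol and unicast/multicast filtering, then a packets-per-second limit with an alarm), modelled as an added Python example; it is not Symmetricom code. The limit of 5 packets per second, the fixed one-second window, the filter-before-limiter order and the names `ServicePort` and `replay` are assumptions, since the manual specifies none of them.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class ServicePort:
    service: str                 # "ntp" or "ptp": the one timing protocol this port serves
    mode: str                    # "unicast" or "multicast"
    pps_limit: int               # assumed value; the manual states no figure
    _second: int = -1
    _count: int = 0
    alarms: list = field(default_factory=list)   # seconds in which the limit was exceeded

    def admit(self, ts, proto, multicast):
        # A PTP port ignores NTP (and vice versa); a unicast port ignores multicast.
        if proto != self.service or (self.mode == "unicast" and multicast):
            return "ignored"
        sec = int(ts)
        if sec != self._second:              # start a new one-second window
            self._second, self._count = sec, 0
        self._count += 1
        if self._count <= self.pps_limit:
            return "accepted"                # below the limit: handled normally
        if sec not in self.alarms:
            self.alarms.append(sec)          # one excessive-traffic alarm per second
        return "dropped"                     # excess is dropped regardless of sender

def replay(port, packets):
    """Return (outcome totals, drops per source) for (ts, src, proto, multicast) tuples."""
    totals, drops = Counter(), Counter()
    for ts, src, proto, multicast in packets:
        outcome = port.admit(ts, proto, multicast)
        totals[outcome] += 1
        if outcome == "dropped":
            drops[src] += 1
    return totals, drops

# Constructed traffic using documentation addresses, not captured from a device.
SAMPLE = (
    [(0.1 * i, f"192.0.2.{i}", "ntp", False) for i in range(1, 4)]          # 3 clients, second 0
    + [(0.5, "192.0.2.9", "ptp", False), (0.6, "192.0.2.9", "ntp", True)]   # wrong protocol, multicast
    + [(1.0 + 0.05 * i, "198.51.100.7", "ntp", False) for i in range(8)]    # burst from one host
    + [(1.8, "192.0.2.1", "ntp", False), (1.9, "192.0.2.2", "ntp", False)]  # normal clients, same second
)

if __name__ == "__main__":
    port = ServicePort(service="ntp", mode="unicast", pps_limit=5)
    print(replay(port, SAMPLE), port.alarms)
```

In the constructed replay, two normal clients lose their requests in the same second as the burst, which is why the excessive-traffic alarm alone cannot tell an attack from heavy client load.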
If the service ports do come under attack, only the module under attack will be
affected due to the system's architecture. The IMC will continue to provide all
management facilities for the system during this type of attack. To minimize system
resource usage and deter denial of service attacks, the system is configured to
allow a maximum ICMP ping request rate of 1 per second.
Conclusions
The TP5000's architecture isolates functional areas such as user interfaces, the
module-to-module interface, and output signal generation to minimize the
possible corruption of time and frequency outputs.
Only service specific UDP protocols are enabled on the IMC or IOC modules, or
the TP E10 expansion shelves.
From a system security perspective the TP5000 provides the highest level of
security while providing very accurate time and frequency outputs. However, it
also requires that the user implement best-practice security safeguards in their
networks for the most robust levels of security.
TimeProvider 5000 User's Guide
098-00028-000 Revision F – May, 2012