The Juniper EX switch must be configured to synchronize internal information system clocks using redundant authoritative time sources.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-253920 | JUEX-NM-000430 | SV-253920r1018769_rule | Medium |
| Description |
| The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DOD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: A time server designated for the appropriate DOD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source. |
| STIG | Date |
| Juniper EX Series Switches Network Device Management Security Technical Implementation Guide | 2025-03-07 |
Details
| Check Text (C-57372r997747_chk) |
| Determine if the network device is configured to synchronize internal information system clocks with the primary and secondary time sources. Verify the Network Time Protocol (NTP) configuration. [edit system ntp] authentication-key 1 type sha256 value "PSK"; ## SECRET-DATA authentication-key 2 type sha1 value "PSK"; ## SECRET-DATA server <address 1> key 1 prefer; ## SECRET-DATA server <address 2> key 2; ## SECRET-DATA trusted-key [ 1 2 ]; source-address <lo0 or OOBM address>; If the network device is not configured to synchronize internal information system clocks with the primary and secondary time sources, this is a finding. |
| Fix Text (F-57323r843792_fix) |
| Configure the network device to synchronize internal information system clocks with the primary and secondary time sources. set system ntp authentication-key 1 type sha256 set system ntp authentication-key 1 value "PSK" set system ntp authentication-key 2 type sha1 set system ntp authentication-key 2 value "PSK" set system ntp server <address 1> key 1 set system ntp server <address 1> prefer set system ntp server <address 2> key 2 set system ntp trusted-key 1 set system ntp trusted-key 2 set system ntp source-address <lo0 or OOBM address> |