Use the Autokey Configuration tab on the NTP Configuration page to configure the algorithms, passwords, and encryption schemes that the Network IPS appliance uses to authenticate with NTP servers that use autokey authentication.
Navigating in the Network IPS Local Management Interface:
Navigating in the SiteProtector™ system: select the NTP Configuration policy.
Autokey: If both the server and the client are located outside of the firewall, they can use autokey authentication. Autokey authentication uses certificate-based key exchanges that are also known as "challenge/response" exchanges. This method of authentication is best used to authenticate servers to clients. For example, this method works well if a central server outside the firewall authenticates to several lower strata servers that are also outside the firewall. These lower strata servers use internal hardware pieces (NICs) to provide NTP access to clients inside the firewall. This option is available only for NTP version 4.
The appliance uses the configurations on this tab for all NTP servers that use the autokey exchanges.
Setting | FIPS-compliant option |
---|---|
Message Digest Algorithm | SHA-1 |
Encryption Scheme | DSA-SHA-1, RSA-SHA256, RSA-SHA384, RSA-SHA512 |
Enable identity scheme | Clear the Enable identity scheme check box. |

Setting | NIST-compliant option |
---|---|
Message Digest Algorithm | SHA-1 |
Encryption Scheme | DSA-SHA-1, RSA-SHA256, RSA-SHA384, RSA-SHA512 |
Enable identity scheme | Clear the Enable identity scheme check box. |