Black Box ET0010A User Manual

Network Clock Synchronization
EncrypTight User Guide
CAUTION
Failure to synchronize the time of all EncrypTight components can result in a loss of packets or 
compromised security. 
EncrypTight requires that the clocks on all the system’s components be synchronized. If the clocks are 
not synchronized, communications between the components can be delayed, which can prevent the 
system from working as planned.
For example, the keys on the PEPs all have an expiration time. The ETKMSs must generate new keys 
and policies prior to that expiration time in order to prevent a lapse in security or loss of network data. In 
addition, PEPs that implement the same policy require matching sets of keys for communications to 
occur. If one PEP’s keys expire before another PEP’s keys or if one PEP’s keys become active before 
another PEP’s keys, packets can be improperly dropped or passed in the clear.
It is essential that ETPM, ETKMS, and PEPs are synchronized to the same time source.
Configure the workstation running EncrypTight to synchronize with a corporate time server within 
your network or with a public time server located somewhere on the Internet, or install a time service 
on the management station.
External ETKMSs run on Linux servers that have Network Time Protocol (NTP) installed. Each of 
these ETKMSs can operate as an NTP server or an NTP client, or both. You can configure each 
ETKMS to synchronize with a time server, or you can configure the ETPM, ETKMSs and PEPs to 
synchronize with one of the ETKMS servers.
The PEPs include a Simple Network Time Protocol (SNTP) client, which can connect to an NTP 
server. The PEP SNTP client supports unicast client mode, in which the client sends a request to the 
designated NTP server and waits for a reply from the server. 
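The unicast exchange described above, as an added example (not code from the manual or from the product): it builds the client request, validates a server reply, and computes the clock offset using the standard SNTP timestamp arithmetic. The reply is constructed inline rather than captured, and the MAX_SKEW tolerance and all function names are assumptions made for illustration.

```python
import struct

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_SKEW = 1.0          # assumed tolerance in seconds; the manual states no figure

def to_ntp(unix_ts):
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_ts)
    return struct.pack("!II", secs + NTP_DELTA, int((unix_ts - secs) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_DELTA + frac / 2**32

def build_request(t1):
    """48-byte unicast request: LI=0, VN=4, Mode=3 (client), T1 in the Transmit field."""
    return bytes([(4 << 3) | 3]) + bytes(39) + to_ntp(t1)

def parse_reply(request, reply, t4):
    """Validate the server reply; return (offset, round_trip_delay) in seconds."""
    if len(reply) < 48:
        raise ValueError("short packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server is unsynchronized")
    if reply[24:32] != request[40:48]:
        raise ValueError("Originate field does not echo our request")
    t1 = from_ntp(request[40:48])
    t2, t3 = from_ntp(reply[32:40]), from_ntp(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def sample_reply(request, t2, t3):
    """Constructed stratum-2 server reply for offline use (not captured traffic)."""
    return bytes([(4 << 3) | 4, 2, 0, 0]) + bytes(20) + request[40:48] + to_ntp(t2) + to_ntp(t3)

def skew_ok(offset, limit=MAX_SKEW):
    return abs(offset) <= limit

if __name__ == "__main__":
    t1 = 1700000000.0                              # constructed: client clock at send
    req = build_request(t1)
    rep = sample_reply(req, t1 + 2.75, t1 + 2.75)  # constructed: server clock 2.5 s ahead
    offset, delay = parse_reply(req, rep, t1 + 0.5)
    print(f"offset={offset:+.3f}s delay={delay:.3f}s within_tolerance={skew_ok(offset)}")
```

The Originate check rejects a reply that does not echo the timestamp the client sent, so a stale or unrelated packet cannot move the computed offset.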
You can check the current time of your PEPs in the ETEMS Appliance Manager. Refresh the status of the 
appliances and then view the Date/Time column (you may need to resize the columns). 
NOTE
After you enable SNTP on ETEP PEPs and push the configuration, the ETEP PEPs immediately 
synchronize with the NTP server. 
If you re-provision a PEP that has been out of service, it is recommended that you synchronize the 
appliance with an NTP server and reboot it before you attempt to use the PEP with either ETEMS or 
ETPM. For more information on using SNTP, see the configuration chapter for your PEP.
IPv6 Address Support
EncrypTight supports using both IPv4 and IPv6 addresses for the ETKMS and the management port of 
the ETEPs, as well as on the management workstation. The IPv6 standard was developed to provide a 
larger address space than the IPv4 standard and is intended to replace it as the IP addresses that are 
available with the older standard are exhausted. IPv6 addressing also provides other benefits, such as 
more efficient routing.