PCI DSS requirement 2.2.1.a says “describe how system configurations verified that only one primary function per server is implemented.”
A recent client had implemented their NTP master server on the same AWS instance as their incoming jump box (VPN terminator). Did NTP count as a primary function?
Our opinion is yes, NTP should be implemented on a separate server for several reasons.
The 'one function per server control' is motivated by two concerns:
- Hardening. Are you hardening the server to do only A or only B? If you try to harden it to do both A & B, then the combined (more relaxed) hardening standard may introduce unexpected weaknesses.
- Pivoting. If a flaw in one function is exploited, it may allow an attacker to exploit the other function. This is clearly a huge concern in this jump box + NTP scenario.
NTP is a fundamental part of forensic investigations (see our blog “What time is it?”) and is, therefore, a primary function such that a compromise of the jump box could immediately compromise all time stamps.Primary functions in our opinion should certainly include this list:
- Proxy/remote access
- Authentication management
- Role-based access control
- Update/patch management for operating systems and applications
- Anti-virus management, updates, logging, and central status monitoring
- Web servers
- Alerting, log review
Each of these functions needs to be implemented on its own server (or a separate VM in a virtualized environment).
To analyze the specific case of NTP and jump box commingling: the direction of traffic is entirely different. Getting time from one or more trusted sources requires outgoing connections over the internet and no incoming connection. The jump box is receiving connections from the internet and is a foothold into the CDE.
If NTP were implemented on the jump box, all the other components of the CDE and its adjacent systems need access to time and would be connecting into the time server piercing the DMZ. Putting NTP on its own server inside the DMZ is a far more secure implementation.
Bonus Opinion: What constitutes a trusted time source?
Several clients have presented to us using pool.ntp.org as their PCI-compliant source of time. We disagree.
Since anyone can join the pool, it would not take very many malefactors to cause a skew in the notion of time provided by the pool.
A much more authoritative set of sources can be found at NIST and the US Navy.