PCI DSS requirement 2.2.1.a says “describe how system configurations verified that only one primary function per server is implemented.”
A recent client had implemented their NTP master server on the same AWS instance as their incoming jump box (VPN terminator). Did NTP count as a primary function?
Our opinion is yes: NTP should be implemented on a separate server, for several reasons.
The 'one function per server control' is motivated by two concerns:
NTP is a fundamental part of forensic investigations (see our blog “What time is it?”) and is, therefore, a primary function. Hosting it on the jump box means that a compromise of the jump box immediately compromises the time source, and with it every timestamp in the CDE's logs.
Primary functions, in our opinion, should certainly include this list:
Each of these functions needs to be implemented on its own server (or a separate VM in a virtualized environment).
To analyze the specific case of commingling NTP and the jump box: the direction of traffic is entirely different. A time server gets time from one or more trusted upstream sources over outgoing connections to the internet and accepts no inbound connections from the internet. The jump box exists to receive connections from the internet and is a foothold into the CDE.
If NTP were implemented on the jump box, every other component of the CDE and its adjacent systems would need to reach it for time, so all of them would be connecting into the jump box and piercing the DMZ boundary at exactly the host most exposed to attack. Putting NTP on its own server inside the DMZ, reachable from the CDE on UDP 123 only and with no inbound access from the internet, is a far more secure implementation.
Several clients have presented pool.ntp.org to us as their PCI-compliant source of time. We disagree.
Since anyone can join the pool, it would not take very many malefactors to cause a skew in the notion of time provided by the pool, and because plain NTP carries no authentication, a client has no way to tell a bad pool member from a good one.
A much more authoritative set of sources can be found at NIST and the US Navy (USNO); NIST additionally offers an authenticated NTP service, which should be preferred where the CDE can support it.
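To make the skew argument concrete, here is an added example (our own illustration, not code from the original post or from any NTP implementation) of what an NTP client actually sees: a minimal SNTP response parser that computes the clock offset from the four RFC 5905 timestamps, with the sanity checks a careful client applies (server mode, kiss-o'-death, unsynchronized stratum, origin-timestamp match), followed by a majority-style source selection. The packets and offsets are constructed inline for the example; the 300-second figure is an arbitrary assumed skew, not a measurement from the pool.

```python
"""Added example: SNTP offset computation and majority source selection.
All packets below are constructed for illustration; nothing here talks to
a real NTP server.
"""
import struct
from statistics import median

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 to 1970-01-01
# RFC 5905 48-byte header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit (32.32 fixed) timestamps.
FMT = "!BBbbII4sIIIIIIII"


def float_to_ntp_ts(t: float) -> tuple[int, int]:
    """Unix seconds (float) -> (seconds, fraction) NTP timestamp."""
    ntp = t + NTP_EPOCH_DELTA
    sec = int(ntp)
    return sec, int((ntp - sec) * 2**32)


def ntp_ts_to_float(sec: int, frac: int) -> float:
    """(seconds, fraction) NTP timestamp -> Unix seconds (float)."""
    return sec - NTP_EPOCH_DELTA + frac / 2**32


def build_response(stratum: int, t1: float, t2: float, t3: float,
                   leap: int = 0) -> bytes:
    """Construct a server (mode 4) NTPv4 reply: echoes the client's transmit
    time t1 as origin, and carries the server receive (t2) and transmit (t3)
    times. Root delay/dispersion/refid are zeroed for the example."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    return struct.pack(FMT, li_vn_mode, stratum, 6, -20, 0, 0, b"XNTP",
                       0, 0, *float_to_ntp_ts(t1), *float_to_ntp_ts(t2),
                       *float_to_ntp_ts(t3))


def parse_response(data: bytes, t1: float, t4: float) -> tuple[int, float]:
    """Validate a reply and return (stratum, offset). t1 is the client's
    transmit time, t4 the time the reply arrived at the client."""
    if len(data) != struct.calcsize(FMT):
        raise ValueError("unexpected packet length")
    f = struct.unpack(FMT, data)
    li, mode, stratum = f[0] >> 6, f[0] & 0x7, f[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if stratum == 0:
        raise ValueError("kiss-o'-death packet")
    if li == 3 or stratum >= 16:
        raise ValueError("server is unsynchronized")
    if (f[9], f[10]) != float_to_ntp_ts(t1):
        # A reply that does not echo our transmit time is stale or spoofed.
        raise ValueError("origin timestamp mismatch")
    t2 = ntp_ts_to_float(f[11], f[12])
    t3 = ntp_ts_to_float(f[13], f[14])
    delay = (t4 - t1) - (t3 - t2)
    if delay < 0:
        raise ValueError("negative round-trip delay")
    offset = ((t2 - t1) + (t3 - t4)) / 2  # RFC 5905 clock offset
    return stratum, offset


def naive_offset(offsets: list[float]) -> float:
    """What a client that simply takes the median of all sources would use."""
    return median(offsets)


def select_offset(offsets: list[float], tolerance: float = 0.128):
    """Pick the largest group of sources whose offsets agree within
    `tolerance` seconds; refuse (return None) unless that group is a strict
    majority of all sources. The tolerance is an assumed value."""
    best: list[float] = []
    for o in offsets:
        group = [x for x in offsets if abs(x - o) <= tolerance]
        if len(group) > len(best):
            best = group
    if len(best) * 2 <= len(offsets):
        return None
    return median(best)


if __name__ == "__main__":
    t1 = 1_700_000_000.0          # constructed client transmit time
    t4 = t1 + 0.020               # constructed arrival time (20 ms RTT)
    _, good = parse_response(build_response(2, t1, t1 + 0.010, t1 + 0.011), t1, t4)
    _, bad = parse_response(build_response(2, t1, t1 + 300.010, t1 + 300.011), t1, t4)
    print("honest offset", round(good, 4), "skewed offset", round(bad, 4))
    print("2 of 4 bad, naive:", round(naive_offset([good, good, bad, bad]), 4))
    print("2 of 4 bad, majority:", select_offset([good, good, bad, bad]))
    print("2 of 7 bad, majority:", round(select_offset([good] * 5 + [bad] * 2), 4))
```

With four sources, two of which lie by the same amount, a client that averages or takes the median lands 150 seconds off; the majority rule refuses to step the clock at all because no group agrees. With seven sources the five honest ones outvote the two liars. The practical consequence for the DMZ time server is to configure more upstream sources than you are willing to have compromised, drawn from operators you can name, rather than an anonymous pool.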