Security Basics mailing list archives
RE: Help in NTP server
From: "Burton M. Strauss III" <Burton () FelisCatus org>
Date: Tue, 9 Nov 2004 08:24:53 -0600
Interesting paper, but it doesn't say Boo about WHERE to place the ntp servers and is very Cisco-ish. Still, the basic drawings are useful!

Although I don't know of any attacks on ntp, it is a critical service once you get things like Kerberos running, not to mention the usual reasons you want to sync time.

If time is truly critical to you and this is a large LAN, then you probably want to look at buying your own GPS-driven Stratum 1 server. Or you can look at BUILDING an S1 using cheap hardware - see, for example, http://blizzard.rwic.und.edu/~nordlie/ntp-gps/. Regardless of platform, your S1 server should go inside the LAN.

But more typically you are going to be syncing with a set of public Stratum 2 servers (or maybe Stratum 1, depending upon the size of your LAN). If you don't want to punch NTP through your inbound-LAN firewall, then I would suggest you put time servers in BOTH places:

In the DMZ, sync two DMZ ntp servers with each other and the S2 masters.

In the LAN, sync two (or more) LAN ntp servers with each other, the DMZ servers and the S2 masters.

One little trick: make sure you have more S2 masters in your ntp.conf file than you have DMZ servers. That way, if somebody hacks your DMZ servers they'll be seen as outliers and so LAN time will remain in sync with the rest of the world.

(From RFC 1935: "In the case of multiple primary servers, the spanning-tree computation will usually select the server at minimum synchronization distance. However, when these servers are at approximately the same distance, the computation may result in random selections among them as the result of normal dispersive delays. Ordinarily, this does not degrade accuracy as long as any discrepancy between the primary servers is small compared to the synchronization distance. If not, the filter and selection algorithms will select the best of the available servers and cast out outlyers as intended.")

-----Burton
-----Original Message-----
From: Mark Lewis [mailto:mark () mjlnet com]
Sent: Sunday, November 07, 2004 11:17 AM
To: Sam Koh
Cc: sec-basic list; Sec.Focus FW
Subject: RE: Help in NTP server

Here's a pretty good white paper from Cisco:
http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml

Hope that helps,

Mark

Author: http://www.amazon.com/exec/obidos/ASIN/1587051044/

-----Original Message-----
From: Sam Koh [mailto:kohgimleng () yahoo com]
Sent: 05 November 2004 03:17
To: firewalls () securityfocus com
Subject: Help in NTP server

Hi list,

Does anyone know where I can find writeups on NTP server design? I am trying to find out the best practices regarding the deployment of an NTP server - should it be in the DMZ, should it be in the internal network, and why should it be in the DMZ or the internal network?

Thanks in advance

Gim Leng
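Burton's "more S2 masters than DMZ servers" trick relies on the NTP selection step the RFC quote describes: each source yields a correctness interval around its measured offset, and the intersection algorithm (Marzullo's algorithm, which RFC 1305 and RFC 5905 build on) keeps the largest set of sources whose intervals mutually overlap and casts out the rest as falsetickers. The example below is an added illustration, not code from the thread or from ntpd: a simplified intersection algorithm run over a constructed scenario in which two DMZ servers have been pushed one hour fast and a varying number of honest public Stratum 2 masters remain. Server names, offsets and root distances are hypothetical; real ntpd adds clustering, dispersion and jitter weighting on top of this step.

```python
"""Simplified NTP intersection (Marzullo) algorithm, added example.

Constructed scenario: a LAN ntp server peers with two DMZ ntp servers
that an attacker has pushed one hour fast, plus some honest public
Stratum 2 masters.  Each source is modelled as a correctness interval
[offset - distance, offset + distance]; the selection step keeps the
largest set of sources whose intervals mutually overlap and discards
the rest as falsetickers ("outlyers").  Names and numbers are
hypothetical; offsets and distances are in seconds.
"""
from typing import NamedTuple


class Source(NamedTuple):
    name: str
    offset: float    # measured clock offset against this source
    distance: float  # root distance: half-width of its correctness interval


# Constructed sample measurements, not real servers.
HONEST_S2 = [
    Source("s2-a.example", -0.005, 0.025),
    Source("s2-b.example", 0.010, 0.020),
    Source("s2-c.example", -0.005, 0.015),
]
HACKED_DMZ = [
    Source("dmz-ntp1", 3600.000, 0.010),   # both lie by +1 hour, and agree
    Source("dmz-ntp2", 3600.000, 0.010),
]


def select_truechimers(sources):
    """Return (low, high, truechimer_names, falsetickers_allowed) or None.

    Finds the narrowest interval contained in the intervals of at least
    m - f sources, increasing f only while 2f < m, i.e. a strict
    majority must agree.  None means no majority exists and the
    selection cannot distinguish truth from lies.
    """
    m = len(sources)
    events = []
    for s in sources:
        events.append((s.offset - s.distance, +1))   # interval starts
        events.append((s.offset + s.distance, -1))   # interval ends
    for f in range((m + 1) // 2):                    # every f with 2f < m
        need = m - f
        low = high = None
        count = 0
        # Ascending sweep; at equal edges process starts before ends.
        for edge, kind in sorted(events, key=lambda e: (e[0], -e[1])):
            count += kind
            if count >= need:
                low = edge
                break
        count = 0
        # Descending sweep; at equal edges process ends before starts.
        for edge, kind in sorted(events, key=lambda e: (-e[0], e[1])):
            count -= kind
            if count >= need:
                high = edge
                break
        if low is not None and high is not None and low <= high:
            chimers = [s.name for s in sources
                       if s.offset - s.distance <= high
                       and s.offset + s.distance >= low]
            return low, high, chimers, f
    return None


if __name__ == "__main__":
    for label, honest in (("3 S2 vs 2 DMZ", HONEST_S2),
                          ("2 S2 vs 2 DMZ", HONEST_S2[:2]),
                          ("1 S2 vs 2 DMZ", HONEST_S2[:1])):
        result = select_truechimers(HACKED_DMZ + honest)
        if result is None:
            print(f"{label}: no majority, cannot select a time")
        else:
            low, high, names, f = result
            print(f"{label}: truechimers {names} (f={f}), "
                  f"interval [{low:+.3f}, {high:+.3f}]")
```

With three honest masters against two compromised DMZ servers the DMZ pair is cast out and the LAN clock stays within a few tens of milliseconds of true time; with two against two there is no majority and the selection fails, and with one against two the agreeing liars win. That is why the count of trusted upstream sources, not just their presence, is the control.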