Security Basics mailing list archives

RE: Help in NTP server


From: "Burton M. Strauss III" <Burton () FelisCatus org>
Date: Tue, 9 Nov 2004 08:24:53 -0600

Interesting paper, but it doesn't say Boo about WHERE to place the ntp
servers and is very Cisco-ish.  Still, the basic drawings are useful!

Although I don't know of any attacks on ntp, it is a critical service once
you get things like Kerberos running, not to mention the usual reasons you
want to sync time.

If time is truly critical to you and this is a large LAN, then you probably
want to look at buying your own GPS driven Stratum 1 server.  Or you can
look at BUILDING a S1 using cheap hardware - see, for example
http://blizzard.rwic.und.edu/~nordlie/ntp-gps/.

Regardless of platform, your S1 server should go inside the LAN.

But more typically you are going to be syncing with a set of public Stratum
2 servers (or maybe Stratum 1, depending upon the size of your LAN).

If you don't want to punch NTP through your inbound-LAN firewall, then I
would suggest you put time servers in BOTH places:

In the DMZ, sync two DMZ ntp servers with each other and the S2 masters.

In the LAN, sync two (or more) LAN ntp servers with each other, the DMZ
servers and the S2 masters.

One little trick:  Make sure you have more S2 masters in your ntp.conf file
than you have DMZ servers.  That way, if somebody hacks your DMZ servers
they'll be seen as outliers and so LAN time will remain in sync with the
rest of the world.

(From RFC 1935:

"In the case of multiple primary servers, the spanning-tree computation
will usually select the server at minimum synchronization distance.
However, when these servers are at approximately the same distance, the
computation may result in random selections among them as the result of
normal dispersive delays. Ordinarily, this does not degrade accuracy as
long as any discrepancy between the primary servers is small compared to
the synchronization distance. If not, the filter and selection
algorithms will select the best of the available servers and cast out
outlyers as intended."

)

-----Burton
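The two-tier layout Burton describes (DMZ pair peered with each other and chasing public S2 masters; LAN pair peered with each other and chasing both the DMZ pair and the S2 masters, with more S2 masters than DMZ servers), written out as an added ntp.conf sketch for the reference ntpd. This is not part of the thread or any project's code; every hostname and address is a placeholder.

```conf
# ===== DMZ time server (dmz-ntp1) -- added example, hostnames are placeholders =====
driftfile /var/lib/ntp/ntp.drift

# Public Stratum 2 masters. Keep MORE of these than you have DMZ servers:
# four masters vs. two DMZ boxes means a tampered DMZ clock is outvoted and
# discarded as an outlier by the selection algorithm, so LAN time stays sane.
server s2-a.example.net iburst
server s2-b.example.net iburst
server s2-c.example.net iburst
server s2-d.example.net iburst

# The other DMZ server, as a symmetric peer so the pair cross-check each other.
peer dmz-ntp2.example.net

# Serve time to anyone who asks, but refuse runtime reconfiguration,
# trap registration, unsolicited peering and ntpq/ntpdc status queries.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
# The configured peer must be allowed to associate with us.
restrict dmz-ntp2.example.net nomodify notrap

# ===== LAN time server (lan-ntp1) -- added example, hostnames are placeholders =====
driftfile /var/lib/ntp/ntp.drift

# Same four public S2 masters. This only needs OUTBOUND udp/123 from the LAN
# (and the replies to it); nothing is opened inbound through the LAN firewall.
server s2-a.example.net iburst
server s2-b.example.net iburst
server s2-c.example.net iburst
server s2-d.example.net iburst

# The two DMZ servers as additional sources. Because they are outnumbered
# by the S2 masters, a compromised DMZ box cannot drag the LAN clock.
server dmz-ntp1.example.net iburst
server dmz-ntp2.example.net iburst

# The other LAN server as a symmetric peer.
peer lan-ntp2.example.net

# Tighter than the DMZ box: ignore everything by default and only serve time
# to the internal network (placeholder 10.0.0.0/8); no control queries at all.
restrict default ignore
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.0.0.0 kod nomodify notrap nopeer noquery
restrict lan-ntp2.example.net nomodify notrap
```

With `restrict default ignore` on the LAN box, replies from the upstream servers named above are still accepted, because ntpd lifts the restriction for addresses it has a configured `server`/`peer` association with only when a matching `restrict` line permits it, so add a `restrict <host> nomodify notrap noquery` line per upstream if your ntpd version drops their responses; check with `ntpq -p` that every source reaches the `*`/`+` state.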



-----Original Message-----
From: Mark Lewis [mailto:mark () mjlnet com]
Sent: Sunday, November 07, 2004 11:17 AM
To: Sam Koh
Cc: sec-basic list; Sec.Focus FW
Subject: RE: Help in NTP server


Here's a pretty good white paper from Cisco:

http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml


Hope that helps,

Mark

Author: http://www.amazon.com/exec/obidos/ASIN/1587051044/




-----Original Message-----
From: Sam Koh [mailto:kohgimleng () yahoo com]
Sent: 05 November 2004 03:17
To: firewalls () securityfocus com
Subject: Help in NTP server


Hi list,

Does anyone know where I can find write-ups on NTP server design? I am
trying to find out what the best practices are regarding the deployment of
an NTP server - should it be in the DMZ, should it be in the internal
network, and why should it be in the DMZ or the internal network?

Thanks in advance
Gim Leng


