Security Basics mailing list archives

Re: Help in NTP server


From: Kevin <kkadow () gmail com>
Date: Sat, 13 Nov 2004 01:07:07 -0600

On Wed, 10 Nov 2004 08:28:30 -0500, Christopher Adickes
<christopher_adickes () shi com> wrote:
> I also have a question about NTP.  This one may seem simple to some.  I'm
> setting up a network security device and it needs a key and key ID for it to
> use NTP.  I know what they are, but I do not know how to find servers that
> need authentication and if I did I do not know how to obtain the key and key ID.

I am not aware of any public servers which do authenticated NTP.

Your message implies that your "network security device" will only
accept NTP with the key and ID configured, and will not accept unauthenticated
NTP?

> In this situation do I need to create my own time server and use keys for
> authentication?  If this is the case does anyone know if Linux (Fedora) can
> do this?

Any Unix should be able to run the "NTP reference implementation" open
source NTP client/server from http://ntp.isc.org/

> Although I don't know of any attacks on ntp, it is a critical service once
> you get things like Kerberos running, not to mention the usual reasons
> you want to sync time.

There have historically been a number of attacks against NTP client
libraries, on both Unix and also on Cisco gear.


> If time is truly critical to you and this is a large LAN, then you probably
> want to look at buying your own GPS-driven Stratum 1 server.

I strongly recommend, in any corporate environment where accurate
time is critical, the purchase and deployment of one or several NTP
server appliances.

> Or you can look at BUILDING a S1 using cheap hardware - see, for example
> http://blizzard.rwic.und.edu/~nordlie/ntp-gps/.

Regardless of platform, your S1 server should go inside the LAN.

> But more typically you are going to be syncing with a set of public Stratum
> 2 servers (or maybe Stratum 1, depending upon the size of your LAN).

> If you don't want to punch NTP through your inbound-LAN firewall, then I
> would suggest you put time servers in BOTH places:
>
> In the DMZ, sync two DMZ ntp servers with each other and the S2 masters.
>
> In the LAN, sync two (or more) LAN ntp servers with each other, the DMZ
> servers and the S2 masters.
>
> One little trick:  Make sure you have more S2 masters in your ntp.conf file
> than you have DMZ servers.  That way, if somebody hacks your DMZ servers
> they'll be seen as outliers and so LAN time will remain in sync with the
> rest of the world.

My preference is to deploy multiple GPS-derived Stratum-1 servers
inside the enterprise, and distribute the time out from more trusted
to less trusted.
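As an added illustration (not code from the thread or from the NTP project), here is how the pieces discussed above fit together on a Linux box running the reference ntpd: a shared symmetric key in ntp.keys, and an ntp.conf for a LAN server that takes the DMZ servers as authenticated sources and lists more public S2 masters than DMZ servers, so that a compromised DMZ pair is outvoted. The hostnames, the key ID (1), the 10/8 LAN range and the file paths are assumptions chosen for the example; the key generator below is a stand-in for ntp-keygen -M so that the script runs without the NTP tools installed.

```shell
#!/bin/sh
# Added example: authenticated ntpd setup for a LAN time server.
# Hostnames, key id, addresses and paths are illustrative assumptions.

# 16 hex characters from /dev/urandom. Keys of 20 characters or fewer
# are taken as printable ASCII by ntpd, so this is a valid MD5 key.
# (ntp-keygen -M from the NTP distribution produces a whole keys file.)
gen_key() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# ntp.keys line format: "<id> <type> <key>". Every server that sends or
# accepts authenticated packets must hold the same id and key.
# $1 = path, $2 = key id, $3 = key
write_keys() {
    printf '%s MD5 %s\n' "$2" "$3" > "$1"
    chmod 600 "$1"
}

# ntp.conf for one of the LAN servers.
# "key N" on a server/peer line makes ntpd require a valid MAC under key N
# on packets from that source. The three public S2 masters outnumber the
# two DMZ servers, so hijacked DMZ boxes end up as falsetickers.
# $1 = path, $2 = keys file, $3 = key id
write_conf() {
    cat > "$1" <<EOF
driftfile /var/lib/ntp/drift

# Symmetric-key authentication (assumed key id $3).
keys $2
trustedkey $3
controlkey $3
requestkey $3

# Three public stratum-2 masters (placeholder hostnames).
server s2-a.example.net iburst
server s2-b.example.net iburst
server s2-c.example.net iburst

# Two DMZ servers, authenticated with the shared key.
server ntp1.dmz.example.net key $3 iburst
server ntp2.dmz.example.net key $3 iburst

# The other LAN server, as an authenticated symmetric peer.
peer ntp2.lan.example.net key $3

# Serve time to anyone, but allow no remote reconfiguration or queries.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
# LAN clients (assumed 10/8) may query status but not modify.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer
EOF
}

# Typical use on the server (paths are assumptions):
#   KEY=$(gen_key)
#   write_keys /etc/ntp.keys 1 "$KEY"
#   write_conf /etc/ntp.conf /etc/ntp.keys 1
# Then copy the same ntp.keys line to the DMZ servers and the peer, restart
# ntpd, and confirm with "ntpq -c associations": the auth column must read
# "ok" for the keyed sources. A "bad" there means key id or key mismatch.
```

Note that if a DMZ host is compromised, rotating the key means touching every server and the security device that share it; key ID 1 is used throughout here only for brevity, and separate IDs per trust boundary make that rotation easier.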