Security Basics mailing list archives
Re: Help in NTP server
From: Kevin <kkadow () gmail com>
Date: Sat, 13 Nov 2004 01:07:07 -0600
On Wed, 10 Nov 2004 08:28:30 -0500, Christopher Adickes <christopher_adickes () shi com> wrote:
> I also have a question about NTP. This one may seem simple to some. I'm setting up a network security device and it needs a key and key ID for it to use NTP. I know what they are, but I do not know how to find servers that need authentication and if I did I do not know how to obtain the key and key ID.
I am not aware of any public servers which do authenticated NTP. Your message implies that your "network security device" will only accept NTP with the key and ID configured, and will not accept unauthenticated NTP?
> In this situation do I need to create my own time server and use keys for authentication? If this is the case does anyone know if Linux (Fedora) can do this?
Any Unix should be able to run the "NTP reference implementation" open source NTP client/server from http://ntp.isc.org/
> Although I don't know of any attacks on ntp, it is a critical service once you get things like Kerberos running, not to mention the usual reasons you want to sync time.
There have historically been a number of attacks against NTP client libraries, on both Unix and also on Cisco gear.
> If time is truly critical to you and this is a large LAN, then you probably want to look at buying your own GPS driven Stratum 1 server.
I strongly recommend, in any corporate environment where accurate time is critical, the purchase and deployment of one or several NTP server appliances.
> Or you can look at BUILDING a S1 using cheap hardware - see, for example, http://blizzard.rwic.und.edu/~nordlie/ntp-gps/. Regardless of platform, your S1 server should go inside the LAN. But more typically you are going to be syncing with a set of public Stratum 2 servers (or maybe Stratum 1, depending upon the size of your LAN). If you don't want to punch NTP through your inbound-LAN firewall, then I would suggest you put time servers in BOTH places: In the DMZ, sync two DMZ ntp servers with each other and the S2 masters. In the LAN, sync two (or more) LAN ntp servers with each other, the DMZ servers and the S2 masters. One little trick: Make sure you have more S2 masters in your ntp.conf file than you have DMZ servers. That way, if somebody hacks your DMZ servers they'll be seen as outliers and so LAN time will remain in sync with the rest of the world.
My preference is to deploy multiple GPS-derived Stratum-1 servers inside the enterprise, and distribute the time out from more trusted to less trusted.
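As an added example (not part of this thread, and not code from any poster), the script below turns the two pieces of advice above into files for the ntp.org reference implementation: it generates a symmetric key for the ntp.keys file, and writes an ntp.conf for either a DMZ or a LAN server in the two-tier layout, with more unauthenticated public S2 masters than DMZ servers and every server you run yourself required to authenticate with the key. All hostnames, the key ID and the file paths are constructed placeholders; the directives (`keys`, `trustedkey`, `controlkey`, `restrict`, `server ... key`, `peer ... key`) are the reference implementation's own.

```shell
#!/bin/sh
# Added example, not from the thread: generate an ntp.keys file and an
# ntp.conf for the two-tier DMZ/LAN layout described in the thread, with
# symmetric-key authentication between the servers you control. Directives
# are those of the ntp.org reference implementation (ntpd); every hostname
# below is a constructed placeholder, not a real server.

S2_MASTERS="s2-a.example.net s2-b.example.net s2-c.example.net s2-d.example.net"
DMZ_SERVERS="ntp1.dmz.example.net ntp2.dmz.example.net"
LAN_SERVERS="ntp1.lan.example.net ntp2.lan.example.net"
KEY_ID=1

# One ntp.keys line, "<id> MD5 <secret>". ntpd takes an MD5 secret as
# 1-20 printable ASCII characters with no whitespace or '#'.
gen_key_line() {
    secret=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20)
    printf '%s MD5 %s\n' "$1" "$secret"
}

# Print ntp.conf for role "dmz" or "lan" on the host named by $2.
# Public S2 masters stay unauthenticated (no public server offers keys);
# every server/peer we run ourselves is tagged "key $KEY_ID", so ntpd
# discards unauthenticated packets claiming to come from those addresses.
gen_ntp_conf() {
    role=$1
    self=$2
    cat <<EOF
driftfile /var/lib/ntp/drift
keys /etc/ntp/ntp.keys
trustedkey $KEY_ID
controlkey $KEY_ID
# nobody on the network may modify, trap or query this daemon
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# keep MORE public masters than DMZ servers: a compromised DMZ box is then
# an outlier to the clock-selection algorithm rather than a majority
EOF
    for h in $S2_MASTERS; do
        printf 'server %s iburst\n' "$h"
    done
    case $role in
        dmz)
            for h in $DMZ_SERVERS; do
                [ "$h" = "$self" ] || printf 'peer %s key %s\n' "$h" "$KEY_ID"
            done ;;
        lan)
            for h in $DMZ_SERVERS; do
                printf 'server %s key %s iburst\n' "$h" "$KEY_ID"
            done
            for h in $LAN_SERVERS; do
                [ "$h" = "$self" ] || printf 'peer %s key %s\n' "$h" "$KEY_ID"
            done ;;
        *)
            echo "unknown role: $role" >&2
            return 1 ;;
    esac
}

# Write both files into directory $1 for role $2 on host $3. The keys file
# is a shared secret, so it is created under umask 077 (mode 0600) in a
# subshell that does not disturb the caller's umask.
write_ntp_files() {
    dir=$1
    role=$2
    self=$3
    ( umask 077; gen_key_line "$KEY_ID" > "$dir/ntp.keys" )
    gen_ntp_conf "$role" "$self" > "$dir/ntp.conf"
}

# Usage: write_ntp_files /tmp/ntp-lan lan ntp1.lan.example.net
```

The same ntp.keys line (same key ID and secret) has to be installed on every host that appears with `key 1` in another host's config, since symmetric-key NTP authenticates both directions with one shared secret; generate it once and copy it over a trusted channel rather than running `gen_key_line` separately on each box.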
Current thread:
- RE: Help in NTP server Mark Lewis (Nov 08)
- RE: Help in NTP server Burton M. Strauss III (Nov 09)
- RE: Help in NTP server Mark Lewis (Nov 09)
- RE: Help in NTP server Mark Lewis (Nov 09)
- <Possible follow-ups>
- RE: Help in NTP server Christopher Adickes (Nov 10)
- Re: Help in NTP server Kevin (Nov 15)