Firewall Wizards mailing list archives
Re: NTp config - for the databases :}
From: Bret Watson <lists () bwa net>
Date: Fri, 13 Mar 1998 10:26:09
> > (..)NTP is a udp protocol so prediction is not a problem, you just have to wait for the outgoing request and reply on that request. As this particular site has a single cable going out - it's not hard to capture the total traffic.(..)
>
> There's your single point of failure. If I manage to block all ntp data going *to* your site I can get complete control over the network's notion of time by spoofing only **one** of your 18 reference servers. NTP will happily follow this one phoney server, as long as it believes the other 17 are dead. I don't even have to be careful with time changes. Now that the phoney server is the only reference, NTP will follow it all the way.

The catch is that the stratum 2s are also peering with each other, so unless your spoofed reference is more stable than the combined clock of the three, they will ignore it.

> Add a couple of radio receivers to the lot (radio-to-ntp boxes are available for reasonable prices), which gives you in-house stratum-1 servers to complement the internet servers.

Certainly. If you have the budget. This is much, much better than an external ref. Probably the easiest for most of the world (radio/Omega/LORAN is not always very available in some parts - like here) is to plonk a Trimble GPS in and link the PPS line to the serial port - then use the PPS driver for xntpd. If you've been told to implement it, but not given the money for it - then the next best thing IMHO is what I described.

Cheers,

Bret

Technical Incursion Countermeasures
consulting () bwa net
http://www.ticm.com/
ph: (+61)(08) 9454 2487 (UTC+8 hrs)
fax: (+61)(08) 9454 6042
The Insider - an e'zine on Computer security
http://www.ticm.com/about/insider.html
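As an added example (not from this thread, and not code from any of its participants), a small Python check over `ntpq -p` output that flags the condition Kees describes: the daemon following a lone surviving reference once the other sources stop answering. Hostnames, offsets, the `ntp1..ntp4` names and the thresholds are constructed sample values.

```python
# Constructed `ntpq -p` samples (hosts and values invented for this example).
# Tally column: '*' system peer, '+' candidate, '-' outlier, 'x' falseticker,
# ' ' discarded/unreachable. 'reach' is an octal shift register of the last
# eight polls, so 377 means every poll was answered and 0 means none were.
HEALTHY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   33   64  377   40.123    0.210   0.500
+ntp2.example.net 192.0.2.11       2 u   12   64  377   38.900   -0.150   0.420
+ntp3.example.net 192.0.2.12       2 u   50   64  377   41.010    0.080   0.390
-ntp4.example.net 192.0.2.13       2 u   20   64  376   39.500    0.300   0.610
"""
# Same daemon after inbound NTP from three of the four references is blocked:
# the lone survivor is selected and its offset is no longer cross-checked.
BLOCKED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   33   64  377   40.123  250.000   0.500
 ntp2.example.net 192.0.2.11       2 u  512 1024    0    0.000    0.000 4000.00
 ntp3.example.net 192.0.2.12       2 u  600 1024    0    0.000    0.000 4000.00
 ntp4.example.net 192.0.2.13       2 u  580 1024    0    0.000    0.000 4000.00
"""

def parse_peers(output):
    """Yield (tally, remote, reach_bits, offset_ms) for each peer line."""
    for line in output.splitlines():
        tally, fields = line[:1], line[1:].split()
        if len(fields) != 10 or not fields[6].isdigit():
            continue  # header, separator, or a line we do not understand
        yield tally, fields[0], int(fields[6], 8), float(fields[8])

def check_sources(output, min_reachable=3, max_offset_ms=100.0):
    """Summarise source diversity; 'alerts' is empty when the clock is healthy."""
    peers = list(parse_peers(output))
    reachable = [p for p in peers if p[2] != 0]          # answered at least once
    sys_peer = next((p for p in peers if p[0] == "*"), None)
    alerts = []
    if len(reachable) < min_reachable:
        alerts.append("only %d of %d sources reachable" % (len(reachable), len(peers)))
    if sys_peer and len(reachable) == 1:
        alerts.append("system peer %s is the lone survivor; no cross-check" % sys_peer[1])
    if any(p[0] == "x" for p in peers):
        alerts.append("falseticker(s) present")            # selection already rejected them
    if sys_peer and abs(sys_peer[3]) > max_offset_ms:
        alerts.append("system peer offset %.1f ms exceeds %.1f ms" % (sys_peer[3], max_offset_ms))
    return {"reachable": len(reachable), "sys_peer": sys_peer[1] if sys_peer else None, "alerts": alerts}
```

Run it against `ntpq -p` output captured on a schedule and page on any non-empty `alerts`; the in-house stratum-1 or peered stratum-2 servers discussed above would keep `reachable` above the threshold even when the external path is cut.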
Current thread:
- RE: DNS -vs- the firewall: security thoughts Joe Ippolito - President SVNPA (Mar 11)
- NTp config - for the databases :} Bret Watson (Mar 12)
- Re: NTp config - for the databases :} Kees Hendrikse (Mar 12)
- Re: NTp config - for the databases :} Bret Watson (Mar 12)
- Re: NTp config - for the databases :} Kees Hendrikse (Mar 13)
- Re: NTp config - for the databases :} Bret Watson (Mar 13)
- Re: NTp config - for the databases :} Kees Hendrikse (Mar 12)
- Re: NTp config - for the databases :} Joseph S. D. Yao (Mar 13)
- Re: NTp config - for the databases :} John Painter (Mar 14)
- NTp config - for the databases :} Bret Watson (Mar 12)
- Firewall Audit Programme/checklist Bret Watson (Mar 16)
- Re: Firewall Audit Programme/checklist Marcus J. Ranum (Mar 16)
- Re: Firewall Audit Programme/checklist Chad Schieken (Mar 16)
- Re: Firewall Audit Programme/checklist Bret Watson (Mar 17)
- Re: Firewall Audit Programme/checklist Marcus J. Ranum (Mar 17)
- Re: Firewall Audit Programme/checklist blast (Mar 17)