Security Basics mailing list archives
RE: NTP recommendations
From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Thu, 13 Mar 2003 06:43:34 -0600
Really, all you need to know is on the web pages, http://www.ntp.org. My favs are the cookbook - http://www.umich.edu/~rsug/services/ntp.html (for setting up your internal clients) and the FAQ, http://www.ntp.org/ntpfaq/NTP-a-faq.htm - see section 6.2.1.3, "How should I provide NTP services for a huge network?"

In the abstract - since I've never done it for real for more than a dozen servers/hosts...

First off, are you going to run your own Stratum 1 server? It's not cheap to buy the gear, but you could then run it ENTIRELY inside the firewall.

If you're really, really worried, then grab a hold of one of the Linux distros that boots from a CD and customize it to be an ntp server and ONLY an ntp server and stick THOSE in the dmz (those are the 2a, 2b and 2c in the diagram in the FAQ). Configure them with a UPS that allows you to restart the hardware on a schedule and remove the HD (all the dynamic files are in RAM disk). Yes, you lose the drift file, but since this is supposed to be synced to a real time standard, who cares about the PC clock. If somebody roots the box, well, at 0-dark-and-scary, it reboots back to the original configuration.

Then you put local (3a...) ntp servers in each site and configure servers & workstations to use those as their standard. If WAN connectivity is a problem, you could peer triplets of the 3s, either locally redundant boxes or close by network (Detroit peers w/ Rochester and Chicago) (Chicago peers with Detroit and Indianapolis) etc.

-----Burton

-----Original Message-----
From: Jennifer Fountain [mailto:JFountain () rbinc com]
Sent: Tuesday, March 11, 2003 7:32 PM
To: security-basics () securityfocus com
Subject: NTP recommendations

I am currently looking into configuring my company's time servers. My initial thoughts were setting up two or three in the dmz and configuring them to update their time on a regular basis (haven't defined regular yet) and then install two or three internal time servers that query these servers.
I currently have a web server, reverse proxy, ftp (blush embarrassed - going to be getting rid of THIS real soon), email, ids, and two dns servers in the dmz. Someone has recommended to configure three of these servers (web, dns, and email) as a time server. At first, I say - huh - no. That would mean opening up two ports on each box and having a new set of potential problems if I miss anything. But I am not an expert so I head to google searches and you for guidance. Could anyone tell me their configuration or recommend a "good" configuration for company time servers?

Thank you
Jenn

P.S. If anyone is at SANS 2003, ping me if you are in track 3 :)
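As an added example (not from either poster), this is what the ntp.conf of one of Burton's site-local "3a" servers could look like under that layout: it takes time from the three DMZ servers (2a, 2b, 2c), peers with two neighbouring sites, and refuses queries and reconfiguration from everyone else. All hostnames, addresses and the key number are constructed placeholders.

```conf
# /etc/ntp.conf on the Detroit site-local ("3a") NTP server (ntp.org ntpd).
# Hostnames, addresses and key id are constructed placeholders.

# Keep the drift file: this box has a disk, unlike the CD-booted DMZ servers.
driftfile /var/lib/ntp/ntp.drift

# Upstream: the three hardened DMZ servers (2a, 2b, 2c in the FAQ diagram).
server 192.0.2.11 iburst    # ntp-2a.dmz (constructed)
server 192.0.2.12 iburst    # ntp-2b.dmz (constructed)
server 192.0.2.13 iburst    # ntp-2c.dmz (constructed)

# Peer with Rochester and Chicago so the sites keep agreeing with each other
# if the WAN link to the DMZ is down. Both sides authenticate with a shared
# symmetric key so a stray host cannot inject time by posing as a peer.
peer 10.2.0.5 key 1         # ntp-3.rochester (constructed)
peer 10.3.0.5 key 1         # ntp-3.chicago (constructed)

# Key file holds lines of the form "<id> M <secret>"; mode 0600, root only.
keys /etc/ntp/keys
trustedkey 1

# Default: serve time to nobody and accept control, config or peering from
# nobody. Anything allowed below is an explicit exception to this line.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The local host may query and manage the daemon (ntpq / ntpdc).
restrict 127.0.0.1
restrict -6 ::1

# Upstream servers may supply time, but not query, reconfigure or peer.
restrict 192.0.2.11 nomodify notrap nopeer noquery
restrict 192.0.2.12 nomodify notrap nopeer noquery
restrict 192.0.2.13 nomodify notrap nopeer noquery

# Peers need symmetric mode, so "nopeer" is left off for them only.
restrict 10.2.0.5 nomodify notrap noquery
restrict 10.3.0.5 nomodify notrap noquery

# Detroit servers and workstations (constructed 10.1.0.0/16) get time only.
restrict 10.1.0.0 mask 255.255.0.0 nomodify notrap nopeer noquery
```

After loading it, `ntpq -p` run on the box itself (the only host the restrict lines let query) should show the three DMZ servers as `u` (unicast) associations and the two neighbouring sites as `s` (symmetric) ones.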