Security Basics mailing list archives

RE: NTP recommendations


From: "Dan Fiorito" <danf () voyantinc com>
Date: Thu, 13 Mar 2003 08:45:06 -0500

Why not just set it up on your existing server or servers and only let the traffic on port 123 out? Do not let any connection inbound to this server on any port other than what is needed. People will not query your server from outside, so deny it. Allow the LAN to query port 123 to the DMZ in the firewall so clients on the inside can get the correct time.

        -----Original Message----- 
        From: Jennifer Fountain [mailto:JFountain () rbinc com] 
        Sent: Tue 3/11/2003 8:32 PM 
        To: security-basics () securityfocus com 
        Cc: 
        Subject: NTP recommendations
        
        

        I am currently looking into configuring my company's time servers. My initial thoughts were setting up two or three in the DMZ and configuring them to update their time on a regular basis (haven't defined regular yet) and then installing two or three internal time servers that query these servers. I currently have a web server, reverse proxy, ftp (blush embarrassed - going to be getting rid of THIS real soon), email, ids, and two dns servers in the DMZ. Someone has recommended configuring three of these servers (web, dns, and email) as a time server. At first, I say - huh - no. That would mean opening up two ports on each box and having a new set of potential problems if I miss anything. But I am not an expert, so I head to Google searches and you for guidance. Could anyone tell me their configuration or recommend a "good" configuration for company time servers?
        
        Thank you
        Jenn
        
        P.S. If anyone is at SANS 2003, ping me if you are in track 3 :)
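
The firewall policy described in the reply above, written out as iptables rules. This is an added example, not part of the original thread; it assumes a Linux firewall routing between Internet, DMZ and LAN, and the function name, interface names and addresses are hypothetical.

```shell
#!/bin/sh
# Added example: print (do not apply) the iptables commands for the NTP
# policy in the reply: DMZ time server may reach upstream on UDP 123,
# LAN may query the DMZ server on UDP 123, nothing outside may query it.

# ntp_fw_rules WAN_IF DMZ_IF LAN_IF NTP_SERVER_IP LAN_CIDR
# Writes the commands to stdout; returns 1 on a missing or empty argument.
ntp_fw_rules() {
    if [ "$#" -ne 5 ]; then
        echo "usage: ntp_fw_rules WAN_IF DMZ_IF LAN_IF NTP_SERVER_IP LAN_CIDR" >&2
        return 1
    fi
    for arg in "$@"; do
        [ -n "$arg" ] || { echo "ntp_fw_rules: empty argument" >&2; return 1; }
    done
    wan=$1 dmz=$2 lan=$3 srv=$4 lan_net=$5
    cat <<EOF
# 1. Replies to flows allowed below. ntpd normally sends from source port
#    123, so upstream answers arrive on destination port 123; this rule
#    must come before the inbound drop in step 4.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. DMZ time server to upstream NTP servers, UDP 123 only.
iptables -A FORWARD -i $wan_placeholder_unused$dmz -o $wan -s $srv -p udp --dport 123 -j ACCEPT
# 3. LAN clients to the DMZ time server, UDP 123 only.
iptables -A FORWARD -i $lan -o $dmz -s $lan_net -d $srv -p udp --dport 123 -j ACCEPT
# 4. Unsolicited NTP from outside: rate-limited log, then drop.
iptables -A FORWARD -i $wan -p udp --dport 123 -m limit --limit 6/min -j LOG --log-prefix "ntp-inbound-drop: "
iptables -A FORWARD -i $wan -p udp --dport 123 -j DROP
EOF
}

# Constructed sample invocation (RFC 5737 / RFC 1918 addresses):
#   ntp_fw_rules eth0 eth1 eth2 192.0.2.10 10.0.0.0/24
```

The output is meant to be reviewed and merged ahead of the firewall's existing default-deny rules; rules for the other DMZ services are out of scope here.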
        
        

