Security Basics mailing list archives

RE: NTP recommendations


From: "Zill, Greg" <Greg.Zill () owh com>
Date: Mon, 17 Mar 2003 14:13:16 -0600

I run Raptor (Symantec SEF) which provides for NTP proxy.
Its wizard obtained three time sources based on geography.
The time is then served to root DC and to the chokepoint router serving the DMZ and frame and routing to the LAN.
I then set up peer NTP on the chokepoint router to enable it to serve NTP to anyone requesting time.
Seemed kind of a natural: "How do I get to X and, oh by the way, what time have you got?"
I only have the one hole in the firewall for the three destinations, and the DC Active Directory serves all clients, while the DMZ router serves the rest.

-----Original Message-----
From: Dean Scott [mailto:ScottD () FamilyMeds com]
Sent: Thursday, March 13, 2003 3:21 PM
To: security-basics () securityfocus com
Subject: RE: NTP recommendations 


I use a computer on the DMZ linked to a stratum 2 source on the internet.
We use TCP so that the outgoing request establishes a session on the
firewall.  This is the only function on this computer and it broadcasts
within the DMZ; only this IP is let through the open port on the firewall,
and then only to another NTP server inside the corporate network.

-----Original Message-----
From: Jennifer Fountain [mailto:JFountain () rbinc com]
Sent: Tuesday, March 11, 2003 8:32 PM
To: security-basics () securityfocus com
Subject: NTP recommendations 


I am currently looking into configuring my company's time servers.  My
initial thoughts were setting up two or three in the DMZ and configuring
them to update their time on a regular basis (haven't defined regular yet)
and then installing two or three internal time servers that query these servers.
I currently have a web server, reverse proxy, ftp (blush, embarrassed - going
to be getting rid of THIS real soon), email, IDS, and two DNS servers in the
DMZ.  Someone has recommended configuring three of these servers (web, DNS,
and email) as time servers.  At first, I say - huh - no.  That would mean
opening up two ports on each box and having a new set of potential problems
if I miss anything.  But I am not an expert, so I head to Google searches and
you for guidance.  Could anyone tell me their configuration or recommend a
"good" configuration for company time servers?  

Thank you
Jenn

P.S.  If anyone is at SANS 2003, ping me if you are in track 3 :)

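A concrete ntpd configuration for the two-tier layout discussed in this thread (DMZ time servers synced to external stratum-2 sources, internal time servers that query only the DMZ servers). This is an added example and is not anything posted by the participants; the hostnames (ntp1.example.net etc.), the 192.0.2.x DMZ addresses, the 10.x internal addresses and the key ID are placeholders to be replaced with your own. NTP runs over UDP port 123 (client and server both use 123), so the firewall needs one UDP rule from the DMZ server to the three upstream addresses and one from the internal time servers to the DMZ server; no TCP is involved. The commented-out `restrict default` line shows the unrestricted setting that opens the box to arbitrary queries and reconfiguration; the lines that follow are the hardened equivalent.

```conf
# ==== /etc/ntp.conf on the DMZ time server (example; placeholder names) ====
driftfile /var/lib/ntp/ntp.drift

# Three upstream stratum-2 sources (hypothetical hostnames; use servers you are
# entitled to query).  'iburst' sends a burst of packets at start-up so the
# clock syncs in seconds rather than minutes after a restart.
server ntp1.example.net iburst
server ntp2.example.net iburst
server ntp3.example.net iburst

# WEAK (for comparison, left commented out): an empty default restriction
# lets every host that can reach UDP/123 get time, run ntpq/ntpdc control
# queries against this box and, without 'nomodify', change its run-time
# configuration.
#restrict default

# CORRECTED: refuse everything by default, then open only what is needed.
# The '-6' form covers IPv6 on older ntpd versions that keep separate
# IPv4/IPv6 default restrictions.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1

# Accept replies from the upstream servers only.  They may not query our
# status, change our configuration, set traps, or turn the association into
# a symmetric peer.
restrict ntp1.example.net nomodify notrap noquery nopeer
restrict ntp2.example.net nomodify notrap noquery nopeer
restrict ntp3.example.net nomodify notrap noquery nopeer

# Serve time to the two internal time servers (placeholder addresses) and to
# nothing else.  Time service is allowed; control queries and changes are not.
# Each DMZ host that should also get time from this box (web, DNS, mail...)
# needs its own line like these; 'restrict default ignore' drops the rest.
restrict 10.1.1.10 nomodify notrap nopeer noquery
restrict 10.1.1.11 nomodify notrap nopeer noquery

# The client-statistics monitor answers 'ntpdc -c monlist' with a list of
# recent clients.  It is not needed for time service, so switch it off.
disable monitor

# Optional: authenticated broadcast inside the DMZ instead of per-host lines.
# Clients put 'broadcastclient' plus the same 'keys'/'trustedkey' lines in
# their ntp.conf; the keys file holds '1 M <secret>' with mode 0600.
#keys /etc/ntp/keys
#trustedkey 1
#broadcast 192.0.2.255 key 1


# ==== /etc/ntp.conf on each internal time server (example) ====
driftfile /var/lib/ntp/ntp.drift

# The DMZ server (placeholder address) is the only upstream.  Stratum counts
# up one per hop: stratum-2 sources -> DMZ server at stratum 3 -> this box at
# stratum 4, which is fine for Active Directory/Kerberos (default tolerance
# is a 5-minute skew).
server 192.0.2.10 iburst

restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.10 nomodify notrap noquery nopeer

# Serve the corporate LAN (placeholder 10.0.0.0/8): time only, no queries.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery
disable monitor
```

After starting ntpd, check the association table locally with `ntpq -p` (it has to be run on the box itself, since `noquery` blocks control queries from everywhere else); the upstream entries should show a `*` or `+` marker and a stratum of 2 once the clock has settled. From an internal server, `ntpq -p` should list only the DMZ server, and a control query aimed at the DMZ server from any other host should time out, which confirms that the restrict lines, not just the firewall, are doing their job.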