Firewall Wizards mailing list archives
Re: NTp config - for the databases :}
From: kees () echelon nl (Kees Hendrikse)
Date: Thu, 12 Mar 1998 23:58:21 +0100 (MET)
Bret Watson wrote:
Just finished an implementation for a client and had the resources to do it properly :} here is a listing of overkill in the NTp world... three servers time1,2,3 each referencing six external stratum 1 clocks geographically dispersed with no overlap - i.e. 18 stratum 1's in total. Each server also peers with the other two.
(..)
What does this mean in security terms? NTP is a udp protocol so prediction is not a problem, you just have to wait for the outgoing request and reply on that request. As this particular site has a single cable going out - it's not hard to capture the total traffic.
(..)

There's your single point of failure. If I manage to block all ntp data going *to* your site I can get complete control over the network's notion of time by spoofing only **one** of your 18 reference servers. NTP will happily follow this one phoney server, as long as it believes the other 17 are dead. I don't even have to be careful with time changes. Now that the phoney server is the only reference, NTP will follow it all the way.

Add a couple of radio receivers to the lot (radio-to-ntp boxes are available for reasonable prices) which gives you in-house stratum-1 servers to complement the internet servers.

--
Kees Hendrikse | email: kees () echelon nl | web: www.echelon.nl
ECHELON consultancy and software development | phone: +31 (0)53 48 36 585
PO Box 545, 7500AM Enschede, The Netherlands | fax: +31 (0)53 43 36 222
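
A monitoring check for the condition described in the message above, added here as an example and not part of the original post: it parses `ntpq -pn` peer output and flags when so few configured sources still answer that a single server is steering the clock. The sample output, the addresses and the `min_sources` threshold of 3 are constructed assumptions.

```python
import re

# Constructed `ntpq -pn` output (documentation addresses, not from the post):
# three of four configured sources have stopped answering (reach 0); the one
# that still answers has been selected as system peer (*).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377   12.345  812.100   0.456
 192.0.2.11      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 192.0.2.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 192.0.2.13      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# tally code, remote, refid, stratum, type, when, poll, reach (octal register)
PEER = re.compile(
    r"^(?P<tally>[ x.\-+#*o])(?P<remote>\S+)\s+\S+\s+\d+\s+\S\s+\S+\s+\d+"
    r"\s+(?P<reach>[0-7]+)\s"
)

def parse_peers(text):
    """Return one dict per peer line; header and separator lines do not match."""
    peers = []
    for line in text.splitlines():
        m = PEER.match(line)
        if m:
            peers.append({"remote": m["remote"], "tally": m["tally"],
                          "reach": int(m["reach"], 8)})
    return peers

def assess(text, min_sources=3):
    """Classify the source set. min_sources=3 is an assumed alert threshold."""
    peers = parse_peers(text)
    # reach is a shift register of the last eight polls; 0 means none answered.
    reachable = [p["remote"] for p in peers if p["reach"] != 0]
    if not reachable:
        status = "no-sources"
    elif len(reachable) == 1:
        status = "single-source"   # the situation described in the message
    elif len(reachable) < min_sources:
        status = "degraded"
    else:
        status = "ok"
    return {"configured": len(peers), "reachable": reachable, "status": status}

if __name__ == "__main__":
    print(assess(SAMPLE))
```
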