Firewall Wizards mailing list archives
Re: NTp config - for the databases :}
From: John Painter <tjp () conflux net>
Date: Fri, 13 Mar 1998 16:03:26 -0800
This spoofing problem is easily dealt with. Use a 12 channel GPS with the receiving antenna significantly protected from physical attack. Since the GPS receiver calculates the time of arrival of a sat's signal vs the time of arrival of the other sats' signals and uses the incoming signals to determine longitude and latitude (and elevation), the spoofer must transmit multiple correct sat signals with appropriate delays to spoof a different time and correctly place your location (within 300 or so meters and 600 or so elevation) so a sanity check of the long/lat/el would not show you being spoofed. Some three letter acronyms may be able to pull it off, but few others.

If you were sufficiently paranoid, a multiple antenna array of az/el controllable antennas would let you point directional antennas at each viewable sat. in the sky and you could sanity check across each sat.

For the WWV spoofer, just use a set of directional antenna arrays spaced far enough apart that a low power transmitter would show up as being in the wrong direction to at least one of the receivers. You could also use a transmitter signature analyzer to make sure you were listening to the one and only WWV 5MHz, CHU, WWVH-5MHz, etc... Since radios made on the same assembly line show up with different transmitter signatures it would be easy to tell. Amateur radio repeater operators use transmitter signatures to secure access to control functions on some repeaters, to identify malicious users, etc.

I also log changes to our system clocks by NTP just in case ...

At 8:01 AM -0800 3/13/98, Joseph S. D. Yao wrote:
Add a couple of radio receivers to the lot (radio-to-ntp boxes are available for reasonable prices) which gives you in-house stratum-1 servers to complement the internet servers.

Reminds me of [don't laugh] a Superman television show episode, where Supes got the National Atomic Clock folks to speed up their radio signal to get the crook to emerge before the statute of limitations ran out. [There were other indications in that episode, looking back as an older self, that they were stretching for plot ideas by then.]

You don't have to be Superman. Just put a transmitter antenna close to the receiving antenna, and make the transmitter just powerful enough to override and spoof the real time signal.

As long as we're being careful about looking for the perfect time source ...

-- Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support EMT-A/B
-----------------------------------------------------------------------
PLEASE ... send or Cc: all "COSPO Computer Support" mail to sys-adm () cospo osis gov
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

-- John Painter, Principal Consulting Engineer, Grand Designs, Ltd., ConfluX.net Internet Business Unit <http://www.gdltd.com/>, <http://www.conflux.net/>
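
The long/lat/el sanity check described in the message above, as an added example that is not part of the original post: it assumes the GPS receiver emits NMEA GGA sentences and compares each reported fix with the antenna's surveyed position before the receiver is trusted as a time source. The surveyed coordinates, the sample sentences and the `make_gga` helper are constructed for illustration, and the "600 or so elevation" limit is assumed to be in metres.

```python
import math
from functools import reduce
SURVEYED = (37.0, -122.0, 30.0)  # constructed: antenna lat, lon (deg), altitude (m)
MAX_HORIZ_M, MAX_VERT_M = 300.0, 600.0  # limits from the message; metres assumed for elevation

def nmea_checksum(body):
    """XOR of every character between '$' and '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def to_degrees(field, hemi):
    """Convert NMEA (d)ddmm.mmmm plus hemisphere letter to signed degrees."""
    dot = field.index(".")
    value = int(field[:dot - 2]) + float(field[dot - 2:]) / 60.0
    return -value if hemi in ("S", "W") else value

def parse_gga(sentence):
    """Return (lat, lon, alt_m) from a GGA sentence or raise ValueError."""
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("not an NMEA sentence")
    body, _, given = sentence[1:].strip().partition("*")
    if int(given, 16) != nmea_checksum(body):
        raise ValueError("bad checksum")
    f = body.split(",")
    if not f[0].endswith("GGA") or f[6] in ("", "0"):
        raise ValueError("no GGA fix")
    return to_degrees(f[2], f[3]), to_degrees(f[4], f[5]), float(f[9])

def horizontal_m(lat1, lon1, lat2, lon2):
    """Equirectangular distance, adequate over a few kilometres."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    return 6371000.0 * math.hypot(x, math.radians(lat2 - lat1))

def check_fix(sentence, surveyed=SURVEYED):
    """Return reasons to distrust this fix (empty list means it passed)."""
    try:
        lat, lon, alt = parse_gga(sentence)
    except (ValueError, IndexError) as exc:
        return ["unparseable: %s" % exc]
    reasons = []
    dist = horizontal_m(lat, lon, surveyed[0], surveyed[1])
    if dist > MAX_HORIZ_M:
        reasons.append("position off by %.0f m" % dist)
    if abs(alt - surveyed[2]) > MAX_VERT_M:
        reasons.append("altitude off by %.0f m" % abs(alt - surveyed[2]))
    return reasons

def make_gga(lat_field, alt):
    """Build a constructed sample sentence with a valid checksum."""
    body = "GPGGA,120000.00,%s,N,12200.0000,W,1,09,0.9,%s,M,-30.0,M,," % (lat_field, alt)
    return "$%s*%02X" % (body, nmea_checksum(body))
```

A non-empty result from `check_fix` is a reason to fall back to the other time sources and to record the event alongside the logged NTP clock changes.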