Firewall Wizards mailing list archives

Re: RE: Acquisition of time


From: Bennett Todd <bet () rahul net>
Date: Tue, 4 Feb 2003 09:49:51 -0500

2003-01-29T12:03:56 Brian Monkman:
> We are talking about a firewall farm. We want the time to be sync'ed
> between all of the firewalls. Logs go to a central logging server.
> Reason for the sync'ing, to ensure that time is accurate across all of
> the firewalls in order to facilitate forensics and event correlation.

Yup, you want synchronized time.

> In your opinion - should we have a battery backed-up clock on these
> firewalls or is the network time source sufficient?

Getting clocks to stay synchronized over a long stretch of time ---
firewalls routinely stay up for years at a stretch --- is tricky;
it's something physicists have been working on for some years.

Battery-backed clocks are standard in PCs; they're good for getting
your system clock within a few seconds after a short stretch of
being powered down, but in no way do they help keep system clocks
locked in perfect sync (i.e. much less than one second's skew) over a
period of months. For that you need an online sync.

xntpd doesn't have a perfect security track record; if you must use
it, make sure you precisely define your time distribution tree, and
use packet filters to prevent people from attacking. NB also that in
neighborhoods like firewall plants, it's good juju to wire in MAC
addrs in switch ports and arp tables, to make it harder for people
to forge traffic.

I really loathe being forced to do that kind of hardening to attempt
to shield weak software. xntpd is a magnificent engineering
achievement for its vintage, but it's really crufty.

I'd use clockspeed[1] instead.

You still will want to define a time distribution tree, and a
suspenders-and-belt mindset would argue for protecting it with
packet filtering as well, but it's not an attractive nuisance.

-Bennett

[1] <URL:http://cr.yp.to/clockspeed.html>
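The post recommends declaring the time distribution tree explicitly and then packet-filtering so that NTP traffic is only accepted along the declared edges. The script below is an added example (not part of Bennett's message, and not clockspeed's or xntpd's own code) that turns such a tree into per-host filter rules and rejects malformed trees. It assumes a constructed tree using RFC 5737 documentation addresses, that time traffic is UDP with port 123 at both ends, and an iptables-style rule syntax; the hosts and addresses are placeholders, not anything from the thread.

```python
"""Derive a strict NTP packet-filter policy from a declared time-distribution tree.

Assumptions (constructed for this example, not taken from the post):
- hosts are named by RFC 5737 documentation addresses
- NTP traffic between a client and its declared server is UDP/123 on both ends
- rules are rendered in iptables syntax for illustration only
"""
from collections import deque

# Constructed time-distribution tree: parent -> children it feeds.
TIME_TREE = {
    "192.0.2.1": ["192.0.2.10", "192.0.2.11"],  # stratum source feeds two firewalls
    "192.0.2.10": ["192.0.2.20"],               # one firewall relays to a third
}


def validate_tree(tree):
    """Return the root host; raise ValueError if the tree is malformed.

    Each host may have only one parent (a second parent would be a second
    party able to steer its clock), there must be exactly one root, and
    every host must be reachable from the root.
    """
    parents = {}
    for parent, children in tree.items():
        for child in children:
            if child in parents:
                raise ValueError(f"{child} has two parents: {parents[child]} and {parent}")
            parents[child] = parent
    roots = [host for host in tree if host not in parents]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    root = roots[0]
    seen = {root}
    queue = deque([root])
    while queue:
        for child in tree.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    all_hosts = set(tree) | set(parents)
    if seen != all_hosts:
        raise ValueError(f"unreachable hosts: {sorted(all_hosts - seen)}")
    return root


def allowed_pairs(tree):
    """Set of (client, server) pairs permitted to exchange NTP, one per tree edge."""
    validate_tree(tree)
    return {(child, parent) for parent, children in tree.items() for child in children}


def is_allowed(tree, client, server):
    """True only if client is declared as a direct child of server."""
    return (client, server) in allowed_pairs(tree)


def render_rules(tree, host):
    """Rules for one host: accept NTP to its declared server and from its
    declared children, then drop every other UDP/123 packet in both directions."""
    rules = []
    for client, server in sorted(allowed_pairs(tree)):
        if host == client:
            rules.append(f"iptables -A OUTPUT -p udp -d {server} --dport 123 -j ACCEPT")
            rules.append(f"iptables -A INPUT -p udp -s {server} --sport 123 -j ACCEPT")
        elif host == server:
            rules.append(f"iptables -A INPUT -p udp -s {client} --dport 123 -j ACCEPT")
            rules.append(f"iptables -A OUTPUT -p udp -d {client} --sport 123 -j ACCEPT")
    # Default-deny for anything else claiming to be time traffic.
    rules.append("iptables -A INPUT -p udp --dport 123 -j DROP")
    rules.append("iptables -A INPUT -p udp --sport 123 -j DROP")
    rules.append("iptables -A OUTPUT -p udp --dport 123 -j DROP")
    rules.append("iptables -A OUTPUT -p udp --sport 123 -j DROP")
    return rules


if __name__ == "__main__":
    for host in ["192.0.2.1", "192.0.2.10", "192.0.2.20"]:
        print(f"# rules for {host}")
        print("\n".join(render_rules(TIME_TREE, host)))
```

The relay host 192.0.2.10 ends up with accepts toward its parent and from its single child only; 192.0.2.20 talking to the root directly, or any host outside the tree, falls through to the drops. The same tree file can double as the checklist for the switch-port MAC pinning the post mentions, since it already names every host that legitimately participates.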
