Firewall Wizards mailing list archives

Re: RE: Acquisition of time


From: Joseph S D Yao <jsdy () center osis gov>
Date: Thu, 30 Jan 2003 15:36:18 -0500

On Wed, Jan 29, 2003 at 12:29:56PM -0500, Paul D. Robertson wrote:
> On Wed, 29 Jan 2003, Brian Monkman wrote:
> 
> > Ok - so something more specific this time.
> > 
> > We are talking about a firewall farm. We want the time to be sync'ed 
> > between all of the firewalls. Logs go to a central logging server. 
> > Reason for the sync'ing, to ensure that time is accurate across all of 
> > the firewalls in order to facilitate forensics and event correlation.
> > 
> > In your opinion - should we have a battery backed-up clock on these 
> > firewalls or is the network time source sufficient?
> 
> If the criterion is that the firewalls be synchronized to some standard, 
> then I suppose the real issue is what happens if a single firewall is 
> rebooted and unable to reach either the time server or the logging server 
> (if it's syslog, you don't even know you didn't get there?)
> 
> (UDP-based syslogs were heavily affected by SQL-Slammer for instance.)
> 
> Battery back-up helps for the reboot instance, and (potentially, though 
> not normally) for the timeserver goes down instance.  If there's defined 
> behaviour for "system rebooted and couldn't reach the timeserver" and it's 
> materially separable from "just after midnight," then I don't suppose 
> there's much of an issue, you can put things back together by deltaing 
> once you do get reliable time information.  

Battery back-up clocks MUST periodically have the network-based time
written into them!  Otherwise, when the system re-boots, you get the
battery back-up clock's time, whatever it might just happen to be!

Most battery hardware clocks aren't very expensive, so this seems like
a cheap and reasonable backup to syncing off the NTP source(s).

--
Joe Yao                         jsdy () center osis gov - Joseph S. D. Yao
OSIS Center Systems Support                                     EMT-B
-----------------------------------------------------------------------
            PLEASE ... send or Cc: all "OSIS Systems Support"
                     mail to sys-adm () center osis gov
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
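Paul's "deltaing" once reliable time arrives, as an added example that is not code from the thread or its authors: a Python sketch that shifts the entries a firewall logged between a reboot and the following ntpd clock step, and flags them as untrusted when no step has been seen yet. The boot marker string, the ntpd "time reset" message format and the log year are assumptions.

```python
"""Re-align log timestamps from a firewall whose clock was wrong after a
reboot. Added example for this thread, not code from the list or its authors.
Assumes syslog-style lines, an ntpd "time reset" message giving the step
size, and the log year (syslog omits it)."""
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
STEP = re.compile(r"ntpd\[\d+\]: time reset ([+-]\d+(?:\.\d+)?) s")
BOOT = "kernel: Linux version"  # assumed first line after a reboot

# Constructed sample: fw2 booted with a battery clock about 3 days behind,
# logged a drop on the stale clock, then ntpd stepped the clock forward.
SAMPLE = """\
Jan 27 03:10:02 fw2 kernel: Linux version 2.4.20 (boot)
Jan 27 03:11:40 fw2 kernel: DROP IN=eth0 SRC=10.9.8.7 DST=10.0.0.1 DPT=1434
Jan 30 03:12:01 fw2 ntpd[412]: time reset +259205.000000 s
Jan 30 03:12:30 fw2 kernel: DROP IN=eth0 SRC=10.9.8.7 DST=10.0.0.1 DPT=1434
"""

def parse(text, year):
    """Yield (timestamp, host, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def realign(text, year=2003):
    """Return (corrected, original, host, message, status) per entry.
    Entries from a boot marker up to the next ntpd step are shifted by the
    step size; if a boot is seen but no step follows, they keep their
    timestamp and are marked 'untrusted' (real time is still unknown)."""
    out, pending = [], []          # pending: indexes awaiting a step
    for i, (ts, host, msg) in enumerate(parse(text, year)):
        out.append([ts, ts, host, msg, "ok"])
        if BOOT in msg:
            pending = [i]          # the boot line itself is stale too
        elif (m := STEP.search(msg)) and pending:
            delta = timedelta(seconds=float(m.group(1)))
            for j in pending:
                out[j][0] = out[j][1] + delta
                out[j][4] = "shifted"
            pending = []
        elif pending:
            pending.append(i)
    for j in pending:              # boot seen, real time still unknown
        out[j][4] = "untrusted"
    return [tuple(e) for e in out]
```

Entries logged after the step keep their timestamps; only the window between boot and step is moved, which is exactly the window a never-updated battery clock corrupts.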
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards