Security Basics mailing list archives

Re: NTP recommendations


From: Ned Fleming <ned () kaw us>
Date: Thu, 13 Mar 2003 09:13:45 -0600

On Tue, 11 Mar 2003 20:32:02 -0500, "Jennifer Fountain"
<JFountain () rbinc com> wrote:

I am currently looking into configuring my company's time servers.  

A couple of things:

You can probably skip making ntp servers out of your DMZ-based
machines.

Set up your ntp servers on your corporate LAN and allow them, and only
them, to contact external ntp sources (port 123, I believe). Your
internal ntp servers should get their data from dispersed sources. (We
use those in Boulder, Houston, and Washington.)

Give your internal ntp servers alias DNS names. For example, say
you're running a Linux box called webserver.rbinc.com, which is
running apache. You put ntp on this box to make it an ntp server. Give
it the DNS name of clock.rbinc.com, and make sure people use this name
to access the service. Call the other ones tick.rbinc.com and
tock.rbinc.com. That way you can move the service around to different
boxes as you need to.
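
Added example, not part of the original post: a check that a Linux gateway's forwarding rules let only the designated internal time servers reach external NTP sources (NTP uses UDP port 123). The addresses 10.0.0.11-13 for clock/tick/tock, the FORWARD chain, and the sample ruleset in `iptables -S` format are constructed assumptions.

```python
import ipaddress
import shlex

# Assumed addresses behind clock/tick/tock (constructed for this example).
NTP_SERVERS = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}

# Constructed sample in `iptables -S FORWARD` output format.
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -s 10.0.0.11/32 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 10.0.0.12/32 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 10.0.0.13/32 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 10.0.0.40/32 -p tcp -m tcp --dport 443 -j ACCEPT
"""

def parse_rule(line):
    """Return an option -> value map for one '-A' rule, or None for other lines."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "-A":
        return None
    opts, i = {}, 2  # start after "-A <chain>"
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts

def audit_ntp_egress(rules_text, allowed=NTP_SERVERS):
    """List rules that let anything other than a single designated time
    server send to UDP/123, plus any default policy that is not DROP."""
    findings = []
    for line in map(str.strip, rules_text.splitlines()):
        if line.startswith("-P ") and not line.endswith(" DROP"):
            findings.append(line)  # default policy would forward everything
        opts = parse_rule(line)
        if not opts or opts.get("-j") != "ACCEPT":
            continue
        if opts.get("-p") != "udp" or opts.get("--dport") != "123":
            continue
        # A rule with no -s matches every source address.
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if src.num_addresses != 1 or str(src.network_address) not in allowed:
            findings.append(line)
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ntp_egress(SAMPLE_RULES)))
```

On the constructed sample it reports the /24 rule and the rule with no source address; both would let ordinary LAN hosts bypass the internal time servers.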


