Firewall Wizards mailing list archives

Re: Time syncing firewalls


From: "Steven M. Bellovin" <smb () research att com>
Date: Fri, 03 Dec 1999 21:07:17 -0500

In message <Pine.GSO.4.20.9912021309200.26387-100000 () carerra corp vicinity com>, "Aaron D. Turner" writes:

> We're using a number of FW-1 firewalls with SKIP to provide VPN
> services between various locations around the world.  One problem
> we're seeing is that every few weeks the VPN will go down for no
> apparent reason.  After talking with Checkpoint, the consensus appears
> to be that the firewalls are having clock drift which SKIP is very
> sensitive to.

You could switch to real IPsec...

> So, I was wondering what other people were using for secure
> time-syncing firewalls running on Solaris.  NTP?  timed?  I'd prefer
> NTP so that I can keep the firewalls in sync with other equipment
> which generates logs for log syncing purposes, though I'm a bit
> concerned about opening another port on the firewalls.

GPS receivers are cheap, and they can serve as stratum 1 NTP clocks.  Set up 
your own, internal NTP mesh, using at least two stratum 1 clocks in different 
locations.

                --Steve Bellovin



