Network Security Firewalls

Re: Help in NTP server

Subject: Re: Help in NTP server
Date: Sat, 13 Nov 2004 01:07:07 -0600
On Wed, 10 Nov 2004 08:28:30 -0500, Christopher Adickes
<christopher_adickes@shi.com> wrote:
I also have a question about NTP.  This one may seem simple to some.  I'm
setting up a network security device and it needs a key and key ID for it to
use NTP.  I know what they are, but I do not know how to find servers that
need authentication and if I did I do not know how to obtain the key and key 
ID.

I am not aware of any public servers which do authenticated NTP.

Your message implies that your "network security device" will only
accept NTP with the key and ID configured, and will not accept
unauthenticated NTP?

In this situation do I need to create my own time server and use keys for
authentication?  If this is the case does anyone know if Linux (Fedora) can
do this?

Any Unix should be able to run the "NTP reference implementation" open
source NTP client/server from http://ntp.isc.org/

Although I don't know of any attacks on ntp, it is a critical service once
you get things like Kerberos running, not to mention the usual reasons
you want to sync time.

There have historically been a number of attacks against NTP client
libraries, on both Unix and also on Cisco gear.


If time is truly critical to you and this is a large LAN, then you probably
want to look at buying your own GPS driven Stratum 1 server.

I strongly recommend that in any corporate environment where accurate
time is critical, the purchase and deployment of one or several NTP
server appliances.

Or you can look at BUILDING a S1 using cheap hardware - see, for example
http://blizzard.rwic.und.edu/~nordlie/ntp-gps/.

Regardless of platform, your S1 server should go inside the LAN.

But more typically you are going to be syncing with a set of public Stratum
2 servers (or maybe Stratum 1, depending upon the size of your LAN).

If you don't want to punch NTP through your inbound-LAN firewall, then I
would suggest you put time servers in BOTH places:

In the DMZ, sync two DMZ ntp servers with each other and the S2 masters.

In the LAN, sync two (or more) LAN ntp servers with each other, the DMZ
servers and the S2 masters.

One little trick:  Make sure you have more S2 masters in your ntp.conf file
than you have DMZ servers.  That way, if somebody hacks your DMZ servers
they'll be seen as outliers and so LAN time will remain in sync with the
rest of the world.

My preference is to deploy multiple GPS-derived Stratum-1 servers
inside the enterprise, and distribute the time out from more trusted
to less trusted.
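An ntp.conf for one of the two LAN servers in the layout discussed above, added here as an illustration (not taken from the thread or from the ntp.org project): symmetric-key authentication for the security device, peering with the second LAN server, and more public Stratum 2 upstreams than DMZ servers so that a compromised DMZ pair is outvoted by ntpd's clock selection. All hostnames and the key secret are placeholders.

```conf
# /etc/ntp.conf on lan-ntp1 (constructed example; hostnames are placeholders)

# Symmetric keys live in a root-only file, one "<id> M <secret>" per line,
# e.g. "1 M REPLACE_WITH_SECRET". Key 1 is the key/ID configured on the
# security device; only keys listed in trustedkey are used for authentication.
keys /etc/ntp/ntp.keys
trustedkey 1

# Serve time by default, but refuse runtime reconfiguration and status queries
# from the network; allow full access from localhost for ntpq.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1

# The other LAN server: peer with it so the two keep each other honest.
peer lan-ntp2.example.internal key 1

# The two DMZ servers (authenticated, since we run them ourselves).
server dmz-ntp1.example.internal key 1 iburst
server dmz-ntp2.example.internal key 1 iburst

# More public Stratum 2 masters than DMZ servers (3 > 2): if both DMZ hosts
# are compromised and serve bad time, they are a minority and get marked as
# falsetickers by the selection algorithm instead of steering the LAN clock.
# Public servers normally do not offer authentication, so no "key" here.
server s2-a.example.net iburst
server s2-b.example.net iburst
server s2-c.example.net iburst
```

The security device then points at lan-ntp1 and lan-ntp2 with key ID 1 and the same secret; `ntpq -p` on the LAN server shows which upstreams are currently selected and which have been rejected as outliers.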
