Re: [FW-1] Time Synchronization



I did this a few months back and it works great.. we're using our main cluster
as our master time clock - it syncs with the atomic clock at the US Naval Observatory
and then all of our other servers and clients (NT) sync with it. That way you allow the traffic
only from one IP to another (USNO to Our Server) and can block port 123 to all other hosts
on your net.  If you have NT hosts, be sure to edit the event viewer to "overwrite as necc"
because NT records the drift file info to the event viewer  and your log will
fill up sooner or later.  A quick Google search on ntp will keep you busy
for a while I bet! This should get you off to a good start though:

http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-a-faq.htm

Time sync can be considered a security liability IMHO only when you have encryption routines
or firewall access groups etc based on time.  I don't have any time based access stuff set up..
YMMV. Are there other liabilities there? Anyone?

On the plus security side, you can synchronize your routers, servers, FW & IDS logs, etc to the millisecond
which AFAIK is what has to be done for the evidence of an attack to hold up in court.. Obviously I'm one
of those who felt the plusses greatly outweighed the minuses..

hth

- Joe

>>> Erin Young <[email protected]> 10/10/01 11:43AM >>>
We are trying to synchronize time on our domain. One of our system
administrators wants to use the atomic clock on the internet. We will be
utilizing the SNTP protocol on port 123/udp inbound and outbound. Do you see
any issues with allowing this traffic? Also, are there any suggestions on
how to implement time synchronization using the atomic clock on the
internet?



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
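
The policy described in the reply above (port 123 only between the master clock and the upstream time source, with every other host syncing to the master) can be checked against firewall logs. The following is an added example, not part of the original thread; the addresses are documentation-range placeholders and the one-line log format is an assumption.

```python
import ipaddress

# Assumed values (documentation ranges), not taken from the thread.
UPSTREAM = ipaddress.ip_address("192.0.2.10")       # external time source
MASTER = ipaddress.ip_address("198.51.100.5")       # internal master clock
INTERNAL = ipaddress.ip_network("198.51.100.0/24")  # hosts allowed to ask the master
NTP_PORT = 123

def parse(line):
    """Parse the assumed format 'proto src:sport -> dst:dport'."""
    proto, src, _, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return (proto.lower(), ipaddress.ip_address(s_ip), int(s_port),
            ipaddress.ip_address(d_ip), int(d_port))

def peer_of(server, src, sport, dst, dport):
    """Return the other endpoint if the packet is a request to, or a reply
    from, port 123 on `server`; otherwise None."""
    if dst == server and dport == NTP_PORT:
        return src
    if src == server and sport == NTP_PORT:
        return dst
    return None

def classify(line):
    proto, src, sport, dst, dport = parse(line)
    if proto != "udp" or NTP_PORT not in (sport, dport):
        return "not-ntp"
    # Perimeter rule: only the master may talk to the upstream source.
    if peer_of(UPSTREAM, src, sport, dst, dport) == MASTER:
        return "allowed-upstream"
    # Internal rule: other hosts sync with the master only.
    peer = peer_of(MASTER, src, sport, dst, dport)
    if peer is not None and peer != MASTER and peer in INTERNAL:
        return "allowed-internal"
    return "violation"

def audit(lines):
    """Return the log lines that break the single-master NTP policy."""
    return [l for l in lines if classify(l) == "violation"]

# Constructed sample log lines.
SAMPLE = [
    "udp 198.51.100.5:123 -> 192.0.2.10:123",     # master asks upstream
    "udp 192.0.2.10:123 -> 198.51.100.5:123",     # upstream replies
    "udp 198.51.100.23:1045 -> 198.51.100.5:123", # client asks master
    "udp 198.51.100.23:1045 -> 192.0.2.10:123",   # client bypasses master
    "udp 203.0.113.77:123 -> 198.51.100.5:123",   # unknown host hits master
    "tcp 198.51.100.23:1100 -> 192.0.2.10:80",    # unrelated traffic
]
```

Calling `audit(SAMPLE)` returns the two lines where a host other than the master talks NTP across the perimeter.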




 
   All contents © 2004 Network Presence, LLC. All rights reserved.