Re: [FW-1] Time Synchronization
I did this a few months back and it works great.. we're using our main cluster as our master time clock - it syncs with the atomic clock at the US Naval Observatory and then all of our other servers and clients (NT) sync with it. That way you allow the traffic only from one IP to another (USNO to Our Server) and can block port 123 to all other hosts on your net.

If you have NT hosts, be sure to edit the event viewer to "overwrite as necc" because NT records the drift file info to the event viewer and your log will fill up sooner or later.

A quick Google search on ntp will keep you busy for a while I bet! This should get you off to a good start though:
http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-a-faq.htm

Time sync can be considered a security liability IMHO only when you have encryption routines or firewall access groups etc based on time. I don't have any time based access stuff set up.. YMMV. Are there other liabilities there? Anyone?

On the plus security side, you can synchronize your routers, servers, FW & IDS logs, etc to the millisecond which AFAIK is what has to be done for the evidence of an attack to hold up in court..

Obviously I'm one of those who felt the plusses greatly outweighed the minuses..

hth
- Joe

>>> Erin Young <[email protected]> 10/10/01 11:43AM >>>
We are trying to synchronize time on our domain. One of our system administrators wants to use the atomic clock on the internet. We will be utilizing the SNTP protocol on port 123/udp inbound and outbound. Do you see any issues with allowing this traffic? Also, are there any suggestions on how to implement time synchronization using the atomic clock on the internet?
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
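Added example, not part of the original thread: a Python check of flow records against the rule Joe describes, where UDP/123 crosses the perimeter only between the upstream time source and the one internal master clock. The addresses, the record format and the rule that internal hosts speak NTP only with the master are assumptions constructed for illustration.

```python
import ipaddress

# Assumed addresses, constructed for illustration (not from the thread).
UPSTREAM = ipaddress.ip_address("192.0.2.10")   # external time source
MASTER = ipaddress.ip_address("10.0.0.5")       # internal master clock
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
NTP_PORT = 123

# Constructed flow records: "src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.0.0.5 123 192.0.2.10 123 udp
192.0.2.10 123 10.0.0.5 123 udp
10.0.3.20 1045 10.0.0.5 123 udp
10.0.3.21 123 198.51.100.7 123 udp
203.0.113.9 4000 10.0.3.20 123 udp
10.0.3.20 1046 192.0.2.10 80 tcp
"""

def classify(line):
    """Return a verdict for one flow record, or None if it is not NTP."""
    src, sport, dst, dport, proto = line.split()
    if proto != "udp" or NTP_PORT not in (int(sport), int(dport)):
        return None
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if {src, dst} == {MASTER, UPSTREAM}:
        return "ok-upstream"            # the single permitted perimeter pair
    if src in INTERNAL and dst in INTERNAL:
        # Assumption: internal hosts use NTP only with the master.
        return "ok-internal" if MASTER in (src, dst) else "violation-internal"
    return "violation-perimeter"        # any other host crossing the boundary

def audit(text):
    """Return (line, verdict) for every NTP flow that breaks the policy."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        verdict = classify(line)
        if verdict and verdict.startswith("violation"):
            findings.append((line, verdict))
    return findings

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(verdict, "<-", line)
```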