
Re: [FW-1] Time Synchronization



UNSUBSCRIBE fw-1-mailinglist

-----Original Message-----
From: Robert C. Wessel [mailto:[email protected]]
Sent: Thursday, October 11, 2001 10:39 PM
To: [email protected]
Subject: Re: [FW-1] Time Synchronization


At 08:43 AM 10/10/01 -0700, you wrote:
>We are trying to synchronize time on our domain. One of our system
>administrators wants to use the atomic clock on the internet. We will be
>utilizing the SNTP protocol on port 123/udp inbound and outbound. Do you see
>any issues with allowing this traffic?

Set up your firewall to allow the (S)NTP traffic from your internal time
client(s) to and from the list of approved external time servers only.
There is a theoretical risk that the replies could be spoofed, but...  In
any event set up your time client to perform sanity checks (e.g. refuse to
change the current time by more than 2 minutes, or something like that).
Hitting more than one external clock can reduce that vulnerability, or if
you're really paranoid about it, get a GPS receiver.

> Also, are there any suggestions on
>how to implement time synchronization using the atomic clock on the
>internet?

With an (S)NTP client?

But seriously, only set up one or two internal time clients that go
outside, and have everyone else hit those - it's impolite (and bad policy)
to have everyone on your network hitting the public servers.  It's also not
unreasonable to put the NTP clients that go outside on your DMZ, and
another time server on your internal network pointing to the one(s) on the
DMZ.


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
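
The client-side sanity checks suggested in the reply above, sketched as an added example (it is not part of the original message and not taken from any NTP client): each reply is accepted only from an approved server and only if it echoes the request, and the clock is stepped only when enough servers agree and the step is at most 2 minutes. The function names, the allow-list addresses (documentation range) and the two-source minimum are assumptions made for illustration.

```python
import struct
from statistics import median

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
MAX_STEP = 120.0              # "refuse to change the current time by more than 2 minutes"
APPROVED = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}  # constructed allow-list

def to_ntp(unix_time):
    """Encode a Unix time as an 8-byte NTP timestamp (seconds + fraction)."""
    sec = int(unix_time)
    return struct.pack("!II", sec + NTP_UNIX_DELTA, int((unix_time - sec) * 2**32))

def from_ntp(buf, off):
    """Decode the 8-byte NTP timestamp at offset off into a Unix time."""
    sec, frac = struct.unpack_from("!II", buf, off)
    return sec - NTP_UNIX_DELTA + frac / 2**32

def make_packet(mode, stratum, originate, receive, transmit, leap=0):
    """Build a 48-byte (S)NTP v4 packet; used here to construct sample input."""
    head = bytes([leap << 6 | 4 << 3 | mode, stratum, 0, 0]) + bytes(20)
    return head + originate + receive + transmit

def offset_from_reply(src_ip, request, reply, t4):
    """Clock offset in seconds from one reply, or None if the reply is rejected."""
    if src_ip not in APPROVED or len(reply) < 48:
        return None                       # same list the firewall rule enforces
    leap, mode, stratum = reply[0] >> 6, reply[0] & 7, reply[1]
    if mode != 4 or leap == 3 or not 1 <= stratum <= 15:
        return None                       # not a synchronised server reply
    if reply[24:32] != request[40:48]:
        return None                       # must echo our transmit timestamp
    t1, t2, t3 = from_ntp(request, 40), from_ntp(reply, 32), from_ntp(reply, 40)
    return ((t2 - t1) + (t3 - t4)) / 2    # standard NTP offset formula

def agreed_adjustment(offsets, min_sources=2):
    """Median offset across servers, or None if too few replied or the step is too big."""
    good = [o for o in offsets if o is not None]
    if len(good) < min_sources:
        return None
    step = median(good)
    return step if abs(step) <= MAX_STEP else None
```
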



 
   All contents © 2004 Network Presence, LLC. All rights reserved.