I hear what you're saying, but NTP is an active attack vector. I don't trust outside resources implicitly, and traffic segmentation is a prudent measure, especially if you are getting internet time. Now if you have your own stratum 1, then I understand your point more.
Mike

On Fri, Oct 14, 2022 at 10:45 AM Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> On Fri, Oct 14, 2022 at 10:27:16AM -0400, harbor235 via cisco-nsp wrote:
> > How are you integrating NTP into your infrastructures? Is it part of your
> > management network(s)?
>
> NTP servers (appliances from Meinberg and regular FreeBSD servers, basically)
> are just sitting "on the Internet" and our machines sync to them, and
> monitor their relative times (= so if one is misbehaving, NTP will
> do the right thing on its own, and monitoring will tell us so we can
> fix it).
>
> The machines protect themselves by local iptables rules for SSH/https,
> and in-band by NTP access rules ("serve time to everyone, serve larger
> responses only to management systems, do not believe anyone").
>
> I've never understood this obsession on filtering things that are intended
> to be put out in the wild.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
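The in-band access policy Gert describes ("serve time to everyone, serve larger responses only to management systems, do not believe anyone") maps onto ntpd's `restrict` directives. The ntp.conf fragment below is an added illustration, not Gert's or anyone else's actual configuration; the upstream server names and the 192.0.2.0/24 management prefix are placeholders.

```conf
# Added example ntp.conf (illustrative; hostnames and prefixes are placeholders).

# Upstream sources (placeholder names). iburst speeds up initial sync.
server ntp1.example.net iburst
server ntp2.example.net iburst
server ntp3.example.net iburst

# "Serve time to everyone, do not believe anyone":
# anyone may send mode 3 client requests and get a time answer, but
#   nomodify - refuse runtime reconfiguration via ntpq/ntpdc
#   notrap   - refuse trap (remote event logging) setup
#   nopeer   - refuse unauthenticated symmetric-active peering, so a
#              stranger cannot make this host accept them as a time source
#   noquery  - refuse the larger mode 6/7 status and control queries
#   kod/limited - rate-limit and send Kiss-o'-Death to clients that poll too fast
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited

# Loopback keeps full access so local ntpq/ntpdc still work on the box.
restrict 127.0.0.1
restrict ::1

# "Serve larger responses only to management systems":
# the management network (placeholder prefix) may run status queries
# (e.g. ntpq -p), but still may not reconfigure or peer with the daemon.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
```

`ntpq -p` run from a host outside 192.0.2.0/24 should time out against this server while plain client sync continues to work, which is a quick way to confirm the policy is in effect.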