For all my servers except the SecurID servers I run NTP.  NTP comes from
several firewalls through several ISP lines to different ISPs.  This is to
reduce the possibility of attacks.  I would like to get a dedicated GPS clock
as well, if it ever gets approved.  To synchronize SecurID, I run a process
that does an 'ntpdate -d' to a ring of NTP servers at random times a couple
times a day to get the difference.  The script also checks the amount of
time to move.  If the difference is less than XX seconds, it does the
ntpdate again without the "-d".  If it is more than XX seconds it refuses
the update and sends me a warning email instead.  I believe to cause SecurID
to deny service you will need to move the clocks at least 2 minutes off the
mark within a week, assuming that the average person signs on once a week.
Anyone who signs on more than once a week would be unaffected because
SecurID will just start sensing that those tokens are drifting.

Is the above foolproof?  No, fools are just too resourceful :-).  Does it
make things harder to circumvent?  I would hope so.  Please note in the
above that I am not disclosing the XX second value. This is so that anyone
who may try to break in does not know my warning threshold.

On Thursday, June 22, 2000 5:59 AM, Mikael Olsson
[SMTP:[EMAIL PROTECTED]] wrote:
> 
> 
> [EMAIL PROTECTED] wrote:
> > 
> > I want to synchronise the time on my firewalls with ntp. Can anyone tell
> > me what method is more secure: synchronise with an external server on the
> > Internet or synchronise the time with my internal timeserver ?
> 
> To address the external time server bit:
> It is _very_ insecure. Pretty much anyone can spoof time responses to your
> queries.
> If you're using time based security in some way (timed firewall rules or
> SecurID tokens), this can create anything from unwanted firewall holes to
> DoS as the SecurID tokens can't be used to log on to your servers (their
> clocks are all wrong).
> 
> Go with some internal solution. As Bret suggested, GPS is probably
> good enough for 99% of all organizations out there.
> 
> 
> -- 
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
> Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
> WWW: http://www.enternet.se/       E-mail: [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
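The drift-gated synchronisation routine described at the top of this message (query with 'ntpdate -d', apply only a small correction, otherwise refuse and warn), written out as an added example; this is not the poster's own script. It assumes the classic ntpdate(8), whose final debug line reads "... offset <seconds> sec", placeholder server names and mail address, and a variable MAX_STEP_SEC standing in for the undisclosed "XX" threshold.

```shell
#!/bin/sh
# Added example, not the poster's own script. Gated NTP step for a SecurID host:
# measure the offset with "ntpdate -d" (query only, no clock change) against one
# server picked at random from a ring, apply it only if it is small, otherwise
# refuse and mail a warning. Assumptions: classic ntpdate(8) whose last debug
# line reads "... offset <seconds> sec"; server names and the mail address are
# placeholders; MAX_STEP_SEC stands in for the poster's undisclosed "XX".

NTP_SERVERS="${NTP_SERVERS:-ntp1.example.internal ntp2.example.internal ntp3.example.internal}"
MAX_STEP_SEC="${MAX_STEP_SEC:-30}"
ALERT_MAIL="${ALERT_MAIL:-secadmin@example.internal}"
MAX_JITTER_SEC="${MAX_JITTER_SEC:-1800}"   # random start delay, so run times are unpredictable

# Constructed sample of "ntpdate -d" output, used for dry runs and tests.
SAMPLE_NTPDATE_OUTPUT='server 192.0.2.10, port 123
stratum 2, precision -20, leap 00, trust 000
filter offset: -0.00046 -0.00045 -0.00048 -0.00046
offset -0.000463

22 Jun 10:00:00 ntpdate[1234]: adjust time server 192.0.2.10 offset -0.000463 sec'

# Print a random integer in [0, $1) using awk, since POSIX sh has no $RANDOM.
rand_below() {
    awk -v n="$1" 'BEGIN { srand(); print int(rand() * n) }'
}

# Read ntpdate -d output on stdin and print the magnitude of the last reported
# offset in seconds (6 decimals). Exit 1 if no offset was found at all.
parse_offset() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "offset") v = $(i + 1) }
         END { if (v == "") exit 1; v += 0; if (v < 0) v = -v; printf "%.6f\n", v }'
}

# Decide what to do with a measured offset: "adjust" if within the threshold,
# "refuse" otherwise. Pure function, so the policy is testable without ntpdate.
decide() {
    awk -v off="$1" -v max="$2" 'BEGIN { off += 0; if (off < 0) off = -off
        r = (off <= max) ? "adjust" : "refuse"; print r }'
}

drift_check() {
    # Pick one server from the ring at random for this run.
    set -- $NTP_SERVERS
    pick=$(( $(rand_below $#) + 1 ))
    eval "server=\${$pick}"

    # Query only: -d never touches the clock. Failure to obtain an offset
    # (unreachable server, unparseable output) means "no update this run".
    offset=$(ntpdate -d "$server" 2>&1 | parse_offset) || {
        echo "drift check: no usable offset from $server" >&2
        return 2
    }

    case $(decide "$offset" "$MAX_STEP_SEC") in
        adjust)
            ntpdate "$server"           # small correction: apply it
            ;;
        refuse)
            printf 'Refused a %s s clock step from %s (limit %s s) on %s\n' \
                "$offset" "$server" "$MAX_STEP_SEC" "$(hostname)" \
                | mail -s "NTP drift warning: $(hostname)" "$ALERT_MAIL"
            return 1
            ;;
    esac
}

# Only act when invoked as "drift-check.sh run" (e.g. from cron); sourcing the
# file for tests or dry runs then has no side effects.
if [ "${1:-}" = "run" ]; then
    sleep "$(rand_below "$MAX_JITTER_SEC")"
    drift_check
fi
```

The refusal path is the important one: a measured offset beyond the limit is never applied, only reported, so an attacker who can feed the chosen server a bad time cannot push the SecurID clock far enough to lock tokens out in a single step, and the warning mail tells the operator that something is feeding wrong time.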