You can minimize your risk by picking a single machine on the inside to act
as an NTP server to the rest of your internal machines, then allow NTP from
only that machine out.  You can also select a specific set of internet NTP
servers to allow the traffic to (see
http://www.boulder.nist.gov/timefreq/service/nts.htm for a good list).

Not a perfect solution, but secure enough for most implementations.

Dan Hitchcock
MCSE, CCNA
Network Engineer
HomeStreet Bank
206.389.4467
[EMAIL PROTECTED]


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 09, 2000 12:25 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [FW1] NTP



On Wed, 24 May 2000 [EMAIL PROTECTED] wrote:

> I want to synchronize time on the servers behind the firewall via the
> internet. Is it ok to allow ntp via the firewall into the internet for
> time synchronization.

You really need to perform a risk assessment for your environment.

Since NTP uses UDP/123, it is much easier to spoof time messages.
The attack would be to spoof a time message to make forensic analysis
harder, although if the attacker makes the time change too large and too
fast, the NTP client will disregard it.

If you can afford it, get an internal time source that can use MD5 for
authentication.

No simple answers.


- brett



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
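As an added example, not code from either poster: a small Python sketch of the client-side checks the two replies describe. It builds an NTP mode-4 reply, appends the symmetric-key MAC that ntpd uses for MD5 authentication (key id followed by MD5 over key || packet), and then runs a reply through three gates: is the source one of the few servers we chose to allow (Dan's point), does the MAC verify under a trusted key (Brett's point), and is the implied step under the 1000-second panic threshold at which ntpd disregards the sample. The key value, the 10.0.0.5 server address and the single-timestamp offset calculation are assumptions made for the demonstration; real NTP derives offset from all four timestamps.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
PANIC_THRESHOLD = 1000.0               # ntpd's default -g/panic limit in seconds
HEADER_LEN = 48                        # NTP header without the MAC
MAC_LEN = 4 + 16                       # key id + MD5 digest


def to_ntp_timestamp(unix_seconds):
    """Encode a Unix time as a 64-bit NTP timestamp (seconds, fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def from_ntp_timestamp(raw):
    """Decode a 64-bit NTP timestamp back to Unix seconds as a float."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_server_reply(transmit_unix, stratum=2):
    """Construct a minimal NTPv3 mode-4 (server) reply. All four
    timestamps are set to the transmit time purely to keep the demo short."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4              # LI=0, version 3, mode 4
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll 2^6, precision 2^-20
    header += struct.pack("!III", 0, 0, 0x4C4F434C)   # root delay, root disp, refid "LOCL"
    header += to_ntp_timestamp(transmit_unix) * 4     # ref, origin, receive, transmit
    return header


def sign(packet, key_id, key):
    """Append an ntpd-style symmetric MAC: key id + MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(packet, trusted_keys):
    """True only if the packet carries a MAC computed under a trusted key."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])


def accept_reply(packet, src_ip, allowed_servers, trusted_keys, local_now):
    """Return (accepted, reason) for a reply received from src_ip at local_now."""
    if src_ip not in allowed_servers:                 # firewall-style allow list
        return False, "source not in allowed server list"
    if not verify_mac(packet, trusted_keys):          # spoofed UDP without the key fails here
        return False, "bad or missing MAC"
    li_vn_mode = packet[0]
    if li_vn_mode & 0x07 != 4:
        return False, "not a server reply"
    transmit = from_ntp_timestamp(packet[40:48])
    offset = transmit - local_now                     # simplified one-timestamp offset
    if abs(offset) > PANIC_THRESHOLD:                 # too large, too fast: disregard
        return False, "offset exceeds panic threshold"
    return True, "accepted (offset %.3fs)" % offset


def demo():
    """Run four constructed replies through accept_reply and return the verdicts."""
    trusted = {1: b"example-shared-secret"}          # assumed key, not a real one
    allowed = {"10.0.0.5"}                            # assumed internal time server
    now = 1_000_000_000.0
    genuine = sign(build_server_reply(now + 0.5), 1, trusted[1])
    forged = sign(build_server_reply(now + 600), 1, b"attacker-guess")
    unsigned = build_server_reply(now + 600)
    huge_step = sign(build_server_reply(now + 5000), 1, trusted[1])
    return {
        "genuine": accept_reply(genuine, "10.0.0.5", allowed, trusted, now),
        "forged_mac": accept_reply(forged, "10.0.0.5", allowed, trusted, now),
        "unsigned": accept_reply(unsigned, "10.0.0.5", allowed, trusted, now),
        "wrong_source": accept_reply(genuine, "192.0.2.9", allowed, trusted, now),
        "huge_step": accept_reply(huge_step, "10.0.0.5", allowed, trusted, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-13s %s  %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

Only the genuine reply is accepted; the forged and unsigned packets fail the MAC check even though they arrive from the allowed address, the correctly signed reply from an unlisted host fails the allow list, and a correctly signed reply implying a 5000-second step is thrown away by the panic threshold. Note that MD5 keys only buy you anything if the attacker cannot read the keys file on either end.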


