Not sure if this was mentioned, but you could try seeing if your firewall supports NTP. Many firewalls these days can be setup as a broadcast server...your firewall can get the time from an external source and then your internal servers can get your time from the firewall (acting as an NTP server). I think this is safer than allowing your servers to hit the Internet (often not permitted by security policy) and less of a pain, as you just permit UDP 123 to your NTP authority and nothing else. Other options have already been touched on (using DMZ servers, etc.).
Darren Van Booven ----- Original Message ----- From: "Jennifer Fountain" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, March 11, 2003 7:32 PM Subject: NTP recommedations > I am currently looking into configuring my company's time servers. My initial thoughts were setting up two or three in the dmz and configuring them to update their time on a regular basis (haven't defined regular yet) and then install two or three interal time servers that query these servers. I currently have a web server, reverse proxy, ftp (blush embarrassed - going to be getting rid of THIS real soon), email, ids, and two dns servers in the dmz. Someone has recommended to configure three of these servers (web, dns, and email) as a time server. At first, I say - huh - no. That would mean opening up two ports on each box and having a new set of potential problems if i miss anying. But I am not an expert so I head to google searches and you for guidance. Could anyone tell me their configuration or recommend a "good" configuration for company time servers? > > Thank you > Jenn > > P.S If anyone is at SANS 2003, ping me if you are in track 3 :) >