Re: Re: NTP secure
One disadvantage of running ntpdate is that it "blindly" believes the one
server it contacts, whereas an ntp server can "watch" a couple of servers
and ignore the "insane" ones. Also, running NTP long term will calibrate
its software PLL such that when you lose contact with the external world,
the server already has a nice complicated equation that "knows" the system
clock is 44.02341 ppm slow and will attempt to correct it accordingly,
which will give you pretty accurate time during the outage.
Two areas of thought:
One is what kind of accuracy do you need. Where I work we need to compare
recorded outages and alarms with other companies. It helps a lot if both
us and "them" have identical clocks. Thus we need to run NTP externally;
like it or not, we have to. On the other hand, if the only reason you
want to run time sync software is the "too lazy to set the clock" effect,
then don't bother running it, because the time spent setting it up and
maintaining it would likely exceed the gain, other than the "coolness"
effect.
Another area of thought is the security issue. DOS attacks on NTP are
pretty irrelevant, because if you need accurate time you'll be monitoring
the NTP server, and will quickly detect and fix denial of service
attacks, yet if you don't need accurate time and you lose NTP, then by
definition it doesn't matter anyway. No one sells NTP as a service (?) so
if it doesn't work no one outside the I.S. dept will care anyway. The
other area is what damage can be done by generally messing around with
NTP, and although I've hardly audited the code myself, it seems as though
there's almost nothing that could be done by some kind of exploit,
considering that it's UDP based and has plenty of code to deal with
"insane" clocks anyway.
I guess the best way to determine if ntp is too "insecure" is to compare
the number of exploits based on NTP vs the number of sendmail or MS IIS
exploits...
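As an added, simplified illustration of the two points made above (rejecting "insane" servers, and learning the clock's drift so holdover stays accurate), here is a small Python sketch; it is not code from this thread or from ntpd, and the server names, offsets and drift history are constructed:

```python
"""Simplified illustration of two things a long-running NTP daemon does that
a one-shot ntpdate cannot: ignore "insane" servers and keep a drift estimate
for holdover. Constructed data only; NOT ntpd's clock-selection or PLL code."""
from statistics import median


def select_truechimers(offsets, max_dev=0.128):
    """Return the servers whose offset (seconds) lies within max_dev of the
    median offset. Crude stand-in for ntpd's intersection/clustering logic:
    when most servers agree to within ~20 ms, one reporting 37 s off is
    treated as a falseticker and ignored instead of being blindly trusted."""
    med = median(offsets.values())
    return sorted(s for s, off in offsets.items() if abs(off - med) <= max_dev)


def estimate_drift_ppm(samples):
    """Least-squares slope of accumulated offset vs. elapsed time, in ppm.
    samples: list of (elapsed_seconds, offset_seconds); a positive slope
    means the local clock runs slow relative to the reference."""
    n = len(samples)
    sx = sum(t for t, _ in samples)
    sy = sum(o for _, o in samples)
    sxx = sum(t * t for t, _ in samples)
    sxy = sum(t * o for t, o in samples)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    return slope * 1e6


def holdover_correction(drift_ppm, elapsed_seconds):
    """Seconds to add to the free-running clock after elapsed_seconds without
    upstream contact, using the drift learned while NTP was still in sync."""
    return drift_ppm * 1e-6 * elapsed_seconds


# Constructed offsets measured against five candidate servers (seconds).
OFFSETS = {"ntp-a": 0.012, "ntp-b": -0.004, "ntp-c": 0.008,
           "ntp-d": 37.5, "ntp-e": 0.001}
# Constructed drift history: clock falling behind at 44.02341 ppm over 3 hours.
DRIFT_SAMPLES = [(t, t * 44.02341e-6) for t in (0, 3600, 7200, 10800)]

if __name__ == "__main__":
    print("trusted servers:", select_truechimers(OFFSETS))
    ppm = estimate_drift_ppm(DRIFT_SAMPLES)
    print(f"drift estimate: {ppm:.5f} ppm")
    print(f"holdover correction after 24h: {holdover_correction(ppm, 86400):.3f} s")
```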
----- Forwarded by Vince Mulhollon/Norlight on 10/09/2000 09:16 AM -----
Matthew Whitworth <matthew@okcomputer.org>
10/09/2000 09:02 AM
To: Christian Hammers <ch@westend.com>
cc: debian-firewall@lists.debian.org, (bcc: Vince Mulhollon/Norlight)
Fax to:
Subject: Re: NTP secure
I frequently use ntpdate from a cron job rather than running a full blown
xntpd server.
Matthew
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sign the petition to let Ralph Nader in the Presidential Debates!
http://www.votenader.org/debates/
93222 signatures and not a damn thing from the CPD....
On Mon, 9 Oct 2000, Christian Hammers wrote:
> Hi
>
> I'm wondering if the ntp protocol that operates mainly in UDP can be
> used on a firewall server (to synchronise logfiles) or if it is too
> insecure.
>
> The only information usable for "security" seems, according to ethereal,
> the originate time stamp, which means that an attacker has to be very fast
> to read this and send its own, faked packet faster than the original asked
> server.
>
> What would you recommend as time synchroniser on a firewall?
> (No big-company thing that would be worth buying a DCF77 clock for on its
> own, just a fun project...)
>
> bye,
>
> -christian-
>
> --
> Christian Hammers    WESTEND GmbH - Aachen und Dueren    Tel 0241/701333-0
> ch@westend.com       Internet & Security for Professionals    Fax 0241/911879
> WESTEND ist CISCO Systems Partner - Premium Certified
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
>
>