Re: NTP Server(s)



I work for a Fortune 500 company and from talking with our Cisco sales
engineer, the following setup is pretty much the norm in most large
enterprises.

First, you would purchase multiple NTP appliances (such as the TrueTime
mentioned by the previous poster) and have them sync using GPS and thus be
stratum 1 NTP servers with no internet access required. You would install
three of them at three different geographic locations. You would then
configure your primary devices to sync to all of them. Only one will be
used, but if one of them goes flaky, NTP is smart enough to figure out which
one is "off" if you have at least 3 configured sources. If you have only one
NTP server and it goes bad, time will be off on your entire network. Since
everything will be synced together, this is not necessarily a bad thing. If you
have two NTP servers and one of them goes flaky, half the devices will think
the good one is good, and the other half will think the bad one is good. If
you have three, and one goes bad, everything will sync to one of the two
good ones.

In our organization, we have three TrueTime NTP-200's, and the primary domain
controllers for AD sync to them, as do multiple NDS servers, the mainframe and
other unix servers. All of the PC clients sync to the AD domain controllers
or the NDS servers. We have three routers that sync to the NTP servers and
have all of our network devices sync to those three routers. The NTP
servers are on the internal network, and our firewall between the DMZs and
the internal network allows NTP between them. No NTP is permitted
to/from the internet. Our Internet routers in front of the firewall sync to
3 publicly accessible NTP servers on the internet. We have been running
this scenario for about 10 - 12 years without any issues. The TrueTime
servers were last replaced about 3 years ago because they were almost 10 years
old and we figured we needed a refresh.

Scott
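The one-, two- and three-source argument above is NTP's clock-selection (intersection) algorithm at work. The following is an added example, not code from the post: a simplified Python version of that algorithm (after RFC 5905 section 11.2.1) run over constructed offsets for one, two and three GPS appliances, where the third appliance ("gps3") has drifted by five seconds. Source names, offsets and root distances are all made up for the illustration.

```python
"""Simplified NTP clock selection (intersection algorithm, RFC 5905 s.11.2.1).

Each source reports an offset estimate plus a root distance; the true time is
assumed to lie within [offset - dist, offset + dist].  The algorithm looks for
the smallest interval that overlaps the intervals of a strict majority of
sources; sources whose offset lies outside it are falsetickers.  When no
majority exists it cannot decide, which is exactly the two-sources-disagree
case from the post.  Added example, not code from either poster.
"""
from typing import Dict, List, Optional, Tuple

# (name, offset in seconds, root distance in seconds).  Constructed values.
Source = Tuple[str, float, float]


def intersection_interval(sources: List[Source]) -> Optional[Tuple[float, float]]:
    """Return (low, high) of the majority intersection, or None when no strict
    majority of the sources' intervals overlap."""
    n = len(sources)
    if n == 0:
        return None
    # Three "chime" tuples per source: low endpoint (-1), midpoint (0), high (+1).
    chimes: List[Tuple[float, int]] = []
    for _, offset, dist in sources:
        chimes += [(offset - dist, -1), (offset, 0), (offset + dist, +1)]
    chimes.sort()

    for allow in range(n):          # allow = falsetickers tolerated on this pass
        if 2 * allow >= n:          # truechimers must remain a strict majority
            break
        need = n - allow
        low = high = None
        found = 0                   # midpoints left outside the candidate interval
        chime = 0
        for edge, kind in chimes:   # sweep upward to find the lower endpoint
            chime -= kind
            if chime >= need:
                low = edge
                break
            if kind == 0:
                found += 1
        chime = 0
        for edge, kind in reversed(chimes):  # sweep downward for the upper endpoint
            chime += kind
            if chime >= need:
                high = edge
                break
            if kind == 0:
                found += 1
        if low is not None and high is not None and low <= high and found <= allow:
            return low, high
    return None


def select_truechimers(sources: List[Source]) -> Dict[str, object]:
    """Split sources into truechimers and falsetickers; 'decided' is False when
    the algorithm cannot form a majority (e.g. two sources that contradict)."""
    interval = intersection_interval(sources)
    if interval is None:
        return {"decided": False, "interval": None, "truechimers": [], "falsetickers": []}
    low, high = interval
    true_ = [name for name, off, _ in sources if low <= off <= high]
    false_ = [name for name, off, _ in sources if not low <= off <= high]
    return {"decided": True, "interval": interval, "truechimers": true_, "falsetickers": false_}


# Constructed scenario: two healthy GPS appliances and one that drifted 5 s.
GOOD_1: Source = ("gps1", 0.001, 0.010)
GOOD_2: Source = ("gps2", 0.002, 0.010)
FLAKY: Source = ("gps3", 5.000, 0.010)

if __name__ == "__main__":
    for label, sources in [
        ("one source (bad or good, it is followed)", [FLAKY]),
        ("two sources, one flaky (no majority)", [GOOD_1, FLAKY]),
        ("three sources, one flaky (flaky one voted out)", [GOOD_1, GOOD_2, FLAKY]),
    ]:
        print(f"{label}: {select_truechimers(sources)}")
```

With a single source the algorithm has nothing to compare against and follows it even when it is wrong; with two contradicting sources it returns undecided, so each client effectively picks whichever it happens to trust; with three, the two agreeing appliances form the majority and the drifted one is discarded. Real ntpd additionally weights survivors by jitter and root distance before combining them, which this example omits.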

"J.Cottingim" <jcottingim@xxxxxxxxx> wrote in message
news:1180582841.111994.151770@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Pat,

It sounds as if personal opinions (both yours and another engineer)
disagree about a trivial matter.

Having worked for at least one of the fortune 200 companies you
mentioned and worked in the Cisco networking world for over 10 years,
I've never placed the NTP server in a DMZ. So in this instance, I
would have to agree with you.

However...

The purpose for placing something behind a firewall (in a DMZ) is to
secure it. But NTP *is* secure. And if someone finds a security flaw
in NTP, it would be worth placing it behind a firewall, then allow
ONLY known hosts to access it only on the necessary port (UDP 123).

If the NTP server is more than **just** an NTP server - like running
on ANY Operating System (Linux, Solaris, Windows, MacOS, etc.) - then
you *should* place it in the DMZ - simply because of the insecure
nature of the OS. - But fortune 200 companies would use dedicated NTP
appliances such as the ones from TrueTime.

Who cares where it is. Yes, it will cause extra work because of its
placement behind the firewall. - But it isn't that hard.

My guess is that your NTP server is not an appliance - and there's
really nothing wrong with that. But put it in the DMZ.

Let your ego go, it'll make you a much better engineer in the long
run.

Good luck.
JC
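JC's "only known hosts, only UDP 123" advice, written out as an added ntp.conf fragment (not from either poster): the permissive default beside a restricted configuration. The addresses are hypothetical: three GPS appliances on 10.0.1.10-12 and clients on 10.0.0.0/8. The `restrict` lines control what the daemon will answer; filtering the port itself (UDP 123 to and from only those hosts) still belongs on the firewall in front of it.

```conf
# Assumed addresses (hypothetical): GPS appliances 10.0.1.10/.11/.12,
# internal clients 10.0.0.0/8.  Added example, not from the original posts.

# Weak: with no restrict lines at all, any host that can reach UDP 123 may
# query the daemon's state (ntpq/ntpdc) and, if authentication is unset,
# attempt runtime changes.  Do not run with only this:
#   server 10.0.1.10

# Hardened: deny everything by default, then permit only known hosts.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1

# The three upstream stratum-1 appliances: accept time from them, but deny
# them control queries and runtime modification of this daemon.
server 10.0.1.10 iburst
server 10.0.1.11 iburst
server 10.0.1.12 iburst
restrict 10.0.1.10 nomodify notrap noquery
restrict 10.0.1.11 nomodify notrap noquery
restrict 10.0.1.12 nomodify notrap noquery

# Internal clients may ask for time only: no modification, no trap
# registration, no new peer associations, no status queries.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery
```

`restrict default ignore` means anything not explicitly listed gets no reply at all, so every upstream server and client range must appear in its own `restrict` line or synchronization silently stops; check with `ntpq -p` after reloading that the three servers still reach.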


