Re: All the members of a network are trusted hosts



I have a network of about 200 servers which must be time synchronized with
security.
I plan to use Autokey with the Trusted Certificate identity scheme.

I need to divide the network in trusted groups.

I lack arguments in order to decide how to define or select trusted hosts
and groups among the network.

The definition of trusted host I found in the documentation is:

A trusted host has the lowest stratum in the group and has trusted
certificates (in my understanding, if ntp-keygen is used, ntp-keygen -T was
executed.)

Could you give a list of characteristics a trusted host should comply with?

- Secured system (for example, physical access to the system is controlled, ...)
- The server is a reliable source of time (even though it does not have the
lowest stratum of the network)
- ...

The documentation shows groups composed of 2 to 4 systems with a maximum of
3 levels (the trusted server connected to a non-trusted server, itself
connected to another non-trusted system).
I plan to follow these rules.

Cordially,


Alain BARTHOLOMÉ



-----Original Message-----
From: Danny Mayer [mailto:mayer@xxxxxxx]
Sent: Sunday, February 15, 2009 16:33
To: Bartholome, Alain
Cc: 'questions@xxxxxxxxxxxxx'
Subject: Re: [ntp:questions] All the members of a network are trusted hosts

Bartholome, Alain wrote:
Hi,

Could you tell me what the consequences are, especially from the security
point of view, if all the members of the network which must be
synchronized are trusted hosts and have trusted generated certificates?


Well you can rely on them when using the autokey protocol to provide you
with a reliable source of time.

Does this make any sense?

Does this make sense for trusted certificate only?


It's a little hard to interpret since you haven't defined what you mean
by trusted hosts and trusted generated certificates. Are the trusted hosts
trusted because you've used DNSSEC to find them, or some other method?
What is trusted about them? With certificates, who and what generated
the certificates and how were they distributed to other nodes?

Maybe a little more explanation of your needs would help so we can
answer the question.

Danny


Thanks for your answer.



Alain BARTHOLOMÉ




