Date: Fri, 5 Jul 2002 20:29:16 -0700 (PDT)
From: twig les <twigles@yahoo.com>
To: Brian Reichert <reichert@numachi.com>, Kim Okasawa <kimokasawa@hotmail.com>
Cc: _@r4k.net, freebsd-security@freebsd.org
Subject: NTP security - (was Any security issues with root's cron job?)
Message-ID: <20020706032916.35363.qmail@web10105.mail.yahoo.com>
In-Reply-To: <20020705161934.E259@numachi.com>
The way we skirt the issue of having our own secure source is to get our
border routers to poll a couple of servers on the internet and then the
servers can poll them. There are a number of possible attacks on this, but
we're not getting 20 grand for our own source anytime soon and at least this
way we can pin-hole the access-lists. And since we're running beefy border
routers, any DoS based on amount of traffic would be less likely to work.
I'm open to ideas.

--- Brian Reichert <reichert@numachi.com> wrote:

> On Sat, Jul 06, 2002 at 05:07:06AM +0900, Kim Okasawa wrote:
> > >From: Stephanie Wehner <_@r4k.net>
> > >To: Kim Okasawa <kimokasawa@hotmail.com>
> > >Subject: Re: Any security issues with root's cron job?
> > >Date: Wed, 3 Jul 2002 16:48:37 +0200
> > >
> > >Hi Kim,
> > >
> > > > Can anyone think of any potential security risks to such practice?
> > > > Any suggestions and comments are greatly appreciated. Thank you!
> > >
> > >Not from the cronjob directly, however why would you want to change
> > >your ipfw rule set according to time?
> > >
> > >What I would check in this case is how your machine keeps time,
> > >eg it must be rather accurate. Also, by getting timing information
> > >from a remote ntp server for example would then mean you place your
> > >firewall rules pretty much into their hands.
> >
> > Hi Stephanie:
> >
> > Good thinking. You are absolutely right! The time should be rather
> > accurate in order for this to function correctly. How about letting the
> > server run its own ntp service? Clients who want access to the server
> > would have to sync with it if necessary. But this means that the firewall
> > needs to open the ntp port and may create other problems.
>
> You don't _need_ a NTP server on your vault if you have access to
> one that you trust. I feel that most institutions should set up a
> peered set of stratum-3 servers, out of hand, and sync internal
> hosts to those; this cuts down on network traffic, if nothing else.
>
> (You could even force them to use your time server(s) via divert.)
>
> If your vault is to merely be an NTP client, then it will poll your
> time server(s); you can firewall out spoofed replies.
>
> If your time server is also to be a NTP server, then it will need
> to be able to serve requests from your LAN.
>
> These are both easily locked down via ipfw.
>
> > What I want is to create a virtual timed vault that only allows the
> > world to access certain services within a specific period of time. In
> > my case, some services/ports don't need to be available to the public
> > from 8PM-8AM. Closing those ports may mean fewer troubles.
> >
> > Any suggestion on how to deal with the ntp problem? Thanks.
> >
> > Best Regards,
> > Kim
>
> --
> Brian 'you Bastard' Reichert <reichert@numachi.com>
> 37 Crystal Ave. #303        Daytime number: (603) 434-6842
> Derry NH 03038-1713 USA     Intel architecture: the left-hand path

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
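Brian's point that a host which is only an NTP *client* can be locked down with ipfw, worked through as an added example (this is not code from the thread or from FreeBSD): a shell function that emits a FreeBSD ipfw ruleset letting the host poll only the named internal time servers, accepting replies only from those servers' port 123, and dropping every other NTP packet, with an anti-spoofing rule on the outside interface in front of it. The interface name, the LAN block and the server addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread.  Emits "ipfw add" lines for a host that
# is an NTP client of a few internal (peered stratum-3) servers and nothing
# else.  IF_EXT, LAN_NET and TIME_SERVERS are assumed placeholder values.

IF_EXT="${IF_EXT:-fxp0}"                           # assumed outside interface
LAN_NET="${LAN_NET:-10.0.0.0/8}"                   # assumed internal block
TIME_SERVERS="${TIME_SERVERS:-10.0.0.1 10.0.0.2}"  # assumed internal time servers

# ntp_client_rules: print the ruleset, one rule per line, lowest number first.
# Replies are accepted only from the servers we poll and only from their port
# 123, so a spoofed reply from any other address is dropped before it reaches
# ntpd; inbound polls from anyone are dropped by the final rule.
ntp_client_rules() {
    n=1000
    # anti-spoof: a packet claiming an internal source must never arrive on
    # the outside interface (this is what lets "from $srv" below be trusted)
    echo "ipfw add $n deny log ip from $LAN_NET to any in via $IF_EXT"
    n=$((n + 10))
    for srv in $TIME_SERVERS; do
        echo "ipfw add $n allow udp from me to $srv 123 out"
        n=$((n + 10))
        echo "ipfw add $n allow udp from $srv 123 to me in"
        n=$((n + 10))
    done
    # everything else on the NTP port, in either direction, is dropped
    echo "ipfw add $n deny log udp from any to any 123"
}

# count_rules: number of rules the set contains (handy for a sanity check
# before piping the output into /bin/sh on the firewall)
count_rules() { ntp_client_rules | wc -l | tr -d ' '; }
```

To load it, review the output and then run `ntp_client_rules | sh`; if the host must also *serve* time to the LAN, an extra allow rule for `udp from $LAN_NET to me 123 in` is needed ahead of the final deny.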