Date: Fri, 5 Jul 2002 22:41:26 -0600
From: "David G. Andersen" <danderse@cs.utah.edu>
To: twig les <twigles@yahoo.com>
Cc: Brian Reichert <reichert@numachi.com>, Kim Okasawa <kimokasawa@hotmail.com>, _@r4k.net, freebsd-security@FreeBSD.ORG
Subject: Re: NTP security - (was Any security issues with root's cron job?)
Message-ID: <20020705224126.A23004@cs.utah.edu>
In-Reply-To: <20020706032916.35363.qmail@web10105.mail.yahoo.com>; from twigles@yahoo.com on Fri, Jul 05, 2002 at 08:29:16PM -0700
References: <20020705161934.E259@numachi.com> <20020706032916.35363.qmail@web10105.mail.yahoo.com>
twig les just mooed:
> The way we skirt the issue of having our own secure
> source is to get our border routers to poll a couple
> of servers on the internet and then the servers can
> poll them. There are a number of possible attacks on
> this, but we're not getting 20 grand for our own
> source anytime soon and at least this way we can
> pin-hole the access-lists. And since we're running
> beefy border routers, any DoS based on amount of
> traffic would be less likely to work.
>
> I'm open to ideas.
20 grand? Fear that. If you go for a cheap-o solution, you
can do it for ~$400. If you want a plug-and-go solution, I'd
suggest:
- For about $1000, buy a Praecis Ct from EndRun Technologies
  http://www.endruntechnologies.com/
  I have about 15 of them deployed right now. They pick
  GPS time from the CDMA cellular network. You can get 10 microsecond
  time inside of most machine rooms, without an external antenna.
  (If your cell phone works there, this probably will).
  US only.
  Emulates a Trimble Palisade, plays very well with ntpd,
  requires no kernel changes.
- For less than that, buy an Oncore UT+ eval kit from
  Synergy GPS (http://www.synergy-gps.com/)
  You want the UT+, not the other models, because this one's
  optimized for timekeeping. Has all the features you'll want,
  plays well with ntpd.
  For best results, requires
      options PPS_SYNC
  Works worldwide, requires antenna placement with a decent view
  of the sky. Once it's found itself, though, the UT+ can keep
  time with very few satellites, a definite bonus.
I have several of each of these in a "production" network (well,
a production distributed testbed), and I really like them both.
The UT+ took a bit more work to set up, but if you get one, send
me a note, and I'll mail you the configuration stuff. It's really
quite simple overall. The EndRun boxes simply kick butt for use
in the US.
With all of these, however, you'll still want to peer with some
external timeservers as a sanity check. I've had one occurrence
when the cellular network was broadcasting bad time. It was
fixed within an hour of when I reported it (it breaks hand-off),
and Verizon said it was the only one of their cellular towers that
was off, but it does happen.
If you're doubly paranoid, do said sanity checking with a source
that'll do authentication with you.
-Dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
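The sanity check Dave describes (a local CDMA/GPS refclock cross-checked against external peers) can be scripted over `ntpq -pn` output; the snippet below is an added example, not code from the mail or the FreeBSD project. Offsets in `ntpq` output are measured against the local clock, so when ntpd is following a refclock that is handing out bad time, the external peers all show a similar large offset; the 100 ms threshold, the peer addresses and the sample output are constructed assumptions.

```python
from statistics import median

# Constructed sample of `ntpq -pn`: one CDMA refclock (type 'l', Palisade
# emulation) that ntpd is synced to ('*'), plus three external peers.
NTPQ_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*GPS_PALISADE(0)  .GPS.            0 l   12   16  377    0.000    0.021   0.004
+192.0.2.10       .GPS.            1 u   34   64  377   12.345    0.120   0.310
+192.0.2.11       .PPS.            1 u   40   64  377   15.001   -0.050   0.220
+198.51.100.7     .GPS.            1 u   50   64  377   20.330    0.080   0.400
"""

# Same peers, but now the cellular network is broadcasting time ~350 ms off:
# the refclock still reads fine locally while every external peer disagrees.
NTPQ_BAD = (NTPQ_OK.replace("0.120", "348.900")
                   .replace("-0.050", "351.200")
                   .replace("0.080", "349.700"))


def parse_ntpq(text):
    """Return one dict per peer line; the header, the '=' rule and blanks are skipped."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue
        fields = line[1:].split()          # column 0 is the tally character
        if len(fields) != 10:
            continue
        peers.append({
            "tally": line[0],
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "type": fields[3],             # 'l' local refclock, 'u' unicast peer
            "reach": fields[6],
            "offset_ms": float(fields[8]),
        })
    return peers


def refclock_sanity(text, max_divergence_ms=100.0, min_external=2):
    """Return (ok, detail). ok is False when the reachable external peers agree on an
    offset larger than max_divergence_ms, i.e. the local refclock is the odd one out."""
    peers = parse_ntpq(text)
    local = [p for p in peers if p["type"] == "l"]
    external = [p for p in peers if p["type"] == "u" and p["reach"] == "377"]
    if not local:
        return False, "no local reference clock in peer list"
    if len(external) < min_external:
        return False, "too few reachable external peers for a sanity check"
    consensus = median(p["offset_ms"] for p in external)
    if abs(consensus) > max_divergence_ms:
        return False, f"external consensus offset {consensus:.1f} ms; refclock {local[0]['remote']} suspect"
    return True, f"refclock agrees with external peers within {abs(consensus):.1f} ms"
```

Run it from cron against live `ntpq -pn` output and alert on a False result; a refclock that simply loses signal shows up differently (its reach drops), so this check is specifically for the "wrong but confident" case.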
