[c-nsp] NTP stratum 0 source

Sam Crooks scrooks at ebocom.net
Thu Jun 30 14:13:13 EDT 2005


On a 4th reading of the audit standard, I think that just a GPS-referenced clock would be OK.  It is not for clocking network sync signals, strictly for log data and system clock/calendar  accuracy.

Here's the audit testing requirements:

10.4 Obtain and review the process for getting and distributing the correct time within the organization. Also obtain and review related system parameter settings for the sample of (insert number and/or description of sample) system components. Verify the following is included in the process and implemented:
- NTP or similar technology is used for time synchronization.
- Two or three central time servers within the organization receive external time signals (directly from a special radio, GPS satellites, or other external sources—based on International Atomic Time and UTC (formerly GMT)), peer with each other to keep accurate time, and share the time with other internal servers (i.e., internal servers should not all be receiving time signals from external sources).
- NTP is running the most recent version.
- Specific external hosts are designated from which the time servers will accept NTP time updates (to prevent an attacker from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the NTP service (to prevent unauthorized use of internal time servers).
See www.ntp.org for more information


I interpret that as: minimum 1 ntp server from GPS or WWVB source, and minimum 2 from internet NTP server and/or GPS/WWVB source.



> -----Original Message-----
> From: Roy [mailto:garlic at garlic.com]
> Sent: Thursday, June 30, 2005 11:07 AM
> To: Sam Crooks
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] NTP stratum 0 source
> 
> 
> What sort of equipment you need depends on whether you want time of day
> or just timing pulses for clocking signals.
> 
> 
> >
> >
> >
> >>-----Original Message-----
> >>From: Sam Crooks [mailto:scrooks at ebocom.net]
> >>Posted At: Thursday, June 30, 2005 9:14 AM
> >>Posted To: Cisco List
> >>Conversation: NTP stratum 0 source
> >>Subject: [c-nsp] NTP stratum 0 source
> >>
> >>
> >>Does anybody have any recommendations on a provider of a stratum 0 clock
> >>to hook up to a stratum 1 server? I'm reading through an industry
> >>audit procedure, and it appears to be *required* now to run your own
> >>stratum 1 ntp servers
> >>
> >>
> >>
> >>Sam
> >>
> >>
> >>
> >
> 
> 
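Added example, not part of the original message or of the audit standard: a small Python check that reads the NTP lines of a Cisco IOS-style configuration and reports on the points of item 10.4 quoted above (designated sources, peering, optional symmetric-key authentication, client ACL). The sample configuration, addresses, key string and ACL number are constructed, and the parser assumes plain `ntp server <addr>` lines without a `vrf` keyword.

```python
# Constructed IOS-style NTP configuration for one internal time server.
# Addresses, key string and ACL number are placeholders, not real values.
SAMPLE_CONFIG = """\
ntp authentication-key 1 md5 EXAMPLE-KEY
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11
ntp peer 10.0.0.2 key 1
ntp access-group serve-only 10
access-list 10 permit 10.0.0.0 0.255.255.255
"""

def audit_ntp(config: str) -> dict:
    """Check the NTP lines of a config against the points of audit item 10.4."""
    servers, peers = [], []            # (address, key id or None)
    defined, trusted = set(), set()    # key ids seen in the config
    authenticate = False
    access_groups = []                 # (mode, acl)
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] != ["ntp"] or len(tok) < 2:
            continue
        kind, args = tok[1], tok[2:]
        if kind in ("server", "peer") and args:
            # Assumption: the address is the first argument (no "vrf" keyword).
            key = args[args.index("key") + 1] if "key" in args[:-1] else None
            (servers if kind == "server" else peers).append((args[0], key))
        elif kind == "authentication-key" and args:
            defined.add(args[0])
        elif kind == "trusted-key" and args:
            trusted.add(args[0])
        elif kind == "authenticate":
            authenticate = True
        elif kind == "access-group" and len(args) >= 2:
            access_groups.append((args[0], args[1]))
    # A key only protects an association if it is defined, trusted,
    # and authentication is switched on globally.
    usable = defined & trusted if authenticate else set()
    return {
        "designated_sources": [a for a, _ in servers],
        "peers": [a for a, _ in peers],
        # Symmetric-key authentication is optional in 10.4, so this is a report.
        "unauthenticated_associations": [a for a, k in servers + peers if k not in usable],
        "client_acl_applied": any(m in ("serve", "serve-only") for m, _ in access_groups),
    }
```
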


