[c-nsp] NTP network design considerations
Gert Doering
gert at greenie.muc.de
Fri Oct 14 10:45:34 EDT 2022
Hi,
On Fri, Oct 14, 2022 at 10:27:16AM -0400, harbor235 via cisco-nsp wrote:
> How are you integrating NTP into your infrastructures? Is it part of your
> management network(s)?
NTP servers (appliances from Meinberg and regular FreeBSD servers, basically)
are just sitting "on the Internet" and our machines sync to them, and
monitor their relative times (= so if one is misbehaving, NTP will
do the right thing on its own, and monitoring will tell us so we can
fix it).
The machines protect themselves by local iptables rules for SSH/https,
and in-band by NTP access rules ("serve time to everyone, serve larger
responses only to management systems, do not believe anyone").
I've never understood this obsession with filtering things that are intended
to be put out in the wild.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
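An added example, not part of the message above and not the poster's actual configuration: one way the in-band policy he describes could be written as `restrict` lines for the reference ntpd. The mapping of his three phrases to flags is an interpretation, and the management prefix 192.0.2.0/24 is a documentation placeholder.

```conf
# /etc/ntp.conf access rules (reference ntpd). Added illustration; the
# phrase-to-flag mapping is an interpretation of the post.

# "serve time to everyone": there is no "ignore" flag, so ordinary
#   client time requests from any address are answered.
# "serve larger responses only to management systems": noquery refuses
#   ntpq/ntpdc (mode 6/7) queries, whose replies can be much larger
#   than the request that triggered them.
# "do not believe anyone": nomodify blocks runtime reconfiguration,
#   nopeer blocks unsolicited associations, notrap refuses trap
#   registration.
restrict -4 default nomodify nopeer notrap noquery
restrict -6 default nomodify nopeer notrap noquery

# Management systems (placeholder prefix): status queries are allowed,
# but still no modification and no peering.
restrict 192.0.2.0 mask 255.255.255.0 nomodify nopeer notrap

# The local host keeps full access so ntpq works on the box itself.
restrict 127.0.0.1
restrict ::1
```

Running `ntpq -p` against the server from a host outside the management prefix should time out, while a plain time query from the same host still gets an answer.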