[c-nsp] NTP network design considerations

harbor235 harbor235 at gmail.com
Fri Oct 14 14:41:45 EDT 2022


I hear what you're saying, but NTP is an active attack vector, I don't trust
outside resources implicitly and traffic segmentation is a prudent measure
especially if you are getting internet time. Now if you have your own
stratum 1 then I understand your point more.


Mike

On Fri, Oct 14, 2022 at 10:45 AM Gert Doering <gert at greenie.muc.de> wrote:

> Hi,
>
> On Fri, Oct 14, 2022 at 10:27:16AM -0400, harbor235 via cisco-nsp wrote:
> > How are you integrating NTP into your infrastructures? Is it part of your
> > management network(s)?
>
> NTP servers (appliances from Meinberg and regular FreeBSD servers, basically)
> are just sitting "on the Internet" and our machines sync to them, and
> monitor their relative times (= so if one is misbehaving, NTP will
> do the right thing on its own, and monitoring will tell us so we can
> fix it).
>
> The machines protect themselves by local iptables rules for SSH/https,
> and in-band by NTP access rules ("serve time to everyone, serve larger
> responses only to management systems, do not believe anyone").
>
> I've never understood this obsession on filtering things that are intended
> to be put out in the wild.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
>
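As an added example (not part of the thread, and not Gert's actual configuration), here is how the quoted policy "serve time to everyone, serve larger responses only to management systems, do not believe anyone" maps onto the `restrict` keywords of ISC ntpd's ntp.conf. The upstream hostnames and the management prefixes are placeholders; the weak variant is shown commented out next to the hardened one.

```conf
# Added example: ntpd ntp.conf sketch of the policy from the thread.
# Hostnames and prefixes are placeholders (documentation ranges), not real values.

# Upstream sources this host is allowed to believe (placeholder names).
server ntp1.example.net iburst
server ntp2.example.net iburst
server ntp3.example.net iburst

# WEAK (do not use): no restriction line at all. Anyone on the Internet can
# send mode 6/7 control queries (large responses, the classic amplification
# vector), set traps, change runtime settings, and mobilize a symmetric
# peer association with this host.
#restrict default

# HARDENED default for everyone else:
#  nopeer   - never mobilize an association from an unsolicited packet,
#             so no outsider can become a time source ("do not believe anyone")
#  noquery  - refuse ntpq/ntpdc control queries (the "larger responses")
#  nomodify - refuse runtime reconfiguration via ntpq/ntpdc
#  notrap   - refuse mode 6 trap service
#  kod      - answer clients that exceed the rate limit with kiss-o'-death
#  limited  - enforce the rate limit defined by 'discard'
# Ordinary mode 3 client time requests are still answered, so time is
# served to everyone.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Management systems may run ntpq against this server (no 'noquery'),
# but still cannot modify it or become a peer. Placeholder prefixes.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
restrict -6 2001:db8:10:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer

# Localhost keeps full access for local monitoring tools.
restrict 127.0.0.1
restrict ::1

# No extra line is needed for the upstream 'server' entries: 'nopeer' only
# blocks associations initiated by the remote side, not replies to the
# associations this host started itself.

# Rate-limit parameters used by 'limited' and 'kod'.
discard minimum 1 average 3
```

To check the effect from a host outside the management prefix, `ntpq -p <server>` should not return the peer list, while a plain time query such as `ntpdate -q <server>` still gets an answer; from inside the management prefix both work. On Cisco IOS the corresponding knobs are `ntp access-group serve-only <acl>` for the world and `ntp access-group query-only <acl>` or `serve <acl>` for the management ACL; the IOS syntax is from memory and should be verified against the platform's documentation.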

