You really don't *NEED* NTP for the Ace server.  I myself don't run NTP.  I
do a 'ntpdate -d' to get the time differential, and then run a 'date -a' to
adjust the time if the difference is less than a few seconds.  NTP opens you
up to time-shifting attacks, and a possible system-wide denial of service
attack if it ever fails for a long period of time and the time shifts off
more than a minute and then all of a sudden NTP fixes the time.

But, on the other hand, having the correct time on the Ace server makes
investigations easier, and if you want to prosecute someone, is mandatory if
you want to submit the logs as evidence.

Note: GPS opens you up to a remote attack if someone has equipment to spoof
the signals.  The CA signal format is public knowledge.  The real signal is
already buried in the background noise.

-----Original Message-----
From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 11, 2000 11:12 AM
To: [EMAIL PROTECTED]
Cc: Ng, Kenneth (US); 'Sean Boyle'; Firewalls Mailing List
Subject: RE: Modems on Servers

[edit]

> Adding another layer may complicate matters:  With a SecurID token card
> authentication, one has to set up the ACE server, set up users, set up NTP
> since SecurID relies on a reliable clock in order to sync with the Token.

I've never had to set up NTP for an ACE server.  If I did, I'd probably
try to use GPS as the stratum-1 device.  If you've got good hardware,
clock drift shouldn't be an issue, especially if you mandate a test on a
regular basis so the server can sync to the token.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
 
PSB#9280
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. 

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.         
*****************************************************************************
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
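Added example, not part of the original messages: a sketch of the "measure with `ntpdate -d`, adjust only if the difference is small" routine from the reply above, with large offsets refused and left for investigation instead of corrected silently. The 3-second threshold, the function names, the server name in the usage comment and the sample output (constructed, using documentation address 192.0.2.10) are assumptions, as is the exact layout of the `ntpdate` summary line.

```shell
#!/bin/sh
# Added example: gate a manual clock correction on the measured offset.
# MAX_OFFSET (seconds) is an assumed stand-in for "a few seconds".
MAX_OFFSET=${MAX_OFFSET:-3}

# Read `ntpdate -d` output on stdin; print "adjust <off>" when the offset is
# small enough to slew, "refuse <off>" when it needs a human to look at it.
check_offset() {
    awk -v max="$MAX_OFFSET" '
        # Summary line: "... ntpdate[pid]: adjust time server IP offset N sec"
        /ntpdate.*: (adjust|step) time server/ {
            for (i = 1; i < NF; i++) if ($i == "offset") off = $(i + 1)
        }
        END {
            if (off == "") { print "error no-offset"; exit 2 }
            a = off + 0; if (a < 0) a = -a
            verdict = (a <= max + 0) ? "adjust" : "refuse"
            print verdict, off
        }'
}

# Constructed sample output: a sub-second drift.
sample_small() {
cat <<'EOF'
server 192.0.2.10, port 123
offset -0.481522
11 Oct 11:12:03 ntpdate[4242]: adjust time server 192.0.2.10 offset -0.481522 sec
EOF
}

# Constructed sample output: clock is off by more than a minute.
sample_large() {
cat <<'EOF'
server 192.0.2.10, port 123
offset 95.204118
11 Oct 11:12:03 ntpdate[4243]: step time server 192.0.2.10 offset 95.204118 sec
EOF
}

# Typical use on the host (hypothetical server name):
#   verdict=$(ntpdate -d ntp.example.net 2>/dev/null | check_offset)
#   case $verdict in
#     adjust*) date -a "${verdict#adjust }" ;;
#     *)       logger -p auth.warning "clock check: $verdict" ;;
#   esac
```

A "refuse" verdict is the case worth logging: a jump of that size either means the local clock has failed or the time source is wrong, and both matter for token authentication and for the evidentiary value of the logs.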