Frank,
It looks like you really don't want to open any hole in your firewall to
allow your DMZ hosts to talk to remote NTP servers, which is a really hard
situation, I would say.
-> If you allow DMZ hosts to connect to your FIREWALL, using it as an NTP server:
yes, it is possible for a host to act as NTP client and server at the same
time. (ntp/119)
-> You do rdate, which means you have to be running the time service on port tcp/37.
In both cases you have to allow DMZ hosts to connect (TCP/UDP) to the firewall.
In general people won't do that, assuming DMZ hosts are much more vulnerable,
and if somebody exploits those then they can be used against your firewall, as
a DMZ host can connect to the firewall (directly) on the above-mentioned port.
What I could think of in your case: place NTP servers in the DMZ itself, i.e. allow
DMZ servers to talk to external NTP servers (usually you need 3 external NTP
servers for reliable time sync; generally NTP servers are no big load on
servers). We generally do this to sync time on external routers.
Hope this helps.
Rajeev
On Friday 21 September 2001 12:22, Frank Neumann wrote:
> Hi folks,
>
> just wanted to know your opinion on how to synchronize the clocks of my
> DMZ servers.
> Assume we have a hierarchy of NTP servers in our internal net. I could
> imagine two scenarios:
>
> First) The firewall acts as an NTP client on its internal NIC and as an
> NTP server on its DMZ NIC (assuming the NTP software is capable of doing
> so).
> Second) The firewall acts as an NTP client on its internal NIC and the
> DMZ servers regularly (e.g. weekly) synchronize their clocks to the
> firewall's clock using rdate.
>
> Do you have any other ideas? What would you prefer?
>
> Thanks,
> Frank
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
--
********************************************************************
Rajeev Kumar ([EMAIL PROTECTED])
http://www.rajeevnet.com
********************************************************************
-- PGP PUBLIC KEY -- http://www.rajeevnet.com/crypto/mypubkey
********************************************************************
What's New on rajeevnet.com:
o Unix/Windows password Sync:
http://www.rajeevnet.com/linux/passwd_sync/passwd_sync.html
o Wonders of 'dd' and 'netcat' :: Cloning Operating Systems
http://www.rajeevnet.com/hacks_hints/os_clone/os_cloning.html
********************************************************************
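A worked version of the design recommended in the reply above (an NTP server inside the DMZ that is the only DMZ host allowed out to three upstream servers, with nothing in the DMZ permitted to reach the firewall's own NTP or time ports), as an added example that is not part of the original thread. Everything concrete in it is an assumption: a Linux firewall using iptables, 192.0.2.0/24 as the DMZ (documentation range), 192.0.2.10 as the DMZ NTP server, eth1 as the firewall's DMZ interface, and ntp1..3.example.net as placeholder upstream servers. The script only prints the iptables rules and the ntp.conf it would use; it applies nothing.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (does not apply)
# the firewall rules and the DMZ NTP server's ntp.conf for the
# "NTP server in the DMZ" design. All addresses, names and the interface
# below are assumed placeholders.

DMZ_NET="192.0.2.0"
DMZ_MASK="255.255.255.0"
DMZ_NTP="192.0.2.10"            # the one DMZ host allowed out on udp/123
DMZ_IF="eth1"                   # firewall's DMZ-side interface
UPSTREAM="ntp1.example.net ntp2.example.net ntp3.example.net"

# FORWARD rules: only the DMZ NTP host may reach the upstream servers on
# udp/123, and only their replies come back. There is deliberately no ACCEPT
# in INPUT: the DMZ never talks to the firewall itself, which is the concern
# raised in the reply above. Other DMZ hosts sync from $DMZ_NTP on the DMZ
# segment, so that traffic never crosses the firewall.
gen_ntp_rules() {
    for up in $UPSTREAM; do
        echo "iptables -A FORWARD -i $DMZ_IF -p udp -s $DMZ_NTP -d $up --dport 123 -j ACCEPT"
        echo "iptables -A FORWARD -o $DMZ_IF -p udp -s $up -d $DMZ_NTP --sport 123 --dport 123 -j ACCEPT"
    done
    # Explicitly refuse NTP and the rdate time service on the firewall's DMZ side.
    echo "iptables -A INPUT -i $DMZ_IF -p udp --dport 123 -j DROP"
    echo "iptables -A INPUT -i $DMZ_IF -p tcp --dport 37 -j DROP"
    # Everything else from the DMZ toward the firewall is dropped as well.
    echo "iptables -A INPUT -i $DMZ_IF -j DROP"
}

# ntp.conf for the DMZ NTP server: three upstream servers so one bad clock
# can be outvoted, ignore-by-default restrictions, and the DMZ subnet allowed
# to sync but not to modify or trap.
gen_ntp_conf() {
    echo "driftfile /etc/ntp.drift"
    echo "restrict default ignore"
    echo "restrict 127.0.0.1"
    for up in $UPSTREAM; do
        echo "server $up"
        echo "restrict $up nomodify notrap noquery"
    done
    echo "restrict $DMZ_NET mask $DMZ_MASK nomodify notrap"
}

# Number of upstream servers in the generated config (the reply suggests 3).
upstream_count() {
    gen_ntp_conf | grep -c '^server '
}

# Print both artifacts when run directly.
gen_ntp_rules
echo
echo "# ntp.conf for $DMZ_NTP"
gen_ntp_conf
```

The point of the rule set is the absence of any ACCEPT in INPUT from the DMZ interface: a compromised DMZ box gets no path to the firewall's own services, and the only outbound hole is one host, one protocol, three destinations.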