On Mon, Aug 2, 2010 at 12:27 PM, Terje Mathisen <"terje.mathisen at tmsw.no"@ntp.org> wrote:
> unruh wrote:
>> On 2010-08-02, konsu <[email protected]> wrote:
>>> Thanks for your answers. Actually I do not know what are the criteria
>>> to consider in deciding time requirements. This is a bank, we will
>>> deploy VOIP soon and we have some dealers connected to the Reuters
>>> network {I am checking whether they have their own time sync}... so
>>> for the rest, I do not see any reason why synchronization to the
>>> internet would be an issue.
>>
>> Because financial transactions are often time sensitive. It would be
>> embarrassing if your clocks were 7 hours off, and some crooks knew this.
>> I suspect you could be thoroughly defrauded if that were the case.
>
> Much worse:
>
> If you have any kind of trading department, then it is almost certainly a
> requirement to have an auditable UTC clock reference.
Even if you don't have a trading desk, you are still likely bound by PCI requirements for servicing debit and credit card transactions. These apply to all systems within the card data environment (which is essentially everything that can access a system where card data is held, no matter how indirectly). The relevant audit questions are in section 10.4:

"10.4 Synchronize all critical system clocks and times

Obtain and review the process for acquiring and distributing the correct time within the organization, as well as the time-related system-parameter settings for a sample of system components, critical servers, and wireless access points. Verify the following is included in the process and implemented:

10.4.a Verify that NTP or similar technology is used for time synchronization

10.4.b Verify that internal servers are not all receiving time signals from external sources. [Two or three central time servers within the organization receive external time signals [directly from a special radio, GPS satellites, or other external sources based on International Atomic Time and UTC (formerly GMT)], peer with each other to keep accurate time, and share the time with other internal servers.]

10.4.c Verify that the Network Time Protocol (NTP) is running the most recent version

10.4.d Verify that specific external hosts are designated from which the time servers will accept NTP time updates (to prevent an attacker from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the NTP service (to prevent unauthorized use of internal time servers). See www.ntp.org for more information"

> I suggest you do as Rob and David suggest, i.e. get yourself one or more
> GPS-based Stratum 1 clocks, then define 4-6 primary servers which use
> this/these GPS clocks plus a few internet servers as backup.

Agreed.
This is really a must-have for any financial services organization, and has been for a very long time. Once upon a time the mainframes dialed direct into NIST or USNO, but now internally managed, NTP-accessed GPS units (with redundancy) are all I have seen in the last decade.

--
RPM

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
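The 10.4.b and 10.4.d items quoted above map onto a handful of ntp.conf directives. What follows is an added example for one of the internal primary servers in the GPS-plus-peers layout the thread recommends, written in reference ntpd (4.2.8) syntax; it is not a configuration from the original post, from the bank in question, or from the ntp.org project. The hostnames, the key number, the 10.0.0.0/8 client range and the RFC 5737 documentation addresses are placeholders standing in for the site's own values. One caveat on the PCI wording: an NTP symmetric key produces a MAC that authenticates each packet, it does not encrypt the time data; that is sufficient for the "prevent an attacker from changing the clock" goal.

```conf
# /etc/ntp.conf for an internal primary (stratum 1) time server.
# Added example, not from the original thread. Addresses are RFC 5737
# documentation ranges and 10.0.0.0/8; hostnames and key numbers are
# assumptions standing in for the site's own.

driftfile /var/lib/ntp/ntp.drift

# 10.4.d: symmetric-key authentication between the internal servers.
# /etc/ntp.keys holds lines of the form "<keyno> SHA1 <key>" (generate
# with ntp-keygen -M). Only key numbers listed in trustedkey are honoured,
# and a packet carrying a bad or missing MAC from a keyed source is dropped.
keys /etc/ntp.keys
trustedkey 1

# 10.4.b: local GPS reference clock via the NMEA driver (127.127.20.u,
# unit 0 reads /dev/gps0). Only the two or three primary servers carry
# this stanza; everything else gets time from them.
server 127.127.20.0 mode 1 minpoll 4 maxpoll 4 prefer
fudge  127.127.20.0 refid GPS

# 10.4.b: the primaries peer with each other, authenticated with key 1,
# so a single failed receiver does not take the site off UTC.
peer 192.0.2.11 key 1 iburst   # ntp1.corp.example (assumed)
peer 192.0.2.12 key 1 iburst   # ntp2.corp.example (assumed)

# 10.4.d: backup sources are a small, explicitly designated set of
# external hosts, never a pool name. These are unauthenticated, so they
# only win selection if the GPS and the peers are both lost.
server 198.51.100.5 iburst     # time-a.external.example (assumed)
server 203.0.113.9  iburst     # time-b.external.example (assumed)

# 10.4.d: access control list. Start from "deny everything"; the most
# specific matching restrict entry wins, so order does not matter.
restrict -4 default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1

# The configured sources above may send us time, but may not modify the
# daemon, set traps or query state.
restrict source nomodify notrap noquery

# Internal clients in 10.0.0.0/8 get time service only: no runtime
# modification (nomodify), no traps (notrap), no symmetric-active
# peering (nopeer), no ntpq/ntpdc status queries (noquery).
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery

# One monitoring host (assumed) may run ntpq -p against this server.
restrict 10.0.0.50 nomodify notrap nopeer

# Defence in depth: never answer monlist, which older builds (before
# 4.2.7p26) served to anyone and which was abused as a DDoS amplifier.
disable monitor
```

On the secondary internal servers, drop the GPS and peer stanzas and point `server 192.0.2.11 key 1 iburst` (and the other primaries) at the primaries instead. To verify, `ntpq -p` should show the GPS with a `*` and a reach of 377 on each primary, and `ntpq -c associations` should report `auth` as `ok` for every keyed source; a client outside 10.0.0.0/8 should simply get no reply, and a client inside it should get time but a timeout from `ntpq -p <server>`.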
