On 8/2/2010 5:52 PM, Ryan Malayter wrote:
> On Mon, Aug 2, 2010 at 12:27 PM, Terje Mathisen <"terje.mathisen at
> tmsw.no"@ntp.org> wrote:
>> unruh wrote:
>>>
>>> On 2010-08-02, konsu <[email protected]> wrote:
>>>>
>>>> Thanks for your answers. Actually I do not know what the criteria
>>>> are to consider in deciding time requirements. This is a bank, we will
>>>> deploy VoIP soon and we have some dealers connected to the Reuters
>>>> network {I am checking whether they have their own time sync}... so
>>>> for the rest, I do not see any reason why synchronization to the
>>>> internet would be an issue.
>>>
>>> Because financial transactions are often time sensitive. It would be
>>> embarrassing if your clocks were 7 hours off, and some crooks knew this.
>>> I suspect you could be thoroughly defrauded if that were the case.
>>
>> Much worse:
>>
>> If you have any kind of trading department, then it is almost certainly a
>> requirement to have an auditable UTC clock reference.
>
> Even if you don't have a trading desk, you are still likely bound by
> PCI requirements for servicing debit and credit card transactions.
> These apply to all systems within the card data environment (which is
> essentially everything that can access a system where card data is
> held, no matter how indirectly.) The relevant audit questions are in
> section 10.4:

Ryan, can you please quote the reference to this document? You didn't
include it. You also didn't state in what jurisdiction this is valid.

Thanks,
Danny

>
> 10.4 Synchronize all critical system clocks and times
> Obtain and review the process for acquiring and distributing the
> correct time within the organization, as well as the time-related
> system-parameter settings for a sample of system components, critical
> servers, and wireless access points. Verify the following is included
> in the process and implemented:
>
> 10.4.a Verify that NTP or similar technology is used for time synchronization
>
> 10.4.b Verify that internal servers are not all receiving time signals
> from external sources. [Two or three central time servers within the
> organization receive external time signals [directly from a special
> radio, GPS satellites, or other external sources based on
> International Atomic Time and UTC (formerly GMT)], peer with each
> other to keep accurate time, and share the time with other internal
> servers.]
>
> 10.4.c Verify that the Network Time Protocol (NTP) is running the most
> recent version
>
> 10.4.d Verify that specific external hosts are designated from which
> the time servers will accept NTP time updates (to prevent an attacker
> from changing the clock). Optionally, those updates can be encrypted
> with a symmetric key, and access control lists can be created that
> specify the IP addresses of client machines that will be provided with
> the NTP service (to prevent unauthorized use of internal time
> servers).
> See www.ntp.org for more information"
>
>> I suggest you do as Rob and David suggest, i.e. get yourself one or more
>> GPS-based Stratum 1 clocks, then define 4-6 primary servers which use
>> this/these GPS clocks plus a few internet servers as backup.
>
> Agreed. This is really a must-have for any financial services
> organization, and has been for a very long time. Once upon a time the
> mainframes dialed direct into NIST or USNO, but now internally
> managed, NTP-accessed GPS units (with redundancy) are all I have seen
> in the last decade.

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
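The 10.4.b and 10.4.d items quoted above (designated upstream hosts, optional symmetric-key authentication, an access list naming the clients) map directly onto ntpd's `server ... key`, `keys`/`trustedkey` and `restrict` directives. The script below is an added example, not part of the thread, the PCI DSS text or ntp.org's documentation: it embeds two constructed `ntp.conf` samples (the hostnames, key id and 10.0.0.0/8 client range are placeholders) and audits each one for those three points, returning a list of findings so the check can run against any real file.

```python
"""Audit an ntp.conf against the PCI DSS 10.4 items quoted in the thread:
time from specifically designated hosts (10.4.b/10.4.d), symmetric-key
authentication of those updates and an access-control list naming the
clients allowed to use the server (10.4.d). Both sample configurations are
constructed for this example; the hostnames and networks are placeholders."""

# Constructed sample: the default "it works" configuration, open to anyone.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
restrict default
"""

# Constructed sample: designated, authenticated sources and an explicit ACL.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
keys /etc/ntp/ntp.keys
trustedkey 10
# Only the designated sources, each authenticated with key 10 (10.4.d).
server gps-clock-1.example.internal key 10 iburst
server gps-clock-2.example.internal key 10 iburst
peer   ntp-core-2.example.internal key 10
# Deny everything by default, then list who may talk to this server.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1
# Replies from the designated sources must be let back in.
restrict gps-clock-1.example.internal nomodify notrap noquery
restrict gps-clock-2.example.internal nomodify notrap noquery
restrict ntp-core-2.example.internal nomodify notrap noquery
# Internal clients may request time and nothing else.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery
"""

SAFE_DEFAULT_FLAGS = {"nomodify", "nopeer", "noquery"}


def parse_directives(text):
    """Split an ntp.conf into token lists, one per directive, dropping
    comments and blank lines (ntp.conf is one directive per line)."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means every check passed.
    Limitations: 'trustedkey' ranges such as 1-10 are not expanded, and
    hostnames are not resolved."""
    findings = []
    directives = parse_directives(text)
    sources = [d for d in directives if d[0] in ("server", "peer", "pool")]
    trusted = set()
    has_keys_file = False
    default_restricts = []   # flag sets of each 'restrict [-6] default' line
    explicit_allows = 0      # restrict lines naming a host or network

    for d in directives:
        if d[0] == "keys":
            has_keys_file = True
        elif d[0] == "trustedkey":
            trusted.update(d[1:])
        elif d[0] == "restrict":
            args = d[2:] if len(d) > 1 and d[1] == "-6" else d[1:]
            if args and args[0] == "default":
                default_restricts.append(set(args[1:]))
            elif args and args[0] not in ("127.0.0.1", "::1"):
                explicit_allows += 1

    # 10.4.b / 10.4.d: updates only from specifically designated hosts,
    # and (optionally) authenticated with a trusted symmetric key.
    if not sources:
        findings.append("no time source configured")
    for d in sources:
        host = d[1] if len(d) > 1 else "?"
        if d[0] == "pool" or host.endswith("pool.ntp.org"):
            findings.append(f"{d[0]} {host}: rotating pool, not a designated host")
        elif "key" in d:
            pos = d.index("key") + 1
            key_id = d[pos] if pos < len(d) else None
            if key_id not in trusted:
                findings.append(f"{d[0]} {host}: key {key_id} is not a trustedkey")
        else:
            findings.append(f"{d[0]} {host}: updates are not authenticated")
    if any("key" in d for d in sources) and not has_keys_file:
        findings.append("sources reference a key but no 'keys' file is configured")

    # 10.4.d: an ACL must say which clients may use the server; the default
    # entry must at least refuse reconfiguration, peering and status queries.
    if not default_restricts:
        findings.append("no 'restrict default' line: the server answers anyone")
    for flags in default_restricts:
        if "ignore" not in flags and not SAFE_DEFAULT_FLAGS <= flags:
            findings.append("restrict default lacks ignore or nomodify/nopeer/noquery")
    if explicit_allows == 0:
        findings.append("no restrict entry names an allowed host or client network")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_ntp_conf(conf)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for f in result:
            print("  -", f)
```

The hardened sample follows the "deny by default, then allow explicitly" pattern: because `restrict default ignore` drops every packet, the designated upstream hosts need their own `restrict` entries or their replies would be discarded too, and the client range gets `nomodify notrap nopeer noquery` so internal machines can ask for time without reconfiguring, peering with or enumerating the server. Pool hostnames are flagged because they resolve to a rotating set of servers rather than a host the organization has designated.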
