Why not just set it up on your existing server or servers and only let the traffic on
port 123 out? Do not let any connection inbound to this server on any port other than
what is needed. People will not query your server from outside, so deny it. Allow the LAN to
query port 123 to the DMZ in the firewall so clients on the inside can get the correct time.

-----Original Message-----
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Tue 3/11/2003 8:32 PM
To: [EMAIL PROTECTED]
Cc:
Subject: NTP recommendations
I am currently looking into configuring my company's time servers. My initial
thoughts were setting up two or three in the DMZ and configuring them to update their
time on a regular basis (haven't defined regular yet) and then installing two or three
internal time servers that query these servers. I currently have a web server, reverse
proxy, FTP (blush embarrassed - going to be getting rid of THIS real soon), email,
IDS, and two DNS servers in the DMZ. Someone has recommended configuring three of
these servers (web, DNS, and email) as time servers. At first, I say - huh - no.
That would mean opening up two ports on each box and having a new set of potential
problems if I miss anything. But I am not an expert, so I head to Google searches and
you for guidance. Could anyone tell me their configuration or recommend a "good"
configuration for company time servers?
Thank you
Jenn
P.S. If anyone is at SANS 2003, ping me if you are in track 3 :)
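
The firewall policy suggested in the reply at the top of this thread, written out as an added example that is not part of either message: a ruleset in iptables-restore format for a firewall routing between the Internet, the DMZ and the LAN. The interface names (eth0, eth1, eth2), the addresses and the single DMZ time server are assumptions chosen for illustration.

```iptables
# Constructed example. Assumed layout:
#   eth0 = Internet, eth1 = DMZ, eth2 = LAN
#   192.0.2.10 = DMZ time server (documentation address), 10.0.0.0/8 = LAN
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# The firewall host itself: loopback and replies only.
# Management access rules are site-specific and omitted here.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Return traffic for flows permitted by the rules below.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# DMZ time server -> upstream NTP servers: outbound UDP 123 only.
-A FORWARD -i eth1 -o eth0 -s 192.0.2.10 -p udp --dport 123 -j ACCEPT

# LAN clients -> DMZ time server: UDP 123 only.
-A FORWARD -i eth2 -o eth1 -s 10.0.0.0/8 -d 192.0.2.10 -p udp --dport 123 -j ACCEPT

# NTP queries arriving from the Internet are never forwarded. Log them
# (rate-limited) before the default DROP policy discards the packet.
-A FORWARD -i eth0 -p udp --dport 123 -m limit --limit 6/min -j LOG --log-prefix "ntp-inbound-drop: "
COMMIT
```

Because the FORWARD policy is DROP, nothing else reaches the time server from outside. Upstream replies are admitted only as ESTABLISHED return traffic for queries the server itself sent.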