From owner-freebsd-security Fri Jul 5 20:29:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D33EA37B400 for ; Fri, 5 Jul 2002 20:29:16 -0700 (PDT)
Received: from web10105.mail.yahoo.com (web10105.mail.yahoo.com [216.136.130.55]) by mx1.FreeBSD.org (Postfix) with SMTP id 940F543E09 for ; Fri, 5 Jul 2002 20:29:16 -0700 (PDT) (envelope-from twigles@yahoo.com)
Message-ID: <20020706032916.35363.qmail@web10105.mail.yahoo.com>
Received: from [68.5.49.41] by web10105.mail.yahoo.com via HTTP; Fri, 05 Jul 2002 20:29:16 PDT
Date: Fri, 5 Jul 2002 20:29:16 -0700 (PDT)
From: twig les
Subject: NTP security - (was Any security issues with root's cron job?)
To: Brian Reichert , Kim Okasawa
Cc: _@r4k.net, freebsd-security@freebsd.org
In-Reply-To: <20020705161934.E259@numachi.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

The way we skirt the issue of having our own secure source is to get our
border routers to poll a couple of servers on the internet, and then the
servers can poll them. There are a number of possible attacks on this, but
we're not getting 20 grand for our own source anytime soon, and at least
this way we can pin-hole the access-lists. And since we're running beefy
border routers, any DoS based on amount of traffic would be less likely to
work. I'm open to ideas.

--- Brian Reichert wrote:
> On Sat, Jul 06, 2002 at 05:07:06AM +0900, Kim Okasawa wrote:
> > > From: Stephanie Wehner <_@r4k.net>
> > > To: Kim Okasawa
> > > Subject: Re: Any security issues with root's cron job?
> > > Date: Wed, 3 Jul 2002 16:48:37 +0200
> > >
> > > Hi Kim,
> > >
> > > > Can anyone think of any potential security risks to such practice?
> > > > Any suggestions and comments are greatly appreciated. Thank you!
> > >
> > > Not from the cronjob directly, however why would you want to change
> > > your ipfw rule set according to time?
> > >
> > > What I would check in this case is how your machine keeps time,
> > > e.g. it must be rather accurate. Also, getting timing information
> > > from a remote ntp server, for example, would then mean you place your
> > > firewall rules pretty much into their hands.
> >
> > Hi Stephanie:
> >
> > Good thinking. You are absolutely right! The time should be rather
> > accurate in order for this to function correctly. How about letting the
> > server run its own ntp service? Clients who want access to the server
> > would have to sync with it if necessary. But this means that the firewall
> > needs to open the ntp port and may create other problems.
>
> You don't _need_ an NTP server on your vault if you have access to
> one that you trust. I feel that most institutions should set up a
> peered set of stratum-3 servers, out of hand, and sync internal
> hosts to those; this cuts down on network traffic, if nothing else.
>
> (You could even force them to use your time server(s) via divert.)
>
> If your vault is to merely be an NTP client, then it will poll your
> time server(s); you can firewall out spoofed replies.
>
> If your time server is also to be an NTP server, then it will need
> to be able to serve requests from your LAN.
>
> These are both easily locked down via ipfw.
>
> > What I want is to create a virtual timed vault that only allows the world
> > access to certain services within a specific period of time. In my case,
> > some services/ports don't need to be available to the public from 8PM-8AM.
> > Closing those ports may mean less trouble.
> >
> > Any suggestion on how to deal with the ntp problem? Thanks.
> >
> > Best Regards,
> > Kim
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> Brian 'you Bastard' Reichert
> 37 Crystal Ave. #303, Derry NH 03038-1713 USA
> Daytime number: (603) 434-6842
> Intel architecture: the left-hand path

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
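The two ipfw cases Brian sketches above (a vault that is only an NTP client of a trusted internal server, and the internal time server that polls the border routers and answers the LAN), written out as an added example. This is not code from the thread or from any of its posters. The interface name fxp0, the LAN 10.1.0.0/16, the time server 10.1.0.5 and the border router 10.1.0.1 are placeholders, the rules use the stateless ipfw syntax of the FreeBSD 4.x era, and `audit_rules` and `load_rules` are helpers written for this example. ntpd sends its queries from udp/123 and takes replies on udp/123, so the client rules pin both ends to that port. One caveat a practitioner should keep in mind: "firewalling out spoofed replies" here means rejecting packets that carry the time server's address but arrive on the outside interface; a reply forged on the LAN segment itself is not stopped by address filtering, which is why the peered internal servers still matter.

```shell
#!/bin/sh
# Added example, not from the original thread: ipfw rules for an NTP-only
# "vault" host and for the internal stratum-3 time server.
# Addresses and the interface name below are assumptions for illustration.
# By default the rules are only printed for review; run with FWCMD=ipfw
# (as root) to load them.

FWCMD="${FWCMD:-echo ipfw}"          # dry run unless overridden; word-split on purpose
EXT_IF="${EXT_IF:-fxp0}"             # assumed outside interface
LAN_NET="${LAN_NET:-10.1.0.0/16}"    # assumed internal network
TIME_SRV="${TIME_SRV:-10.1.0.5}"     # assumed internal stratum-3 server
BORDER_RTR="${BORDER_RTR:-10.1.0.1}" # assumed border router the server syncs from

# Vault host: it is an NTP client of TIME_SRV and of nobody else.
ntp_client_rules() {
    base=${1:-1000}
    # A packet claiming TIME_SRV's address must never come in on the outside
    # interface; this is the spoofed-reply case.
    $FWCMD add $((base + 0)) deny log udp from "$TIME_SRV" to any in via "$EXT_IF"
    # ntpd queries from udp/123 and expects the reply on udp/123.
    $FWCMD add $((base + 1)) allow udp from me 123 to "$TIME_SRV" 123 out
    $FWCMD add $((base + 2)) allow udp from "$TIME_SRV" 123 to me 123 in
    # Nothing else may talk to or from our NTP port.
    $FWCMD add $((base + 3)) deny log udp from any to me 123
    $FWCMD add $((base + 4)) deny log udp from me 123 to any
}

# Time server: polls BORDER_RTR upstream, serves LAN_NET, ignores the rest.
ntp_server_rules() {
    base=${1:-2000}
    # Anti-spoof: nothing with a LAN source address may enter from outside.
    $FWCMD add $((base + 0)) deny log ip from "$LAN_NET" to any in via "$EXT_IF"
    # Upstream: our own queries to the border router and its replies.
    $FWCMD add $((base + 1)) allow udp from me 123 to "$BORDER_RTR" 123 out
    $FWCMD add $((base + 2)) allow udp from "$BORDER_RTR" 123 to me 123 in
    # Downstream: LAN clients may query us. Source port is left open because
    # ntpd uses 123 but ntpdate -u uses an unprivileged port.
    $FWCMD add $((base + 3)) allow udp from "$LAN_NET" to me 123 in
    $FWCMD add $((base + 4)) allow udp from me 123 to "$LAN_NET" out
    # Everything else on udp/123, Internet clients included, is dropped and logged.
    $FWCMD add $((base + 5)) deny log udp from any to me 123
    $FWCMD add $((base + 6)) deny log udp from me 123 to any
}

# Refuse a rule set in which any allow rule names "any" as source or
# destination, so a blank or mistyped variable cannot open udp/123 wide.
# Reads rule lines on stdin; returns 0 if clean, 1 otherwise.
audit_rules() {
    if grep -E 'allow .*(from any|to any)' >/dev/null; then
        echo "refusing: rule set allows NTP to or from any" >&2
        return 1
    fi
    return 0
}

# Generate both rule sets, audit them, then hand each line to $FWCMD.
load_rules() {
    rules=$(FWCMD=echo; ntp_client_rules 1000; ntp_server_rules 2000)
    printf '%s\n' "$rules" | audit_rules || return 1
    printf '%s\n' "$rules" | while IFS= read -r args; do
        $FWCMD $args
    done
}

# Running the script directly prints (or, with FWCMD=ipfw, loads) the rules.
[ "${0##*/}" = "ntp_ipfw.sh" ] && load_rules
```

On the host side, ntpd's own `restrict` lines are the second layer: `restrict default ignore` followed by `restrict 10.1.0.5 nomodify notrap noquery` and `restrict 127.0.0.1` lets the vault accept time from its one server while refusing everything else at the daemon, so the firewall and ntpd fail closed independently.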