Date: Fri, 5 Jul 2002 22:41:26 -0600
From: "David G . Andersen" <danderse@cs.utah.edu>
To: twig les <twigles@yahoo.com>
Cc: Brian Reichert <reichert@numachi.com>, Kim Okasawa <kimokasawa@hotmail.com>, _@r4k.net, freebsd-security@FreeBSD.ORG
Subject: Re: NTP security - (was Any security issues with root's cron job?)
Message-ID: <20020705224126.A23004@cs.utah.edu>
In-Reply-To: <20020706032916.35363.qmail@web10105.mail.yahoo.com>; from twigles@yahoo.com on Fri, Jul 05, 2002 at 08:29:16PM -0700
References: <20020705161934.E259@numachi.com> <20020706032916.35363.qmail@web10105.mail.yahoo.com>
twig les just mooed:
> The way we skirt the issue of having our own secure
> source is to get our border routers to poll a couple
> of servers on the internet and then the servers can
> poll them. There are a number of possible attacks on
> this, but we're not getting 20 grand for our own
> source anytime soon and at least this way we can
> pin-hole the access-lists. And since we're running
> beefy border routers, any DoS based on amount of
> traffic would be less likely to work.
>
> I'm open to ideas.

20 grand? Fear that. If you go for a cheap-o solution, you can do it for ~$400. If you want a plug-and-go solution, I'd suggest:

- For about $1000, buy a Praecis Ct from EndRun Technologies
  http://www.endruntechnologies.com/
  I have about 15 of them deployed right now. They pick GPS time from the CDMA cellular network. You can get 10 microsecond time inside of most machine rooms, without an external antenna. (If your cell phone works there, this probably will.) US only. Emulates a Trimble Palisade, plays very well with ntpd, requires no kernel changes.

- For less than that, buy an Oncore UT+ eval kit from Synergy GPS
  (http://www.synergy-gps.com/)
  You want the UT+, not the other models, because this one's optimized for timekeeping. Has all the features you'll want, plays well with ntpd. For best results, requires
      options PPS_SYNC
  Works worldwide, requires antenna placement with a decent view of the sky. Once it's found itself, though, the UT+ can keep time with very few satellites, a definite bonus.

I have several of each of these in a "production" network (well, a production distributed testbed), and I really like them both. The UT+ took a bit more work to set up, but if you get one, send me a note, and I'll mail you the configuration stuff. It's really quite simple overall. The EndRun boxes simply kick butt for use in the US.

With all of these, however, you'll still want to peer with some external timeservers as a sanity check.
I've had one occurrence when the cellular network was broadcasting bad time. It was fixed within an hour of when I reported it (it breaks hand-off), and Verizon said it was the only one of their cellular towers that was off, but it does happen. If you're doubly paranoid, do said sanity checking with a source that'll do authentication with you.

  -Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science      http://www.angio.net/
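An ntp.conf sketch of the setup Dave describes, added here as an illustration; it is not from his message nor from EndRun or Synergy documentation. It puts a local GPS reference clock first, keeps a couple of external servers as the sanity check, and requires symmetric-key authentication on one of them so that a single misbehaving upstream (like the one cell tower above) cannot silently steer the clock. ntpd's Trimble Palisade driver is reference-clock type 29 and its Motorola Oncore driver is type 30, which is why the pseudo-addresses use those numbers; the unit numbers, hostnames, network ranges and key material are placeholders.

```conf
# /etc/ntp.conf -- illustrative configuration, not from the message above.
# Unit numbers, hostnames, address ranges and key values are placeholders.

driftfile /var/db/ntp.drift

# Local reference clock: EndRun Praecis Ct. It emulates a Trimble Palisade,
# so ntpd talks to it through the Palisade driver (refclock type 29).
# "prefer" makes it the source ntpd settles on when several sources agree.
server 127.127.29.0 prefer
fudge  127.127.29.0 refid CDMA

# Alternative: Motorola Oncore UT+ through the Oncore driver (refclock type 30).
# For best results the kernel needs "options PPS_SYNC", as noted above.
# server 127.127.30.0 prefer
# fudge  127.127.30.0 refid GPS

# External sanity check: a couple of servers that do not share the local
# clock's failure modes. Placeholder hostnames.
server ntp1.example.net iburst
server ntp2.example.net iburst key 1

# Symmetric-key (MD5) authentication for the second external source.
# /etc/ntp.keys holds one line per key, e.g.   1 M placeholder-shared-secret
# and must be readable by ntpd only.
keys /etc/ntp.keys
trustedkey 1

# Serve time to the local networks only; nobody may modify state, set traps,
# query internals, or form unauthenticated peer associations with this host.
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap noquery
```

With the reference clock marked `prefer` and the external servers present, `ntpq -p` shows whether the local source and the outside world agree; a large, persistent offset on the preferred source while the external servers cluster together is exactly the "cellular network broadcasting bad time" case, and the authenticated server gives a source whose answers an on-path party cannot substitute without the key.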