From owner-freebsd-security Fri Jul 5 21:41:44 2002
Date: Fri, 5 Jul 2002 22:41:26 -0600
From: "David G . Andersen"
To: twig les
Cc: Brian Reichert, Kim Okasawa, _@r4k.net, freebsd-security@FreeBSD.ORG
Subject: Re: NTP security - (was Any security issues with root's cron job?)
Message-ID: <20020705224126.A23004@cs.utah.edu>
References: <20020705161934.E259@numachi.com> <20020706032916.35363.qmail@web10105.mail.yahoo.com>
In-Reply-To: <20020706032916.35363.qmail@web10105.mail.yahoo.com>; from twigles@yahoo.com on Fri, Jul 05, 2002 at 08:29:16PM -0700

twig les just mooed:
> The way we skirt the issue of having our own secure
> source is to get our border routers to poll a couple
> of servers on the internet and then the servers can
> poll them. There are a number of possible attacks on
> this, but we're not getting 20 grand for our own
> source anytime soon and at least this way we can
> pin-hole the access-lists. And since we're running
> beefy border routers, any DoS based on amount of
> traffic would be less likely to work.
>
> I'm open to ideas.

20 grand? Fear that. If you go for a cheap-o solution, you can do it
for ~$400. If you want a plug-and-go solution, I'd suggest:

- For about $1000, buy a Praecis Ct from EndRun Technologies
  http://www.endruntechnologies.com/
  I have about 15 of them deployed right now. They pick GPS time from
  the CDMA cellular network. You can get 10 microsecond time inside of
  most machine rooms, without an external antenna. (If your cell phone
  works there, this probably will.) US only. Emulates a Trimble
  Palisade, plays very well with ntpd, requires no kernel changes.

- For less than that, buy an Oncore UT+ eval kit from Synergy GPS
  (http://www.synergy-gps.com/)
  You want the UT+, not the other models, because this one's optimized
  for timekeeping. Has all the features you'll want, plays well with
  ntpd. For best results, requires "options PPS_SYNC". Works worldwide,
  requires antenna placement with a decent view of the sky. Once it's
  found itself, though, the UT+ can keep time with very few satellites,
  a definite bonus.

I have several of each of these in a "production" network (well, a
production distributed testbed), and I really like them both. The UT+
took a bit more work to set up, but if you get one, send me a note, and
I'll mail you the configuration stuff. It's really quite simple
overall. The EndRun boxes simply kick butt for use in the US.

With all of these, however, you'll still want to peer with some
external timeservers as a sanity check. I've had one occurrence when
the cellular network was broadcasting bad time. It was fixed within an
hour of when I reported it (it breaks hand-off), and Verizon said it was
the only one of their cellular towers that was off, but it does happen.
If you're doubly paranoid, do said sanity checking with a source
that'll do authentication with you.

-Dave

--
work: dga@lcs.mit.edu   me: dga@pobox.com
MIT Laboratory for Computer Science   http://www.angio.net/
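As an added example (not from Dave's post, and not EndRun's or Synergy's own configuration), here is an ntp.conf fragment that wires the two reference clocks he describes together with the authenticated external servers he recommends as a sanity check. Driver 29 (Trimble Palisade, which the Praecis Ct emulates) and driver 30 (Motorola Oncore) are the reference ntpd refclock driver numbers; the hostnames ntp1.example.net and ntp2.example.net, the key ids, and the refid strings are placeholders chosen for this example, and the key file path is the conventional one.

```conf
# Added example ntp.conf for a host with both local reference clocks
# plus authenticated external servers as a cross-check.

# EndRun Praecis Ct in Trimble Palisade emulation: driver 29.
# Serial port is expected at /dev/palisade0. No kernel changes needed.
server 127.127.29.0 prefer
fudge  127.127.29.0 refid CDMA      # refid string is a placeholder

# Motorola Oncore UT+: driver 30. Expects /dev/oncore.serial.0 and
# /dev/oncore.pps.0 links; the PPS path needs "options PPS_SYNC" in
# the kernel for best results.
server 127.127.30.0
fudge  127.127.30.0 refid GPS       # refid string is a placeholder

# External sanity-check servers, each authenticated with a symmetric
# key. /etc/ntp.keys (mode 0600, root-owned) holds lines of the form
#   1 MD5 <shared secret>
# and must match the key the remote server's operator gave you.
keys /etc/ntp.keys
trustedkey 1 2
server ntp1.example.net key 1       # placeholder hostname
server ntp2.example.net key 2       # placeholder hostname

# Nobody remote may reconfigure, trap, peer with, or query this ntpd;
# the loopback exception lets local ntpq still work.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
```

The cross-check works because ntpd's selection algorithm needs a majority of surviving sources to agree: if a local clock starts broadcasting bad time, as in the cellular incident Dave describes, `ntpq -p` shows it with an `x` tally (falseticker) while the authenticated external servers keep the host on true time, and that `x` is the condition worth alerting on. `prefer` only wins the tie among sources that already agree; it does not override a clock the others reject.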