Re: NTP over several firewalls
From: Richard H Miller (rick_at_bcm.tmc.edu)
Date: 09/09/03
- Next message: Charles Newman: "Re: Using a home T-1 line to evade company filtering"
- Previous message: Fredric L. Rice: "Re: alt.* can't be "off topic" (Was: Hackers Secret Weapons - Virtual Private Networks)"
- In reply to: nebula: "NTP over several firewalls"
- Next in thread: nebula: "Re: NTP over several firewalls"
- Reply: nebula: "Re: NTP over several firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 9 Sep 2003 19:34:58 GMT
nebula (donotemailme@nowhere.com) wrote:
: Hi all,
: I have a question that creates a continuous discussion in our organisation,
: and I would like to hear your view on it.
: We have a network looking like:
: Internet --> firewall --> DMZ --> firewall2 --> backend --> firewall3
: --> internal network.
: Each network is divided into several VLANs. What I propose to do for NTP is as
: follows:
: Place an NTP server on the internal network, the backend and the DMZ.
: Let synchronization go as follows: DMZ NTP server --> backend NTP
: server --> internal NTP server. Let all hosts in a network sync with their
: network's NTP server, so DMZ hosts to the DMZ NTP server and so on. One
: exception: routers on the Internet side will sync to the DMZ NTP server too.
: Now, one of my co-workers wants the hosts to sync their time with the
: firewalls, so we do not need to deploy these servers (except for the one which
: will have the atom clock connected to it). Personally I find that
: connections directed to the firewall should be limited to management of
: authentication connections. How do you guys/girls see this?
You are correct. Your design is appropriate. [You may wish to cut down on the
number of timeservers by placing one in the DMZ and one internally, setting up the rules to
allow all of your systems to NTP to them; the internal NTP server would only sync with
the DMZ server, and the DMZ server is the only device to do NTP to the Internet.]
You actually want your firewalls [if possible] to sync to the internal DMZ server. [This would
be the one exception to not running services on the firewalls; you need to do this for any
type of log sync or correlation with other events.]
Servers *should not* time sync with the firewalls. You are correct that the only connections
directed to the firewall should be for its care and feeding.
rick
Richard H. Miller, MCSE, CCSE
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine
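The tiered layout discussed in this thread (DMZ server -> backend server -> internal server, every host syncing only with the server in its own segment, and the DMZ server as the only device that talks NTP to the Internet) written out as ntpd configuration. This is an added example, not configuration from the original poster or from Baylor College of Medicine; the addresses (192.0.2.0/24 for the DMZ, 198.51.100.0/24 for the backend, 10.0.0.0/16 for the internal network), the upstream pool hostnames and the server roles are all constructed for illustration, and the syntax assumes the reference ntpd's ntp.conf rather than chrony.

```conf
# ---------- DMZ NTP server (constructed address 192.0.2.10) ----------
# The only device the border firewall allows to send UDP/123 to the Internet.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift

# Default policy: serve time only. Clients may not modify the daemon (nomodify),
# may not set traps (notrap), may not become peers (nopeer), and may not run
# ntpq/ntpdc status queries (noquery). kod rate-limits abusive clients.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1

# Who may ask this server for time: DMZ hosts, the routers on the Internet side,
# the firewalls (the reply's one exception), and the backend-tier server.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
restrict 198.51.100.20 nomodify notrap nopeer      # backend NTP server (constructed)
# firewall and router management addresses would be listed here in the same way

# ---------- backend NTP server (constructed address 198.51.100.20) ----------
# Syncs only with the DMZ server through firewall2; serves only the backend segment
# and the internal-tier server.
server 192.0.2.10 iburst
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap nopeer
restrict 10.0.0.20 nomodify notrap nopeer          # internal NTP server (constructed)

# ---------- internal NTP server (constructed address 10.0.0.20) ----------
# Syncs only with the backend server through firewall3; serves the internal VLANs.
server 198.51.100.20 iburst
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.255.0.0 nomodify notrap nopeer

# ---------- any ordinary host in the internal network ----------
# A client talks to its own segment's server and nothing else; it answers no one.
server 10.0.0.20 iburst
driftfile /var/lib/ntp/ntp.drift
restrict default ignore                            # drop every unsolicited packet
restrict 127.0.0.1
restrict 10.0.0.20 nomodify notrap nopeer noquery  # accept time replies from our server only
```

The firewall rule set mirrors the `server` lines: each firewall permits UDP/123 only from the lower tier's server to the next tier's server (and from the DMZ server to the Internet), plus intra-segment traffic from hosts to their own server; no rule allows hosts to reach port 123 on the firewall itself, which keeps the firewall's exposed services to management as the reply recommends. Collapsing to the two-server variant suggested in the reply means dropping the backend stanza and pointing the internal server's `server` line at 192.0.2.10. The one server with the locally attached reference clock would additionally carry that clock's refclock driver line, which is hardware-specific and not shown here.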