NTP Server(s)

Someone recently told me that it is a Cisco best practice to place an NTP server in your DMZ even if it does not need to reply to NTP requests from the public (Internet). Is this true, and if so, can someone point me to the Cisco document that describes this best practice? (I was also told that all Fortune 200 companies do it this way.)

Example: The NTP server is in the DMZ and has a public IP address. Internal clients query this NTP server for time updates. However, the NTP server does not need to respond to external NTP queries from the Internet.

I am a firm believer that if a server (or service) DOES NOT need to be accessed by clients on the Internet, then you do not place it in a DMZ and assign it a public IP address. Or are there special circumstances with NTP?

Any comments/suggestions would be helpful.

PatG

We are currently using a single NTP server that resides in our DMZ and responds to NTP queries from internal users (it's actually two that are set up with round-robin DNS). However, this NTP server does not need to respond to NTP queries from the Internet. When I mentioned that it should probably be moved to our internal network segment, someone in our organization said that it is a Cisco best practice to have your NTP server in your DMZ.

I have always had the belief that if a server or service does not need to be accessed from the "public" side, then you do not put it in a DMZ and assign it a public IP address. When I mentioned that, I was given the statement that ALL Fortune 200 companies do it that way.

Can anyone tell me if Cisco does have a best practice for NTP servers, and if so, can you provide a link to it?

Any suggestions/comments would be greatly appreciated!

Pat G.


Pat,

It sounds as if personal opinions (both yours and another engineer's) disagree about a trivial matter.

Having worked for at least one of the Fortune 200 companies you mentioned, and having worked in the Cisco networking world for over 10 years, I've never placed the NTP server in a DMZ. So in this instance, I would have to agree with you.

However...

The purpose of placing something behind a firewall (in a DMZ) is to secure it. But NTP *is* secure. And if someone finds a security flaw in NTP, it would be worth placing it behind a firewall and then allowing ONLY known hosts to access it, only on the necessary port (UDP 123).

If the NTP server is more than **just** an NTP server, like one running on ANY operating system (Linux, Solaris, Windows, MacOS, etc.), then you *should* place it in the DMZ, simply because of the insecure nature of the OS. But Fortune 200 companies would use a dedicated NTP appliance such as the ones from TrueTime.

Who cares where it is. Yes, it will cause extra work because of its placement behind the firewall. But it isn't that hard.

My guess is that your NTP server is not an appliance, and there's really nothing wrong with that. But put it in the DMZ.

Let your ego go, it'll make you a much better engineer in the long run.

Good luck. JC

J.Cottingim

If we have an NTP server in the DMZ, how do we update clocks for systems in the perimeter (routers, switches, first layer of firewalls, IPS, etc.)? My DMZ is on the second layer of firewall.

How about configuring the perimeter router as NTP master and then synchronising all perimeter devices with this router, using authentication and access lists?

And then having another NTP master for internal systems, to synchronize clocks for WAN routers and other internal systems, including switches, routers, etc.

Is this advisable?

ciscosec

I work for a Fortune 500 company, and from talking with our Cisco sales engineer, the following setup is pretty much the norm in most large enterprises.

First, you would purchase multiple NTP appliances (such as the TrueTime ones mentioned by the previous poster) and have them sync using GPS, and thus be stratum 1 NTP servers with no Internet access required. You would install three of them at three different geographic locations. You would then configure your primary devices to sync to all of them. Only one will be used, but if one of them goes flaky, NTP is smart enough to figure out which one is "off" if you have at least three configured sources. If you have only one NTP server and it goes bad, time will be off on your entire network. Since everything will be synced together, this is not necessarily a bad thing. If you have two NTP servers and one of them goes flaky, half the devices will think the good one is good, and the other half will think the bad one is good. If you have three, and one goes bad, everything will sync to one of the two good ones.

In our organization, we have three TrueTime NTP-200s, and the primary domain controllers for AD sync to them, as do multiple NDS servers, the mainframe and other Unix servers. All of the PC clients sync to the AD domain controllers or the NDS servers. We have three routers that sync to the NTP servers, and all of our network devices sync to those three routers. The NTP servers are on the internal network, and our firewall between the DMZs and the internal network allows NTP between them. No NTP is permitted to/from the Internet. Our Internet routers in front of the firewall sync to three publicly accessible NTP servers on the Internet. We have been running this scenario for about 10 to 12 years without any issues. The TrueTime servers were last replaced about 3 years ago because they were almost 10 years old and we figured we needed a refresh.

Scott

Thrill5

The same way you would if it weren't in the DMZ.

Can you define what you consider to be a "second layer of firewall"?

J.Cottingim

I have multiple layers of firewall, where the first layer takes care of NATing and is assigned public IPs.

My second layer of firewall has some DMZ zones where we have kept some DB servers, web servers, etc. I also have some routers connected to this firewall. Each of these systems is on a separate logical interface with a different security level.

I was planning to configure my perimeter router as NTP master and have the other systems in my perimeter, like the first-layer firewall, IPS and perimeter switches, all synchronize time with my perimeter router.

For the second-layer firewall and other systems, I will have an internal core switch that acts as NTP master to sync clocks.

Is it recommended? What are the security implications of this?

ciscosec
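Added example, not posted by anyone in this thread: classic Cisco IOS configuration for the hierarchy Thrill5 describes (three authenticated references, internal distribution routers, NTP allowed from the DMZ to the inside only, nothing to or from the Internet) and for the perimeter-router-as-master design ciscosec asks about, with the authentication and access lists JC and ciscosec mention. All addresses are placeholders from RFC 1918 and RFC 5737, the key strings and public server names in angle brackets are assumptions to be replaced, and the three stratum-1 appliances at 10.1.1.10-12 are assumed, not taken from the thread.

```cisco
! ---- Internal distribution router (one of three; the other two are identical) ----
! 10.1.1.10-12 : GPS stratum-1 appliances (assumed)   10.0.0.0/8 : internal
! 192.0.2.0/24 : DMZ                                   203.0.113.0/24 : public edge
ntp authenticate
ntp authentication-key 1 md5 <distribution-secret>
ntp authentication-key 3 md5 <dmz-client-secret>
ntp trusted-key 1
ntp trusted-key 3
ntp source Loopback0
! Three references so the selection algorithm can outvote a single falseticker
ntp server 10.1.1.10 key 1 prefer
ntp server 10.1.1.11 key 1
ntp server 10.1.1.12 key 1
! "peer" is required for packets from the sources this router syncs TO;
! "serve-only" answers time requests only (no sync, no control queries)
ip access-list standard NTP-UPSTREAM
 permit 10.1.1.10
 permit 10.1.1.11
 permit 10.1.1.12
ip access-list standard NTP-CLIENTS
 permit 10.0.0.0 0.255.255.255
 permit 192.0.2.0 0.0.0.255
ntp access-group peer NTP-UPSTREAM
ntp access-group serve-only NTP-CLIENTS
! Do not even listen for NTP on the user-facing interface
interface GigabitEthernet0/1
 ntp disable
!
! ---- Inside firewall / switch / DMZ-facing device as an NTP client ----
! DMZ hosts get key 3 only: an NTP symmetric key can forge packets for
! anyone who holds it, so the distribution key 1 never leaves the inside.
ntp authenticate
ntp authentication-key 3 md5 <dmz-client-secret>
ntp trusted-key 3
ntp server 10.1.1.1 key 3 prefer
ntp server 10.1.1.2 key 3
ntp server 10.1.1.3 key 3
!
! ---- Inside firewall (IOS ACL form): DMZ may reach the distribution routers only ----
ip access-list extended DMZ-TO-INSIDE
 permit udp 192.0.2.0 0.0.0.255 host 10.1.1.1 eq ntp
 permit udp 192.0.2.0 0.0.0.255 host 10.1.1.2 eq ntp
 permit udp 192.0.2.0 0.0.0.255 host 10.1.1.3 eq ntp
 deny   udp any any eq ntp log
! (remaining DMZ-to-inside rules follow)
!
! ---- Perimeter router: syncs to public servers, serves the perimeter devices ----
ntp authenticate
ntp authentication-key 2 md5 <perimeter-secret>
ntp trusted-key 2
! Three public sources, again for falseticker detection
ntp server <public-ntp-a>
ntp server <public-ntp-b>
ntp server <public-ntp-c>
! Fallback only: if all public sources are lost, keep serving at a high
! stratum from the local clock so the perimeter stays mutually consistent
ntp master 10
ip access-list standard NTP-PUBLIC-SOURCES
 permit host <public-ntp-a>
 permit host <public-ntp-b>
 permit host <public-ntp-c>
ip access-list standard NTP-PERIMETER-DEVICES
 permit 203.0.113.0 0.0.0.255
ntp access-group peer NTP-PUBLIC-SOURCES
ntp access-group serve-only NTP-PERIMETER-DEVICES
!
! ---- Perimeter switch / first-layer firewall / IPS management as client ----
ntp authenticate
ntp authentication-key 2 md5 <perimeter-secret>
ntp trusted-key 2
ntp server 203.0.113.1 key 2
```

Two caveats a practitioner would want. First, IOS NTP authentication is a symmetric MD5 key: it lets a client reject unauthenticated or mis-keyed replies, but it does not authenticate the client to the server, and any device holding the key can forge "authenticated" packets, which is why the DMZ clients above get a separate key from the one used between the distribution routers and the appliances. The access-group lists, not the key, are what stop unknown hosts from syncing to or querying the router, and `serve-only` also shuts off NTP control queries (the `ntpq`/`ntpdc` style requests) that leak peer and version information. Second, the perimeter router with `ntp master 10` serves a real, low stratum only while its public sources are reachable; if they go away it keeps answering from its own clock at stratum 10, so the perimeter drifts together rather than splitting. Verify the result with `show ntp associations detail` (look for the `authenticated` and `sane, valid` flags on each source) and `show ntp status`. On a Unix DMZ host running ntpd the equivalent is a `server 10.1.1.1 key 3` line plus a `keys` file and `trustedkey 3` in ntp.conf.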

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.