Hi Alexander, I think you or your consultant may have an overly strict reading of the PCI documents. Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few times... If you have your PCI hosts directly going against ntp.org or similar, then you are not in compliance. My understanding is that you need to: A) Run a local set of NTP servers - these are your 'trusted' servers, under your control, properly managed/secured, fully meshed, etc. These in turn (section 10.4.3) can get their time from 'industry-accepted time sources'. B) The rest of your PCI infrastructure in turn uses these NTP servers and only these NTP servers. - Michael DeMan On Feb 6, 2014, at 2:27 AM, Alexander Maassen <outsider@scarynet.org> wrote:
www.pool.ntp.org
-------- Oorspronkelijk bericht -------- Van: Notify Me <notify.sina@gmail.com> Datum: Aan: "nanog@nanog.org list" <nanog@nanog.org>,afnog@afnog.org Onderwerp: Need trusted NTP Sources
Hi !
I'm trying to help a company I work for to pass an audit, and we've been told we need trusted NTP sources (RedHat doesn't cut it). Being located in Nigeria, Africa, I'm not very knowledgeable about trusted sources therein.
Please can anyone help with sources that wouldn't mind letting us sync from them?
Thanks a lot!