Re: Need trusted NTP Sources
www.pool.ntp.org

-------- Original message --------
From: Notify Me <notify.sina@gmail.com>
Date:
To: "nanog@nanog.org list" <nanog@nanog.org>, afnog@afnog.org
Subject: Need trusted NTP Sources

Hi!

I'm trying to help a company I work for to pass an audit, and we've been told we need trusted NTP sources (RedHat doesn't cut it). Being located in Nigeria, Africa, I'm not very knowledgeable about trusted sources therein.

Please can anyone help with sources that wouldn't mind letting us sync from them?

Thanks a lot!
Hi Alexander,

I think you or your consultant may have an overly strict reading of the PCI documents.

Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few times... If you have your PCI hosts directly going against ntp.org or similar, then you are not in compliance.

My understanding is that you need to:

A) Run a local set of NTP servers - these are your 'trusted' servers, under your control, properly managed/secured, fully meshed, etc. These in turn (section 10.4.3) can get their time from 'industry-accepted time sources'.

B) The rest of your PCI infrastructure in turn uses these NTP servers and only these NTP servers.

- Michael DeMan

On Feb 6, 2014, at 2:27 AM, Alexander Maassen <outsider@scarynet.org> wrote:
www.pool.ntp.org
-------- Original message --------
From: Notify Me <notify.sina@gmail.com>
Date:
To: "nanog@nanog.org list" <nanog@nanog.org>, afnog@afnog.org
Subject: Need trusted NTP Sources

Hi!
I'm trying to help a company I work for to pass an audit, and we've been told we need trusted NTP sources (RedHat doesn't cut it). Being located in Nigeria, Africa, I'm not very knowledgeable about trusted sources therein.
Please can anyone help with sources that wouldn't mind letting us sync from them?
Thanks a lot!
On (2014-02-06 07:24 -0800), Michael DeMan wrote:
A) Run a local set of NTP servers - these are your 'trusted' servers, under your control, properly managed/secured, fully meshed, etc.
I'm not sure if full-mesh is best practice, the external clients should have full view of as close to source data as possible. If in full-mesh you're already masking the data with inaccuracy, giving the clients less information to make a decision?

We used to have full-mesh in our Meinbergs, until from their recommendation we removed it completely. It makes sense to me, but I don't understand the issue deeply.

--
  ++ytti
This doesn't address the full-mesh part, but this discussion suggests at least four servers, but better to have five.
http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5.3.3

Frank

-----Original Message-----
From: Saku Ytti [mailto:saku@ytti.fi]
Sent: Thursday, February 06, 2014 10:34 AM
To: nanog@nanog.org
Subject: Re: Need trusted NTP Sources

On (2014-02-06 07:24 -0800), Michael DeMan wrote:
A) Run a local set of NTP servers - these are your 'trusted' servers, under your control, properly managed/secured, fully meshed, etc.
I'm not sure if full-mesh is best practice, the external clients should have full view of as close to source data as possible. If in full-mesh you're already masking the data with inaccuracy, giving the clients less information to make a decision?

We used to have full-mesh in our Meinbergs, until from their recommendation we removed it completely. It makes sense to me, but I don't understand the issue deeply.

--
  ++ytti
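One way to check a host against the design Michael describes (PCI hosts sync only from the organisation's own approved NTP servers) together with the server count Frank cites (at least four, better five), as an added example that is not code from any poster in this thread; the internal host names and the sample ntp.conf are constructed for illustration:

```python
# Added example (not code from the list posters): audit an ntp.conf against the
# design in this thread. A PCI host may name only the approved internal servers
# as time sources, and per the ntp.org page Frank cites it should have at least
# four of them, ideally five. Host names and the sample config are constructed.

# Constructed: the organisation's own 'trusted' internal servers (hypothetical names)
APPROVED_SERVERS = {f"ntp{i}.corp.example" for i in range(1, 6)}
MIN_SOURCES, RECOMMENDED_SOURCES = 4, 5
SOURCE_DIRECTIVES = ("server", "peer", "pool")   # directives that name a source


def time_sources(conf_text):
    """Hosts named by server/peer/pool lines, with comments and blanks ignored."""
    sources = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in SOURCE_DIRECTIVES:
            sources.append(parts[1])
    return sources


def audit_ntp_conf(conf_text, approved=APPROVED_SERVERS):
    """Findings dict; 'compliant' is True only if every source is approved
    and at least MIN_SOURCES distinct approved servers are configured."""
    sources = set(time_sources(conf_text))
    unapproved = sorted(sources - approved)
    approved_count = len(sources & approved)
    return {
        "unapproved": unapproved,
        "approved_count": approved_count,
        "meets_recommendation": approved_count >= RECOMMENDED_SOURCES,
        "compliant": not unapproved and approved_count >= MIN_SOURCES,
    }


# Constructed sample: a PCI host that still points at the public pool
SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift
server ntp1.corp.example iburst
server ntp2.corp.example iburst
server ntp3.corp.example iburst
pool 0.pool.ntp.org iburst   # leftover from the distribution default
restrict default kod nomodify notrap nopeer noquery
"""

if __name__ == "__main__":
    print(audit_ntp_conf(SAMPLE_CONF))
    # -> unapproved ['0.pool.ntp.org'], approved_count 3, compliant False
```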