22.5. Network Time Protocol (NTP)NTP allows you to set the clocks on your systems very accurately, to within 1 to 50 ms of the time on a central server. Knowing the exact time is extremely important for certain types of applications and protocols:
NTP is provided with several vendors' versions of Unix; a few vendors (notably Silicon Graphics) include services based on the older Time protocol instead of or in addition to NTP. NTP is not provided with Windows NT but is supported by timeserv, which is part of the Server Resource Kit.
By default, NTP does not include any authentication; as a result, it's easy for an attacker to forge packets with incorrect time settings. It's possible to use authentication starting in NTPv3, and you should do so.
22.5.1. Packet Filtering Characteristics of NTPNTP is a UDP-based service. NTP servers use well-known port 123 to talk to each other and to NTP clients. NTP clients use random ports above 1023. As with DNS, you can tell the difference between the following:
NTP servers may also talk to each other using broadcast or multicast; the multicast address 126.96.36.199 is reserved for this purpose.
Figure 22-1 shows how packet filtering works with NTP.
Figure 22-1. NTP with packet filtering
22.5.2. Proxying Characteristics of NTPAs a UDP-based application, NTP can't be proxied by SOCKS4 but can be used with the UDP Packet Relayer or SOCKS5. Because NTP employs a hierarchy of servers, it can be configured to run on a bastion host without using explicit proxying, as shown later in this chapter.
22.5.3. Network Address Translation Characteristics of NTPNTP does not use embedded IP addresses and will work transparently with network address translation.
22.5.4. Configuring NTP to Work with a FirewallDo you really need to configure NTP to work with a firewall? That's your first decision. You may not need to if either of the following cases is true at your site:
If you do want to run NTP across your firewall, the best way is to set up an NTP server on a bastion host that talks to multiple external NTP servers and another NTP server on some internal host that talks to the bastion host. (You want the bastion host to talk to multiple external NTP servers because it increases accuracy and makes it harder to fool.) Next, configure internal NTP clients and other internal NTP servers to talk to the internal server that talks to the bastion server. You need to configure any packet filtering system between the internal server and the bastion host to allow the following:
22.5.5. Summary of Recommendations for NTP
Copyright © 2002 O'Reilly & Associates. All rights reserved.