Need trusted NTP Sources

Hi !

I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't cut it). Being
located in Nigeria, Africa, I'm not very knowledgeable about trusted
sources therein.

Please can anyone help with sources that wouldn't mind letting us sync
from them?

Thanks a lot!

So presuming that your company is using RH or Fedora or CentOS something,
the auditors are claiming that Red Hat, Inc is trusted enough to provide a
precompiled based operating system with no feasible means of proving its
reliability, but that they're not trustworthy enough to provide a clock
synchronisation service?

My head spins.

Get new auditors. Your current ones are stupid.

Nick

We're a redhat shop, and we use redhat auth which by default uses redhat
NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.

According to the auditors, "trusted" means

1. Universities or Research facilities (nuclear/atomic facilities,
space research (such as NASA) etc.)
2. Main country internet/telecom providers
3. Government departments
4. Satellites (using GPS module)

Which is a bit of a tall order over here.

PCI DSS states:

10.4.3 Time settings are received from industry-accepted time sources.

The default RHEL time servers are defined as X.rhel.ntp.org. Many people
would consider ntp.org as industry-accepted, and there are several PCI-DSS
auditing companies out there who explicitly recommend using pool.ntp.org
for this purpose.

If that's not good enough, the PCI DSS standards explicitly state in the
NTP interpretation section:

More information on NTP can be found at www.ntp.org, including
information about time, time standards, and servers.

So, if PCI themselves view ntp.org as being authoritative about NTP I can't
see any reason why the time servers they publish wouldn't pass an audit.

Nick

GPS time sources are pretty cheap (< US$500) and easy to set up nowadays.

You could probably build your own for less than US$100:
http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

Aled

In general you should probably be asking <news:comp.protocols.time.ntp>.

You could run your own NTP server using GPS as its reference clock (#4),
at least I don't think it would be impossible for you to obtain such a
device. But not cheap either. But then RHEL and an audit suggest you
have some money to spend. You might even build your own using ntpd and
a receiver, e.g., GNSS. See
<http://www.eecis.udel.edu/~mills/ntp/index.html> for more information.

Some stratum 1 or 2 servers (which are generally run by entities 1 thru
3 from your list) may allow you to obtain time (perhaps using crypto),
but of course you'd need to contact them directly. ntp.org has a list:
<http://support.ntp.org/bin/view/Servers/WebHome>.

Generally speaking, you'll need at least 3 sources if you want stability.

Mark

Once upon a time, Nick Hilliard <nick@foobar.org> said:

So presuming that your company is using RH or Fedora or CentOS something,
the auditors are claiming that Red Hat, Inc is trusted enough to provide a
precompiled based operating system with no feasible means of proving its
reliability, but that they're not trustworthy enough to provide a clock
synchronisation service?

Red Hat does not provide an NTP service themselves. The default NTP
config on a Red Hat Enterprise Linux system uses rhel.pool.ntp.org.

I suppose some auditor could dislike the "openness" of pool.ntp.org
(basically anybody can join). If that is the case, your best bet is to
do some combination of the following:

- As others have suggested, set up your own stratum-1 clock (can be done
  for around $100). Ideally you'd set up more than one.

- Set up several servers with a static set of NTP servers rather than
  the general pool servers. See the lists on www.pool.ntp.org; look
  under the docs for setting up a server to join the pool. You don't
  have to actually join the pool, but following those docs is a good way
  to set up a stable server.

After that, point the rest of your servers at your "master" servers,
rather than the public pool.

It has been a while since I have done anything with NTP, but I would start
with ntp.org (which didn't exist when I WAS working with it) which I am led
to believe has the stuff that used to be at U. Delaware, like the public
servers lists:

WebHome < Servers < Network Time Foundation's NTP Support Wiki

Where I found PublicTimeServer000079 < Servers < Network Time Foundation's NTP Support Wiki

After all these years I still can not get used to the non-standard NANOG response to "reply". I wonder if there is a way for me to fix that locally.

If it was me (having made a living getting with auditors who had no idea what they were doing) I would look for some close-by reliable (my judgement) 1- and 2-level sources (including, usually, the router at the ISP that I talk to) to get good service, then add one or two the auditor likes.

Larry (long time responder-to-audits that demanded that my UNIVAC and HP hardware and software look like IBM)

I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't cut it). Being
located in Nigeria, Africa, I'm not very knowledgeable about trusted
sources therein.

Obviously "trusted" time sources are important, but at the end of the day
you have to trust someone who ultimately has the least risk (there is never
no risk) you are able to achieve.

I appreciate "least level of risk" is subjective to your auditor's opinion
(in this case) :)

Just wanted to mention, having a good number of servers (not blindly
trusting <= 3 unique sources) adds some additional protection against
'false-tickers'.

Even "trusted" time-sources have their off-days due to a myriad of
technical reasons.

Configure multiple, relatively high stratum (taking into account how many
strata you intend to serve downstream), low-jitter/rtt, good-quality
time-sources.

Also, risk changes over time, so vigilant monitoring is important too!

Regards,

Chris.

My usual practice is to set up two in house servers, each of which
talks to:

time.windows.com
time.apple.com
and one of the NIST servers

0.us.pool.ntp.org
1.us.pool.ntp.org
2.us.pool.ntp.org

and each other.

And then point everyone in house to both of them, assuming they accept
multiple server names.

But I am young, and not much travelled. :)

Cheers,
-- jra

Noo!!! Everybody!!! Don't reply to that!!!

:)

Mailing lists aren't *supposed* to set Reply-To, Larry; your mail client is
supposed to have a Reply To List command. Most "consumer" MUAs, of course,
don't.

Reply-All is a (usually) winked-upon subterfuge, or you can do like I
do and just manually readjust the To header when you reply to the list.

Just don't do what I do and accidentally set it to NANOG when you're
replying to a different list's message. :)

Cheers,
-- jra

Two is the worst possible number of NTP servers to have. If either one fails, your
timing is wrong, because you cannot vote out the false ticker. And the chance of either
of the two failing is higher than that of one specific one.

+1 to having at least 3 NTP servers.
Because complete outage is only one kind of failure.

Don't forget poor performance due to high latency, or
Server X emitting corrupted or inaccurate data

"A man with a watch knows what time it is. A man with two watches is never sure."

Working in the financial world, the best practice is to have 4 ntp servers (if not using PTP).

1) You need 3 to determine the correct time (and detect bad tickers)
2) If you lose 1 of the 3 above, then you no longer can determine the correct time
3) Therefore with 4, you have redundancy.

We have two Symmetricom Stratum 1 time servers synced via GPS with Rubidium oscillators, and two RHEL 6 servers running ntpd for our 4 servers.

Having a number of NTP servers will help you detect false tickers which may be critical.

If you want something that is "cheap" as in for your home, I can recommend this: ~$350 w/ antenna, etc.

http://www.netburnerstore.com/product_p/pk70ex-ntp.htm

You can get the whole thing going quickly. Majdi has also had good luck with this unit (perhaps he wants to chime-in, heh pun unintended) regarding a few other devices.

If you ask politely off-list, I will point you at where one of these is that you can talk to (in Dallas at the Infomart for your low-latency config).

- Jared
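To make the 2-vs-3-vs-4 argument above concrete, here is an added example (not code from the thread or from ntpd itself) that runs a simplified version of the RFC 5905 intersection algorithm, the step in which ntpd votes out falsetickers, over constructed source offsets; the source names and offsets are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Source:
    name: str
    offset: float     # measured clock offset against this source, seconds
    root_dist: float  # root distance: error bound around that offset, seconds

def select_truechimers(sources):
    """RFC 5905 s.11.2.1 intersection algorithm (simplified): returns
    (truechimers, falsetickers) by name, or None when no majority clique
    exists, the case in which ntpd refuses to synchronise at all."""
    n = len(sources)
    # Chime list: low edge (-1), midpoint (0) and high edge (+1) of each
    # source's correctness interval [offset - root_dist, offset + root_dist].
    chimes = sorted((e, k) for s in sources for e, k in
                    ((s.offset - s.root_dist, -1), (s.offset, 0), (s.offset + s.root_dist, 1)))
    low, high, allow, majority = float("inf"), float("-inf"), 0, False
    while 2 * allow < n:                 # never tolerate a majority of falsetickers
        found, count = 0, 0
        for edge, kind in chimes:        # ascending scan: lower endpoint of the clique
            count -= kind
            if count >= n - allow:
                low = edge
                break
            found += kind == 0           # midpoints left outside the clique
        count = 0
        for edge, kind in reversed(chimes):   # descending scan: upper endpoint
            count += kind
            if count >= n - allow:
                high = edge
                break
            found += kind == 0
        if found <= allow:
            majority = True
            break
        allow += 1
    if not majority or low > high:
        return None
    true_, false_ = [], []
    for s in sources:
        outside = s.offset + s.root_dist < low or s.offset - s.root_dist > high
        (false_ if outside else true_).append(s.name)
    return true_, false_

# Constructed sample: three sources agreeing within a few ms, one 30 s off.
GPS = Source("gps-1", 0.002, 0.010)
ISP = Source("isp-ntp", -0.001, 0.008)
UNI = Source("univ-ntp", 0.005, 0.011)
BAD = Source("bad-ntp", 30.0, 0.010)
```

With four sources the falseticker is voted out, with three it still is (so one of the four can be lost), and with only two disagreeing sources there is no majority and nothing can be trusted.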

With a quick and easy mod, another option for $35 is a Sure Electronics
GPS board.

GPS: http://www.sureelectronics.net/goods.php?id=99

Mod: http://www.satsignal.eu/ntp/Sure-GPS.htm

-Alby