Need trusted NTP Sources

-------- Oorspronkelijk bericht --------

Hi Alexander,

I think you or your consultant may have an overly strict reading of the PCI documents.
Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few times...
If you have your PCI hosts directly going against or similar, then you are not in compliance.

My understanding is that you need to:

A) Run a local set of NTP servers - these are your 'trusted' servers, under your control, properly managed/secured, fully meshed, etc.
These in turn (section 10.4.3) can get their time from 'industry-accepted time sources'.

B) The rest of your PCI infrastructure in turn uses these NTP servers and only these NTP servers.

- Michael DeMan

I'm not sure if full-mesh is best practice, the external clients should have
full view of as close to source data as possible.
If in full-mesh you're already masking the data with inaccuracy, giving the
clients less information to make decision?

We used to have full-mesh in our meinbergs, until from their recommendation we
removed it completely. It makes sense to me, but I don't understand the issue

This doesn't address the full-mesh part, but this discussion suggests at
least four servers, but better to have five.