-------- Original message --------
Hi Alexander,
I think you or your consultant may have an overly strict reading of the PCI documents.
Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few times...
If you have your PCI hosts directly going against ntp.org or similar, then you are not in compliance.
My understanding is that you need to:
A) Run a local set of NTP servers - these are your 'trusted' servers, under your control, properly managed/secured, fully meshed, etc.
These in turn (section 10.4.3) can get their time from 'industry-accepted time sources'.
B) The rest of your PCI infrastructure in turn uses these NTP servers and only these NTP servers.
- Michael DeMan
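One way to express the two-tier layout Michael describes in ntpd configuration, added here as an illustration rather than taken from the thread or from any PCI document; the host names, the 10.10.0.0/16 range and the pool names are placeholders:

```conf
# Added example, not from the thread. Placeholder names/ranges throughout.

# ---- /etc/ntp.conf on each internal "trusted" server (ntp1/ntp2/ntp3) ----
driftfile /var/lib/ntp/ntp.drift

# Upstream: industry-accepted sources (PCI DSS 3.0, 10.4.3). Only these
# internal servers ever exchange NTP with the outside world.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst

# Full mesh between the internal servers, as in item A). On ntp1; the other
# two list their own counterparts. (Later replies question whether meshing
# is best practice; drop these lines if you follow that advice.)
peer ntp2.pci.example.internal iburst
peer ntp3.pci.example.internal iburst

# Default: serve time, but allow no reconfiguration, no ntpq/ntpdc queries
# and no unsolicited peering. Then open only what is needed.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# PCI segment (placeholder range): may ask for time, nothing else.
restrict 10.10.0.0 mask 255.255.0.0 kod nomodify notrap nopeer noquery

# ---- /etc/ntp.conf on every other PCI host (item B) ----
driftfile /var/lib/ntp/ntp.drift

# Only the internal servers; no pool or public server lines at all.
server ntp1.pci.example.internal iburst
server ntp2.pci.example.internal iburst
server ntp3.pci.example.internal iburst

# Drop every NTP packet except replies from the three internal servers and
# local loopback queries; a client has no reason to serve anyone.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1
restrict ntp1.pci.example.internal nomodify notrap noquery
restrict ntp2.pci.example.internal nomodify notrap noquery
restrict ntp3.pci.example.internal nomodify notrap noquery
```

Pair the client config with an egress rule that permits UDP/123 only to the internal servers, and check the result with `ntpq -p` on a client: every listed association should be one of the three internal hosts.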
I'm not sure if full-mesh is best practice; the external clients should have
a full view of data as close to the source as possible.
If in full-mesh you're already masking the data with inaccuracy, aren't you
giving the clients less information to make a decision?
We used to have full-mesh on our Meinbergs, until on their recommendation we
removed it completely. It makes sense to me, but I don't understand the issue
deeply.
This doesn't address the full-mesh part, but this discussion suggests at
least four servers, and better five.
http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5.3.3.
Frank