NTP Question

Answers to that include:

  • Keeping the Auditors happy
  • Knowing that “everyone does it” - the vendor told them so
  • Bragging rights (expensive hardware)
  • Being unbothered by fighting with facilities for building penetrations and antenna mounts
  • Misunderstanding the beauty and economy of Dave Mills' marvelous algorithms for consistent time based on multiple sources, even those connected via internet
  • Unwillingness or inability to leverage other local resources' capacity to run ntpd with minimal impact in order to have a good constellation of local NTP servers
  • Willingness to farm out time service without doing a deep dive into why and how, just leaving the design to the appliance vendors
This covers most of what I have encountered in providing enterprise time services for $dayjob+clients. I probably left out some significant points, but it has been a few years…
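The multi-source point above rests on Mills' clock selection algorithm, which is what lets ntpd out-vote a single bad or spoofed reference. As an added illustration that is not part of the thread or of ntpd, here is the Marzullo-style core of that idea in Python; the source names and offsets are constructed.

```python
"""Marzullo-style clock selection, the core of the NTP selection algorithm
(RFC 5905 clock_select is a refinement of it). Added example, not code from
the thread or from ntpd. All source names and offsets are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Source:
    name: str
    offset: float  # measured clock offset relative to this source, seconds
    error: float   # error bound (root distance), seconds

    @property
    def low(self) -> float:
        return self.offset - self.error

    @property
    def high(self) -> float:
        return self.offset + self.error

def select(sources):
    """Split sources into (truechimers, falsetickers, agreed_window).
    True time is assumed to lie inside every honest source's interval, so the
    sub-interval covered by most sources is the estimate; a source whose interval
    misses it is a falseticker. Without a strict majority, nothing is trusted."""
    # Endpoint events: -1 opens an interval, +1 closes one. Equal values sort
    # the opener first, so touching intervals count as overlapping.
    events = sorted([(s.low, -1) for s in sources] + [(s.high, +1) for s in sources])
    best, count, low, high = 0, 0, 0.0, 0.0
    for i, (value, kind) in enumerate(events):
        count -= kind                      # +1 on open, -1 on close
        if count > best:                   # densest region so far: runs to the next endpoint
            best, low, high = count, value, events[i + 1][0]
    if best * 2 <= len(sources):           # no majority clique: refuse to synchronize
        return [], list(sources), None
    truechimers = [s for s in sources if s.low <= low and s.high >= high]
    falsetickers = [s for s in sources if not (s.low <= low and s.high >= high)]
    return truechimers, falsetickers, (low, high)

# Constructed sample: three LAN peers agreeing within a few ms, and one source
# reached through the firewall answering 2.5 s off (broken, spoofed or misconfigured).
SAMPLE = [Source("lan1", 0.002, 0.010), Source("lan2", -0.003, 0.008),
          Source("lan3", 0.005, 0.015), Source("wan-fw", 2.5, 0.05)]

if __name__ == "__main__":
    good, bad, window = select(SAMPLE)
    print("truechimers:", [s.name for s in good])    # ['lan1', 'lan2', 'lan3']
    print("falsetickers:", [s.name for s in bad])    # ['wan-fw']
    print("agreed offset window:", window)
```

With only one or two sources there is no majority to check against, which is the operational reason the thread argues for a constellation of several local servers.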

Harlan and Mehmet,

I can expand on one important reason that James only alluded to with his “Keeping the Auditors happy” comment.

Passing NTP through a firewall and then using that as a critical time reference source represents a huge security risk. Here’s one detailed explanation of that risk:

https://insights.sei.cmu.edu/sei_blog/2017/04/best-practices-for-ntp-services.html

-mel

I have some significant disagreements with some of the assumptions and
positions in that posting, for whatever that's worth. And there are
some good points in there, too.

H