Great Circle Associates Firewalls
(November 1995)
 


Subject: Re: NTP through a firewall
From: sgcccdc @ citec . qld . gov . au (Colin Campbell)
Date: Wed, 15 Nov 1995 08:33:25 +1000 (EST)
To: jwilde @ westmail . com
Cc: firewalls @ greatcircle . com
In-reply-to: <9511141914 . AA06416 @ westlan . com> from "jwilde @ westmail . com" at Nov 14, 95 01:16:38 pm

My mailer thinks jwilde @ westmail . com said:
> 
> I was wondering if there would be any security concerns about using my firewall 
> as an NTP Server for the rest of our network.  I was thinking of opening a udp 
> port for NTP and (network time protocol) allowing only my time provider to talk 
> to the firewall via NTP through a generalized proxy.  My question is this, 
> would this open a security hole?  Wouldn't the NTP Server (our firewall) go out 
> and get the time when it is specified?  Any comments would be appreciated.
> 

The only problem with this is the fact that NTP is UDP-based which
means anyone with the inclination can screw around with the time on
your network merely by impersonating the host you look to for the
correct time. Sure they can only make small and gradual adjustments
but they can do it and you did ask. 

I think NTP uses the same port at either end (like DNS server to
server) so you do not need to allow "udp from host blah to host bastion
where port > 1023" which can be dangerous and is generally frowned
upon.

Colin
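
The following is an added example, not part of Colin's message: it compares a filter rule that pins UDP port 123 at both ends with the "port > 1023" rule quoted above, and shows that neither can tell a forged source address from the real time provider. The addresses, packet labels and rule model are constructed for illustration, and it assumes, as the message does, that NTP uses port 123 on both sides.

```python
from collections import namedtuple

# Constructed addresses from the documentation ranges (RFC 5737).
PROVIDER = "192.0.2.10"     # hypothetical upstream time source
BASTION = "198.51.100.1"    # hypothetical firewall/bastion host
NTP_PORT = 123

Packet = namedtuple("Packet", "label src sport dst dport")
Rule = namedtuple("Rule", "src dst sport_ok dport_ok")

# Narrow rule: NTP with port 123 at both ends.
NARROW = [Rule(PROVIDER, BASTION,
               lambda p: p == NTP_PORT, lambda p: p == NTP_PORT)]

# Broad rule: "udp from host blah to host bastion where port > 1023".
BROAD = [Rule(PROVIDER, BASTION,
              lambda p: True, lambda p: p > 1023)]

def permits(rules, pkt):
    """True if any rule in the list matches the UDP packet."""
    return any(r.src == pkt.src and r.dst == pkt.dst
               and r.sport_ok(pkt.sport) and r.dport_ok(pkt.dport)
               for r in rules)

def admitted(rules, packets):
    """Labels of the packets the rule list lets through, in order."""
    return [p.label for p in packets if permits(rules, p)]

# Constructed sample traffic (UDP headers only).
PACKETS = [
    Packet("ntp-reply", PROVIDER, 123, BASTION, 123),
    # Source address forged by a third party: the header is identical to
    # the genuine reply, so a stateless filter cannot tell them apart.
    Packet("forged-ntp", PROVIDER, 123, BASTION, 123),
    # Non-NTP UDP service on a high port of the bastion.
    Packet("high-port-udp", PROVIDER, 123, BASTION, 2049),
    # What NTP replies would look like if the client used a high port.
    Packet("ntp-to-ephemeral", PROVIDER, 123, BASTION, 40123),
    Packet("other-host-ntp", "203.0.113.5", 123, BASTION, 123),
]

if __name__ == "__main__":
    print("narrow:", admitted(NARROW, PACKETS))
    print("broad: ", admitted(BROAD, PACKETS))
```

The narrow rule keeps every high-port service on the bastion unreachable, but authenticating the time source itself has to happen above the packet filter.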

