Solved

NTP Relay Server

Posted on 2013-11-01
1,307 Views
Last Modified: 2013-11-15
Hi Experts,

Hopefully you can help with this one

For security we are looking at spinning up an NTP server to act as a relay for external time sources, i.e. have it sync with an external source but have devices in the DMZ and LAN sync with it.

What is the best way to go about this using Windows servers, and can it be done using Web Edition or must it be Standard or above?
Question by:FSIFM
15 Comments
 
LVL 44

Expert Comment

by:Darr247
ID: 39616727
Here's a list of level 2 servers
http://support.ntp.org/bin/view/Servers/StratumTwoTimeServers

According to http://support.ntp.org/bin/view/Servers/RulesOfEngagement you shouldn't connect to a level one server unless your time server services 100 or more clients.

Beyond that, I'm not sure what you're asking... here's how to configure Server 2008
http://support.microsoft.com/kb/816042
Is your version in this list?
Applies to
• Windows Server 2012 Standard
• Windows Server 2012 Essentials
• Windows Server 2008 R2 Standard
• Windows Server 2008 R2 Datacenter
• Windows Server 2008 R2 Enterprise
• Windows Server 2008 Standard
• Windows Server 2008 Enterprise
• Windows Server 2008 Datacenter
• Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)
• Microsoft Windows Server 2003, Web Edition
• Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
• Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
• Windows Server 2008 R2 Service Pack 1
 
LVL 4

Author Comment

by:FSIFM
ID: 39616739
As far as I understand it, connecting to an NTP service exposes systems to risk as it is subset able.

As such we want a "sacrificial" NTP server that can sit in the DMZ and obtain the correct time from an external source.

This can then be called by our DCs to obtain the correct time from, thus providing an additional level of security.
 
LVL 44

Expert Comment

by:Darr247
ID: 39616846
Ahhhh... "our DC's" is quite a different scenario than I inferred from your original post. :)

If you have more than one DC, they should be syncing themselves to the PDC Emulator Master (aka flexible single master operations or FSMO).
Running
netdom /query fsmo
from a DC's command prompt should tell you which server that is. That would be the one on which you want to focus this effort.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39617927
Well, the PDC Emulator role is just one of five FSMO roles. However, Darr is correct in that you should focus on the DC which holds this role.

This link will show you how to configure the DC to sync time with an external NTP server...

All of the other DCs, member servers and domain-joined clients will automatically synchronize their time with the PDC.
 
LVL 13

Expert Comment

by:frankhelk
ID: 39620051
If you want to use external sources, I would recommend putting - as described above - a simple Windows machine (or VM) into the DMZ and letting any local client machine sync to that NTP server. A simple Linux machine would do as well - maybe better.

If correct time is a high priority, I would recommend at least 2 machines in the DMZ syncing to external sources (i.e. from pool.ntp.org) and giving both "relay" machines as sources to the clients. There's no need for separate machines either - you might simply equip every machine in the DMZ with an NTP service and have great redundancy. Unless there are hundreds of clients asking for the time every minute, NTP would not have a visible performance impact.

Besides that, I would recommend kicking out the crappy W32time service and using the real thing - a port of the classic NTP service. This would separate the "time master" role from the "DC" role, is free, and is stable as a rock.

See this article for details.

Addendum: Even more secure, you could place a radio controlled NTP appliance (or two, for redundancy) into your local net ... that's no risk at all.
 
LVL 4

Author Comment

by:FSIFM
ID: 39620945
Cheers frankhelk,

That's exactly the information I've been after.

I also found this article http://securityvulns.com/advisories/timesync.asp/ which was informative.

Would you say, then, that best practice to guard against potential threats would be for each host to call a time server, even LAN services? Or, as you said, just use boxes in the DMZ and call the time from them, using the DC to then distribute the correct time across the LAN?
 
LVL 13

Expert Comment

by:frankhelk
ID: 39623667
From my viewpoint, the safest practice would be to place one (or more, if redundancy is needed) radio controlled time server appliance into the local LAN, not into the DMZ.

Any system in the DMZ is per definition vulnerable to attacks from the outside. Any infected system in the DMZ may possibly infect systems in the otherwise safe LAN (not real threats, only theoretic considerations).

The time server appliances don't need to contact anything on the internet ... they get their time sync from radio signals (GPS, DCF77, and much more) with built-in radio controlled clocks, and they serve their clients with various timesync protocols, i.e. NTP. Because there's no need for contact, there should be no possibility of contact.

I've worked with such appliances from Meinberg, and have good experiences with 'em. A good starting point would be the M300 series (see here). If redundancy is an issue, these appliances have a nice gimmick: With the latest firmware they are able to form a high availability cluster that acts as a virtual timeserver where the box with the best conditions serves the clients on a common IP address. If one box fails, the next best jumps in and serves on the same IP.

(Statement: This describes only my personal experience. Other boxes may be as good or better. I'm not affiliated with Meinberg in any way and I'm not paid for these statements.)

Unfortunately these boxes cost about the same as you'd give for an average PC with a radio clock card - which would be the second choice for that. If you have other server PCs around (like an intranet server, an internal mail server, etc.), you might choose to simply equip one or more of them with radio clock cards and use them as time servers (the performance impact is minimal). I wouldn't recommend using the DCs for that.

For simple redundancy reasons and time service quality I would recommend letting each system (DCs, clients, servers, switches, etc.) call the time source(s) by itself instead of placing a central node in between. If that node fails, the time service breaks. Unnecessary bottleneck/weak spot.

Just for reference: My article on NTP.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39623827
I would also say it's not necessary to place an NTP server in a DMZ, especially if it's not servicing external clients.
 
LVL 13

Expert Comment

by:frankhelk
ID: 39624532
As I've said before, it's not only "not necessary" to put the NTP server into the DMZ, I would in fact avoid it due to security considerations.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39624631
I agree there can be security considerations in some instances. However, sometimes it's not possible to not place an NTP server in a DMZ, and in some networks it's actually a requirement in order to provide NTP services for devices inside the DMZ itself. It largely depends on the design of the network/DMZ.

The point I was making was that if you aren't providing NTP services to external devices there's no need to put it in the DMZ.

You will find that PCI-DSS requirements can be met with an NTP server in a DMZ, so it's not entirely frowned upon.
 
LVL 4

Author Comment

by:FSIFM
ID: 39626646
Cheers for all the info guys

In this instance though, we're not looking at purchasing any new kit. We want to sync with external time sources.

So would it still be the best bet to sync our LAN servers with external time servers?
 
LVL 4

Author Comment

by:FSIFM
ID: 39642010
Hi Guys, could anyone answer the above just to clarify?
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 39642114
Yes, just get one or two devices to sync with external time servers, then get everything else to sync with those.
 
LVL 13

Accepted Solution

by:frankhelk
frankhelk earned 250 total points
ID: 39643226
My recommendation for the second best solution (behind dedicated, radio controlled appliances) would be:

Use a Windows port of the classic NTP client on all involved machines (any *ix comes with an incarnation of NTP anyhow). Set up at least two servers in your DMZ with an NTP client, and sync those servers to a variety of servers from pool.ntp.org - i.e. put
server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org
into your ntp.conf. You don't need to install new machines into the DMZ, just install it on any machine in your DMZ - there's no visible performance impact due to NTP (load on the machines could nevertheless influence the NTP precision, but NTP is designed to cope with that).

Install NTP clients on any machine within your local LAN, including the DCs. Disable W32time wherever you find it (the NTP installer should do that for you in most cases).

Refer to my article for more details, or just ask me in case of problems.
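As an added example (not part of the thread and not taken from frankhelk's article), the following shows what the two-tier layout from the accepted solution, combined with frankhelk's earlier point that every LAN host should talk to the relays directly rather than through one central node, could look like in ntpd's ntp.conf. Two files are shown in one block, separated by header comments. The pool hostnames are the ones given in the answer; the relay addresses 192.0.2.10 and 192.0.2.11, the LAN range 10.0.0.0/16 and the driftfile path are assumed placeholders (the Windows port keeps its driftfile in its own install directory).

```conf
# ==== ntp.conf on each of the (at least two) DMZ relays ====
# Added example, not from the thread. Pool names are from the accepted answer;
# the driftfile path is a Linux-style assumption.
driftfile /var/lib/ntp/ntp.drift

# Upstream: several pool servers so ntpd can outvote a single wrong source.
# iburst only speeds up the initial sync; it does not change the polling rate.
server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
server 3.europe.pool.ntp.org iburst

# Weak default (what an untouched install often has): every host may query
# ntpd's state, push runtime configuration (mode 6/7) and peer with it.
#restrict default

# Hardened default: anyone may ask for the time, nobody may reconfigure ntpd,
# set traps, form an unsolicited peer association or query it with ntpq/ntpdc.
# Replies from the configured pool servers are still accepted.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local management (ntpq -p) from the relay itself only.
restrict 127.0.0.1
restrict ::1

# Internal clients (assumed LAN range): time queries only.
restrict 10.0.0.0 mask 255.255.0.0 nomodify notrap nopeer noquery

# ==== ntp.conf on every LAN host (DCs, member servers, clients) ====
# Assumed relay addresses; replace with the real DMZ hosts.
driftfile /var/lib/ntp/ntp.drift

# Both relays, so the loss of one does not stop time service (no single node in between).
server 192.0.2.10 iburst
server 192.0.2.11 iburst

# Drop everything by default, then accept time (and only time) from the two relays.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.10 nomodify notrap nopeer noquery
restrict 192.0.2.11 nomodify notrap nopeer noquery
```

After restarting ntpd, `ntpq -p` on a relay should show a `*` in front of the pool server it selected and a `reach` value climbing towards 377; on a LAN host the same check should show one of the two relays selected and both reachable. Note that the hardened `restrict default` line still answers plain time requests from any address, so it is the DMZ firewall, not ntp.conf, that keeps internet hosts from using the relays: allow UDP/123 outbound from the relays to the pool and inbound from the LAN range, and nothing else.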
 
LVL 4

Author Closing Comment

by:FSIFM
ID: 39650841
Cheers for all of your help lads :)
