Need trusted NTP Sources

Michael DeMan nanog at deman.com
Thu Feb 6 15:24:17 UTC 2014


Hi Alexander,

I think you or your consultant may have an overly strict reading of the PCI documents.
Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few times...
If you have your PCI hosts directly going against ntp.org or similar, then you are not in compliance.

My understanding is that you need to:

A) Run a local set of NTP servers - these are your 'trusted' servers, under your control, properly managed/secured, fully meshed, etc.
These in turn (section 10.4.3) can get their time from 'industry-accepted time sources'.

B) The rest of your PCI infrastructure in turn uses these NTP servers and only these NTP servers.

- Michael DeMan

On Feb 6, 2014, at 2:27 AM, Alexander Maassen <outsider at scarynet.org> wrote:

> www.pool.ntp.org
> 
> -------- Original message --------
> From: Notify Me <notify.sina at gmail.com> 
> Date:  
> To: "nanog at nanog.org list" <nanog at nanog.org>,afnog at afnog.org 
> Subject: Need trusted NTP Sources 
> 
> Hi !
> 
> I'm trying to help a company I work for to pass an audit, and we've
> been told we need trusted NTP sources (RedHat doesn't cut it). Being
> located in Nigeria, Africa, I'm not very knowledgeable about trusted
> sources therein.
> 
> Please can anyone help with sources that wouldn't mind letting us sync
> from them?
> 
> Thanks a lot!
> 
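
An added example, not part of the original thread: a small audit of ntp.conf-style text against the two-tier layout in points A and B of the reply above, where clients may name only the internal servers and the internal servers may name each other plus the approved upstream sources. All hostnames and the `audit` and `time_sources` helpers are constructed for illustration.

```python
# Added example: checks ntp.conf-style text against the two-tier layout.
# Every hostname here is a constructed placeholder, not a recommendation.
SOURCE_DIRECTIVES = {"server", "pool", "peer"}

INTERNAL = {"ntp1.corp.example", "ntp2.corp.example"}  # point A: your own servers
UPSTREAM = {"time-a.upstream.example"}                 # sources accepted for the audit

def time_sources(conf_text):
    """Return hosts named on server/pool/peer lines, skipping comments."""
    sources = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0].lower() not in SOURCE_DIRECTIVES:
            continue
        host = fields[1].lower().rstrip(".")
        if host.startswith("127.127."):  # ntpd reference-clock pseudo-address
            continue
        sources.append(host)
    return sources

def audit(role, conf_text, internal=INTERNAL, upstream=UPSTREAM):
    """role is 'timeserver' (point A) or 'client' (point B); returns findings."""
    allowed = (internal | upstream) if role == "timeserver" else internal
    sources = time_sources(conf_text)
    if not sources:
        return ["no time source configured"]
    return [f"{s}: not an approved source for a {role}"
            for s in sources if s not in allowed]

# Constructed sample configurations.
CLIENT_BAD = """\
server ntp1.corp.example iburst
pool 0.pool.ntp.org iburst   # left over from the distribution default
"""
SERVER_OK = """\
server time-a.upstream.example iburst
peer ntp2.corp.example
server 127.127.1.0   # local clock fallback
"""

if __name__ == "__main__":
    for name, role, conf in [("client", "client", CLIENT_BAD),
                             ("ntp1", "timeserver", SERVER_OK)]:
        print(name, audit(role, conf) or "ok")
```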


