NTP question

william manning chinese.apricot at gmail.com
Thu May 2 11:32:36 UTC 2019


for our PCI-DSS audit, the rationale for at least -one- local source,
instead of depending on pool.ntp.org, was "backhoe fade".
it was worth the $135 for an NTP source using GPS.  the cable run up the
elevator shaft for the antenna works without needing OSHPD permits.

We are very happy with the result.

/Wm

On Wed, May 1, 2019 at 3:01 PM Andreas Ott <andreas at naund.org> wrote:

> On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
> > - Why do folks want to have one or more NTP server masters that have at
> > least 1 refclock on them in a data center, instead of having their data
> > center NTP server masters that only get time over the internet?
>
> I had that discussion before with the QSA for a compliance audit, pointing
> to requirement "10.4.3 Time settings are received from industry-accepted
> time sources" and "verify that the time server(s) accept time updates from
> specific, industry-accepted external sources (to prevent a malicious
> individual from changing the clock)" in the PCI-DSS document. He
> non-jokingly suggested "why don't you use pool.ntp.org?", not really
> realizing how many servers are in fact just someone's PC behind a cable
> modem in their home, which negated the "do I trust the time I am
> receiving?". My immediate answer was "we could use NIST servers",
> but the easiest way out of this is "we operate our own NTP appliance
> with a GPS receiver" and provide that as evidence.
>
> Don't get me wrong, I support pool.ntp.org by operating and contributing
> servers to it, but it is not deemed good enough if you need traceability
> of your NTP time source(s), even though the pool will only admit members
> above a certain quality threshold.
>
>
> > - What % of data center operators provide time servers in their data
> > centers for their tenants (or for the general public)?
>
> My $employer does that in our datacenters and points of presence for
> our customers.
>
> -andreas
> --
> Andreas Ott   K6OTT   +1.408.431.8727   andreas at naund.org
>