11-27-2001 01:17 AM - edited 03-08-2019 09:16 PM
I have a three-tier architecture (presentation, application and database). The presentation tier is located in the DMZ (demilitarized zone). The application and database tiers are located in the secured network (behind the firewall). Using a Cisco PIX Firewall as the DMZ perimeter, I can create a fundamental level of protection. The problem is that we don't have time synchronization between the servers in each tier, which causes me some problems running the application and logging system. I would like to use NTP as an accurate timekeeping protocol. Unfortunately, I'm not sure about allowing the NTP service through my firewall's policy. From my experience, we should not allow NTP to and from a public insecure network (the Internet). One function of our system is to serve an online auction system. Our servers operate on many operating systems (NT4, SunOS, HP-UX). That causes me to make time synchronization between the servers in each tier and the Internet. I just would like to know how to make it possible while providing the same level of protection. Thank you in advance.
11-27-2001 03:09 PM
I use two NTP servers on my internal network as Stratum 3. All my NTP needs are served from those two machines. Our sysadmin watches these servers very closely, as they are also doing other vital functions as well. If you don't want to sync your NTP servers across the Internet, a lot of higher-stratum NTP clocks out there have dialup numbers you can use, which ought to help on the security front.
12-02-2001 03:18 AM
I have set up a local time server on a secured segment behind a Cisco 535 which is synchronizing its time with an NTP server sitting outside the firewall. The servers sitting in the internal secured segments are synchronizing their time using the local time server sitting behind the firewall.
In this case you just have to open a conduit for the specific NTP server sitting on the outside to send back the NTP reply to the local time server.
You can work with the same topology as it is working securely for me here.
Regards,
Zeshan Mansoor Jalali
Cisco Security Specialist,CCIE(R&S)-Written, CCNP,CCDA
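Added illustration of the topology described in the reply above, written as a PIX 6.x-style fragment; it is not configuration taken from the poster's own firewall. It assumes a one-to-one static for the inside time server, and every address below is a constructed placeholder.

```cisco
: Constructed example addresses (not from this thread):
:   inside time server         10.1.1.5   (global address 203.0.113.5)
:   designated outside NTP     198.51.100.7
: One-to-one static so the outside server always sees the same global address.
static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255 0 0
: Reply path for the time server only: one outside host, UDP/123 only,
: one global address. No other outside host can reach the time server and
: no other inside host is exposed.
conduit permit udp host 203.0.113.5 eq 123 host 198.51.100.7 eq 123
: Internal hosts sync from 10.1.1.5, so nothing else needs outbound UDP/123.
: Denying it for every other source catches a host that was left pointing
: at an Internet time source directly (the drops show up in syslog).
outbound 10 deny 0.0.0.0 0.0.0.0 123 udp
outbound 10 except 10.1.1.5 255.255.255.255 123 udp
apply (inside) 10 outgoing_src
```

Check the result with `show static`, `show conduit` and `show outbound`, then confirm from the time server that it reaches the designated outside server and from an ordinary inside host that it does not.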