Building Internet Firewalls

Building Internet FirewallsSearch this book
Previous: 8.12 Network Management ServicesChapter 8
Configuring Internet Services
Next: 8.14 Network File System (NFS)
 

8.13 Network Time Protocol (NTP)

NTP allows you to set the clocks on your systems very accurately, to within 100ms and sometimes even 10ms. Knowing the exact time is extremely important for certain types of applications and protocols:

NTP servers communicate with other NTP servers in a hierarchy to distribute clock information. The closer a system is to a reference clock (an atomic clock, radio clock, or some other definitive clock), the higher it is in the hierarchy. Servers communicate with each other frequently to estimate and track network delay between themselves, so that this delay can be compensated for. NTP clients simply ask servers for the current time without worrying about compensating for communications delays.

8.13.1 Packet Filtering Characteristics of NTP

NTP is a UDP-based service. NTP servers use well-known port 123 to talk to each other and to NTP clients. NTP clients use random ports above 1023. As with DNS, you can tell the difference between:

Unlike DNS, NTP never uses TCP, and NTP has no analog to the DNS zone transfer operation.

Direc-SourceDest.Pro-SourceDest.ACK
tionAddr.Addr.tocolPortPortSetNotes

In

Ext

Int

UDP

>1023

123

[51]

Incoming query, client to server

Out

Int

Ext

UDP

123

>1023

[51]

Answer to incoming UDP query, server to client

Out

Int

Ext

UDP

>1023

123

[51]

Outgoing query, client to server

In

Ext

Int

UDP

123

>1023

[51]

Answer to outgoing UDP query, server to client

In

Ext

Int

UDP

123

123

[51]

Query or response between two servers

Out

Int

Ext

UDP

123

123

[51]

Query or response between two servers

[51] UDP packets do not have ACK bits.

Figure 8.19 shows how packet filtering works with NTP.

Figure 8.19: NTP with packet filtering

Figure 8.19

8.13.2 Proxying Characteristics of NTP

As a UDP-based application, NTP can't be proxied by SOCKS, but can be used with the UDP Packet Relayer. Because NTP employs a hierarchy of servers, it can be configured to run on a bastion host without using explicit proxying, as shown below.

8.13.3 Configuring NTP to Work with a Firewall

Do you really need to configure NTP to work with a firewall? That's your first decision. You may not need to if either of the following cases is true at your site:

In either of these cases, you don't need to run NTP across your firewall; you can simply run it internally.

If you do want to run NTP across your firewall, the best way is to set up an NTP server on a bastion host that talks to multiple external NTP servers and another NTP server on some internal host that talks to the bastion host. (You want the bastion host to talk to multiple external NTP servers because it increases accuracy and makes it harder to fool.) Next, configure internal NTP clients and other internal NTP servers to talk to the internal server that talks to the bastion server. You need to configure any packet filtering system between the internal server and the bastion host to allow the following:

8.13.4 Summary of NTP Recommendations


Previous: 8.12 Network Management ServicesBuilding Internet FirewallsNext: 8.14 Network File System (NFS)
8.12 Network Management ServicesBook Index8.14 Network File System (NFS)