Re: Network time protocol
- To: tlug@example.com
- Subject: Re: Network time protocol
- From: s-luppescu@example.com
- Date: Tue, 19 Sep 2000 14:07:39 -0500 (CDT)
- Content-Transfer-Encoding: 8bit
- Content-Type: text/plain; charset=us-ascii
- In-Reply-To: <20000919111115.A592@example.com>
- Organization: Univ of Chicago
- Reply-To: s-luppescu@example.com
- Resent-From: tlug@example.com
- Resent-Message-ID: <ZgB1sB.A.r8H.iv7x5@example.com>
- Resent-Sender: tlug-request@example.com
- Sender: sl70@example.com
On 19-Sep-2000 Frank BENNETT wrote:
> On Tue, Sep 19, 2000 at 02:20:27AM +0900, Stephen J. Turnbull wrote:
>> >>>>> "Scott" == Scott M Stone <sstone@example.com> writes:
>>
>>     Scott> hm, an "ntpdate -d clock.nc.fukuoka-u.ac.jp" from my
>>     Scott> systems here returned " no server suitable for
>>     Scott> synchronization found "....
>>
>> Aaaaaaaaaarrrrrrrrgh!
>>
>> Hosed again by the firewall.  Thus spake Beavis:
>>
>>     In principle, UDP services cannot be used.
>>
>> NTP is a UDP client.  :-(
>
> Oh, wow.  That could be a really nasty gotcha.  Is ntpd considered a
> significant security risk?  That is, is it something that should be kept off
> of the firewall itself?  (Or is this naive -- should _everything_ be kept
> off of the firewall itself ... ?)

Here's what I was told, when I asked about the safety of opening up a port on
my firewall to permit ntp:

-----------------------------------------------------------
Theoretically there is a problem when opening the NTP server. Many of the
cryptographic systems use the system time to generate random numbers, and if
'attackers' can have access to your exact system time, they theoretically
can break your cryptographic messages, etc. I recommend closing this to the
internet, but if you don't run any PGP/GPG/SSL big programs or/and don't have
big concern about your cryptography, it's okay to leave it open.

______________________________________________________________________
Stuart Luppescu -=-=- University of Chicago
Father of 才文 and 智奈美 -=-=- s-luppescu@example.com
http://www.consortium-chicago.org/people/sl/sl.html
PGP Public Key: www.consortium-chicago.org/people/sl/pubkey.asc
ICQ #21172047 AIM: psycho7070
Overflow on /dev/null, please empty the bit bucket.
>> Sent on 19-Sep-2000 at 14:04:58 with xfmail
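
The concern relayed in the message above is about secrets derived from the system clock. The following is an added example, not part of the original message or thread: it puts a clock-seeded token generator beside an OS-CSPRNG one and runs an audit check for whether a token is reproducible from a clock value alone. All function names and the timestamp are constructed for illustration.

```python
import random
import secrets

# Constructed sample value: an arbitrary Unix timestamp used as "system time".
SAMPLE_TIME = 969_390_298


def clock_seeded_token(now: int) -> str:
    """Weak pattern: 128-bit token from a general-purpose PRNG seeded with the clock.

    The output is a pure function of `now`, so it carries at most as much
    uncertainty as the clock value itself.
    """
    rng = random.Random(now)
    return "%032x" % rng.getrandbits(128)


def csprng_token() -> str:
    """Hardened pattern: 128 bits from the operating system's CSPRNG.

    Independent of the system time, so knowing the clock reveals nothing.
    """
    return secrets.token_hex(16)


def reproducible_from_clock(token: str, approx_time: int, skew: int):
    """Audit check: can `token` be regenerated from a clock value alone?

    Tries every second in [approx_time - skew, approx_time + skew] and
    returns the matching timestamp, or None if no clock value reproduces it.
    """
    for candidate in range(approx_time - skew, approx_time + skew + 1):
        if clock_seeded_token(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    weak = clock_seeded_token(SAMPLE_TIME)
    # The auditor's own clock estimate is 37 s off; a 5-minute window still finds it.
    print("clock-seeded:", reproducible_from_clock(weak, SAMPLE_TIME + 37, 300))
    print("csprng      :", reproducible_from_clock(csprng_token(), SAMPLE_TIME, 300))
```
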
- Follow-Ups:
- Re: Network time protocol
- From: Frank BENNETT <bennett@example.com>
- Re: Network time protocol
- From: SL Baur <steve@example.com>
- References:
- Re: Network time protocol
- From: Frank BENNETT <bennett@example.com>