Mailing List Archive


Re: Network time protocol



>>>>> "FB" == Frank BENNETT <bennett@example.com> writes:

    FB> Oh, wow.  That could be a really nasty gotcha.  Is ntpd
    FB> considered a significant security risk?

Not that I know of.  The problem is that all UDP services are
inherently risky because each packet is independent of the others.
Hard to keep track of and hard to trace.

Since ntpd uses a privileged port, it has to run as root in normal
configuration.  I suspect you have alarm bells ringing at this
point....

    FB> That is, is it something that should be kept off of the
    FB> firewall itself?  (Or is this naive -- should _everything_ be
    FB> kept off of the firewall itself ... ?)

The latter.  The safest configuration for a firewall is a bastion host
that communicates only with routers.  The only software that the
bastion host should run is proxies for passing permissible data from
inside to outside and vice versa, logging software, and sshd for
administrators.  All traffic from outside should be routed via the
bastion host, which passes it back to the inside router.  And vice
versa.  No routes inside to outside or vice versa that don't pass
through the bastion host.  The routers shouldn't know that each other
exist.

If you must run ftpd, httpd, etc., to the rest of the world, it should
be done on a host _outside_ the firewall.  (Not on the bastion host.)

The bastion host should basically run the kernel, the proxies, and
loggers, sshd, and nothing else (especially not gcc ;-).

Extreme paranoia?  Yes.  But not all that expensive (by university
standards) as long as you don't need video rate transmission across
the firewall.

Needless to say, this is NOT how Beavis does it....

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."
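As an added example, not from the original message or its author: a small audit script in the spirit of the "kernel, proxies, loggers, sshd, and nothing else" rule above. It parses `ss -Hlntup`-style output (the sample lines are constructed) and reports every listening socket whose owning process is not on the bastion allowlist, reporting UDP listeners such as ntpd separately. The allowlist entries (squid as the proxy, rsyslogd as the logger) and the sample output are assumptions.

```python
import re
from dataclasses import dataclass

# Processes the message says a bastion host may run. Assumption: squid is the
# proxy and rsyslogd the logger; adjust to the real deployment.
BASTION_ALLOWLIST = {"sshd", "squid", "rsyslogd"}

# Constructed sample in the shape of `ss -Hlntup` (no header row) on a host
# that also runs ntpd and an ftp daemon, neither of which belongs on a bastion.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0  128  0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0  128  0.0.0.0:3128  0.0.0.0:*  users:(("squid",pid=905,fd=12))
udp   UNCONN 0  0    0.0.0.0:514   0.0.0.0:*  users:(("rsyslogd",pid=402,fd=5))
udp   UNCONN 0  0    0.0.0.0:123   0.0.0.0:*  users:(("ntpd",pid=742,fd=17))
tcp   LISTEN 0  5    0.0.0.0:21    0.0.0.0:*  users:(("vsftpd",pid=880,fd=4))
"""

# Pulls the first process name and pid out of the ss "users:((...))" column.
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp" (ss Netid column)
    local: str     # local address:port
    process: str
    pid: int


def parse_ss(text):
    """Turn ss -Hlntup lines into Listener records; lines without a process are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()  # Netid State Recv-Q Send-Q Local Peer Process
        match = PROC_RE.search(line)
        if len(fields) < 5 or not match:
            continue
        listeners.append(Listener(fields[0], fields[4], match.group(1), int(match.group(2))))
    return listeners


def audit_bastion(listeners, allowlist=BASTION_ALLOWLIST):
    """Return (kind, process, address) for every listener not on the allowlist.
    UDP services are tagged 'udp-service' (each datagram stands alone, so they
    are harder to trace); everything else is 'unexpected-service'."""
    findings = []
    for lst in listeners:
        if lst.process in allowlist:
            continue
        kind = "udp-service" if lst.proto == "udp" else "unexpected-service"
        findings.append((kind, lst.process, lst.local))
    return findings


if __name__ == "__main__":
    for kind, proc, addr in audit_bastion(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{kind}: {proc} listening on {addr}")
```

Run it against `ss -Hlntup` output captured on the real host; an empty finding list is the expected state for a bastion.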

