[ntp:questions] IA approved COTS NTP servers question

Terje Mathisen "terje.mathisen at tmsw.no" at ntp.org
Mon Jun 7 15:37:28 UTC 2010

Fran wrote:
> On Jun 4, 3:13 pm, Greg Hennessy<greg.henne... at cox.net>  wrote:
>> On 2010-06-04, Fran<fran.ho... at jhuapl.edu>  wrote:
>>> On Jun 3, 4:49 pm, Greg Hennessy<greg.henne... at cox.net>  wrote:
>>>>> Do you know of any DISA IA approved COTS NTP servers ?
>>>> Why not use tick.usno.navy.mil or tock.usno.navy.mil? Only half a
>>>> smiley.
>>> That's a funny one Greg, thanks!
>> On the serious side, if you are worried about having to follow DISA
>> STIGS, then it seems safe to assume you are on NIPR or SIPR nets, in
>> which case it is probably easier to use the USNO supplied time service
>> rather than recreating your own. If for redundancy you wish to run
>> your own NTP servers (which you should point to USNO since USNO is
>> what all DoD sources are *SUPPOSED* to be using), I'm not aware of any
>> COTS NTP servers that are DISA IA approved out of the box.
> Greg, thanks again for your help.
> We are running on a private net inside a lab, no connections outside
> of the lab. We'll run the NTP server either with a LOCAL reference
> clock driver, IRIG-B, or with GPS.
> A short email with Symmetricom said in essence: although there is no
> 'IA-mode' to put the NTP servers in, the NTP server is already running
> a limited amount of services, there are controls to further disable
> service and ports. Therefore it seems likely to me the NTP server
> could be configured as required.
> The devil is in the details however. So I would need to get funded for
> time to get smart on the applicable IA requirements, get a suitable
> COTS NTP server, configure and test it. It's likely we can get what we
> want, but it's not going to be a simple button push like the managers
> would like to hear it is.

The easiest as well as cheapest might be to take the default FreeBSD + 
Garmin GPS18 route: Total cost about $100 plus a few hours to 
build/configure it.

The FreeBSD box doesn't need any open ports at all except 123 (the NTP 
port), and you don't need any services either, so it can easily be 
locked down.

(You can consider making an exception for ssh if you must have remote 


- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"
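As an added illustration of the locked-down FreeBSD + GPS 18 box Terje describes (this is example code written for this archive page, not from the thread, from Symmetricom, or from the FreeBSD or NTP projects), the script below writes a minimal ntp.conf for the NMEA refclock with a query-only restrict policy, a pf.conf that admits nothing but udp/123 from the lab segment, and includes a small audit that parses `sockstat -4 -6 -l` output and reports any listener other than ntpd on port 123. The GPS device paths (/dev/gps0, /dev/gpspps0), the lab subnet 10.10.0.0/24, the NIC em0 and the output directory are assumptions; the sockstat sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: lock-down of a FreeBSD ntpd box with a
# Garmin GPS 18 on the serial port, plus an audit helper that flags any
# listening socket other than udp/123.
# Assumptions: GPS on /dev/gps0 with PPS on /dev/gpspps0 (symlinks you create),
# lab subnet 10.10.0.0/24, NIC em0. Configs are written under ./hardened-ntp
# for review, never straight into /etc.
set -eu

LAB_NET="10.10.0.0"; LAB_MASK="255.255.255.0"; LAB_CIDR="10.10.0.0/24"
LAB_IF="em0"
OUT="${OUT:-./hardened-ntp}"

write_configs() {
    mkdir -p "$OUT"
    # ntpd: NMEA refclock (driver 20). mode 1 = parse $GPRMC at 4800 baud,
    # flag1 1 = use the PPS signal; the default restrict answers time queries only.
    cat > "$OUT/ntp.conf" <<EOF
server 127.127.20.0 mode 1 minpoll 4 maxpoll 4 prefer
fudge  127.127.20.0 flag1 1 refid GPS
driftfile /var/db/ntpd.drift
# Default: serve time, refuse modification, peering and ntpq/ntpdc queries
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Local administration only
restrict 127.0.0.1
restrict -6 ::1
# Lab clients get time and nothing else
restrict $LAB_NET mask $LAB_MASK nomodify notrap nopeer noquery
EOF
    # pf: everything blocked except NTP from the lab segment. The commented
    # rule is the ssh exception Terje mentions, if remote admin is unavoidable.
    cat > "$OUT/pf.conf" <<EOF
lab_if  = "$LAB_IF"
lab_net = "$LAB_CIDR"
set skip on lo0
block all
pass in quick on \$lab_if proto udp from \$lab_net to (\$lab_if) port 123
# pass in quick on \$lab_if proto tcp from ADMIN_HOST to (\$lab_if) port 22
EOF
}

# Constructed sample of `sockstat -4 -6 -l` output (the real command prints the
# same columns); sshd is still up here so the audit has something to report.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ntpd     ntpd       742   20 udp4   *:123                 *:*
ntpd     ntpd       742   21 udp6   *:123                 *:*
ntpd     ntpd       742   22 udp4   127.0.0.1:123         *:*
root     sshd       651   4  tcp4   *:22                  *:*
EOF
}

# Read sockstat output on stdin; print every listener that is not udp/123.
# Exit 0 when the box is clean, 1 when something else is listening.
audit_listeners() {
    awk 'NR > 1 && ($5 !~ /^udp/ || $6 !~ /:123$/) { print; bad = 1 }
         END { exit bad ? 1 : 0 }'
}

case "${1:-}" in
    write) write_configs; echo "wrote $OUT/ntp.conf and $OUT/pf.conf" ;;
    audit) audit_listeners ;;   # usage: sockstat -4 -6 -l | sh lockdown.sh audit
    demo)  sample_sockstat | audit_listeners || echo "open ports remain" ;;
    *) ;;
esac
```

Run it with `write` to generate the two files for review, then `sockstat -4 -6 -l | sh lockdown.sh audit` on the finished box; a non-zero exit means something besides ntpd is still bound to a port. The fudge line deliberately omits a `time2` serial offset, which should only be set after measuring the box against its PPS.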
