[ntp:questions] IA approved COTS NTP servers question

Joseph Gwinn joegwinn at comcast.net
Thu Jun 10 13:08:32 UTC 2010

In article <62b84ad9-7d4c-4074-960e-aae4ef826f2c at u7g2000yqm.googlegroups.com>,
 Fran <fran.horan at jhuapl.edu> wrote:

> On Jun 4, 3:13 pm, Greg Hennessy <greg.henne... at cox.net> wrote:
> > On 2010-06-04, Fran <fran.ho... at jhuapl.edu> wrote:
> >
> > > On Jun 3, 4:49 pm, Greg Hennessy <greg.henne... at cox.net> wrote:
> > >> > Do you know of any DISA IA approved COTS NTP servers ?
> >
> > >> Why not use tick.usno.navy.mil or tock.usno.navy.mil? Only half a
> > >> smiley.
> >
> > > That's a funny one Greg, thanks!
> >
> > On the serious side, if you are worried about having to follow DISA
> > STIGS, then it seems safe to assume you are on NIPR or SIPR nets, in
> > which case it is probably easier to use the USNO supplied time service
> > rather than recreating your own. If for redundancy you wish to run
> > your own NTP servers (which you should point to USNO since USNO is
> > what all DoD sources are *SUPPOSED* to be using), I'm not aware of any
> > COTS NTP servers that are DISA IA approved out of the box.
> Greg, thanks again for your help.
> We are running on a private net inside a lab, no connections outside
> of the lab. We'll run the NTP server either with a LOCAL reference
> clock driver, IRIG-B, or with GPS.

GPS would be the simplest solution, and there are many classified networks with 
GPS timeservers, so there is ample precedent.  For IA, the key is that a GPS 
receiver does not connect in any way to the internet, so there is no way for 
someone to hack in via the GPS receiver.  The fact that GPS is a DoD system 
doesn't hurt either.

> A short email with Symmetricom said in essence: although there is no
> 'IA-mode' to put the NTP servers in, the NTP server is already running
> a limited amount of services, there are controls to further disable
> service and ports. Therefore it seems likely to me the NTP server
> could be configured as required.
> The devil is in the details however. So I would need to get funded for
> time to get smart on the applicable IA requirements, get a suitable
> COTS NTP server, configure and test it. It's likely we can get what we
> want, but it's not going to be a simple button push like the managers
> would like to hear it is.

Lots of things on networks lack anything resembling "IA mode" (whatever that 
is), and yet life goes on.

Joe Gwinn
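For readers who want to see what the configuration Fran describes looks like in practice, here is an added example (not from this thread, and not any vendor's shipped configuration) of a reference ntpd `ntp.conf` for a GPS-disciplined server on an isolated lab network with the unneeded NTP services switched off. It assumes an NMEA GPS on /dev/gps0 with a PPS pulse on /dev/pps0 (driver 20 and driver 22), a lab subnet of 10.10.0.0/24, and a serial-line offset of 0.350 s; all of these are placeholders to be replaced with measured local values.

```conf
# /etc/ntp.conf -- isolated lab stratum-1 server (added example, not vendor config)
# Assumed hardware: NMEA GPS on /dev/gps0, PPS pulse on /dev/pps0 (placeholders).
# No "server <host>" lines at all: nothing outside the lab is ever polled.

driftfile /var/lib/ntp/ntp.drift

# GPS NMEA reference clock (driver 20): mode 1 selects the $GPRMC sentence.
# time2 is the serial-line offset in seconds; 0.350 is a placeholder that
# must be measured locally against the PPS edge.
server 127.127.20.0 mode 1 minpoll 4 maxpoll 4 prefer
fudge  127.127.20.0 time2 0.350 refid GPS

# PPS reference clock (driver 22): flag3 1 hands the pulse to the kernel PPS
# discipline. It needs the "prefer" peer above to number the seconds.
server 127.127.22.0 minpoll 4 maxpoll 4
fudge  127.127.22.0 flag3 1 refid PPS

# Deliberately NOT configured: "server 127.127.1.0" (the LOCAL driver).
# Alongside GPS it keeps serving time after the antenna or receiver fails
# and hides the outage from clients; with GPS present it only adds risk.

# Weak default that many appliance images ship with (left commented out):
# restrict default
#
# Hardened default: ignore every packet, then open only what the lab needs.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
# Lab clients may request time and nothing else: no mode 6/7 queries
# (noquery), no runtime reconfiguration (nomodify), no symmetric peering
# (nopeer), no control-message traps (notrap).
restrict 10.10.0.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery

# Disable the mode-7 monitor list; it is not needed and is the classic
# amplification vector if noquery were ever loosened.
disable monitor
```

After loading this, `ntpq -p` run locally should show the GPS and PPS lines with a `*` or `o` tally mark, while the same query from a lab client is refused, which is the observable check that `noquery` is in effect.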
