Ironport time keeping

Jul 29th, 2008

Hi,

I have only recently noticed our Ironport devices are several minutes out of sync with the atomic clock. After investigating the issue I found that although they are pointed to the time.ironport.com NTP server, our firewall is currently blocking this traffic.

Before making any firewall changes, I was wondering whether there are any big concerns or security vulnerabilities I should know about in allowing this kind of traffic through UDP port 123 on our firewall? Or is it recommended to just set the time manually?

Any advice/information would be much appreciated

Thanks

Simon

kluu_ironport Tue, 07/29/2008 - 19:31

It is perfectly safe to enable port 123 on the firewall to allow the IronPort appliance to reach that timeserver. If you are concerned, see if the firewall can restrict what IP addresses can connect through that port.

You may also see if you have an available timeserver in house that you can point the IronPort appliance to.

cbireland_ironport Fri, 08/15/2008 - 11:12

Thanks for the reply kluu.

In relation to synchronising with an internal time server, I have a few questions if you don't mind.

- I don't currently have a time server on the network; is it easy to set one up? Can I add some sort of NTP utility to a current server?

- Is it possible to set Ironport to simply synchronise with a standard server, e.g. my file server, by putting the FQDN into the NTP server list in the Ironport time settings?

Thanks for your help and advice on this

Simon

vkoutsou_ironport Fri, 08/15/2008 - 14:12

Simon, you can set up an NTP server either on a dedicated or an existing server in your environment. You can download the necessary software depending on the operating system you are using. This server will have to synchronize with an external NTP server, so opening port 123 will be needed, depending always on your network topology. The remaining servers in your environment can use this one for synchronization.

Pointing your Ironport appliance's NTP settings to an existing server that is not configured to be an NTP server will unfortunately not work.

cbireland_ironport Fri, 08/15/2008 - 14:35

Thanks vkoutsou, I think I'll just go with plan A and point Ironport straight out to time.ironport.com and open up the ports on the firewall.

rngai_ironport Tue, 10/13/2009 - 05:04

Sorry to bring up an old post, but is there any way we can verify from Ironport that NTP sync is working? Like on a router, where we can check the NTP association status.

Telnet to the NTP server via port 123 won't work because telnet is not UDP.

Rayman_Jr Tue, 10/13/2009 - 11:42

Hi rngai,

You can find a special "NTP Logs" log type in your appliance log configuration. Enable that log type and you will have not only a status but also a history of NTP syncs.

steven_geerts Fri, 10/30/2009 - 22:29

I'm not really an NTP specialist, but I was told you must make sure you check at least 3 remote NTP systems to get reliable timekeeping on your system. Only checking "time.ironport.com" does not seem to be enough for that. ;-) … so what now?

Is there any NTP guru around that can clear this up?

Steven
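Two questions in this thread, rngai's "how do I verify that NTP sync is actually working?" and Steven's "is one source enough?", come down to the same arithmetic an NTP client performs. The script below is an added example written for this page, not code from the thread or from Cisco/IronPort: it decodes an RFC 5905 server response, computes the clock offset and round-trip delay from the four timestamps, and refuses to trust an offset unless at least three independent sources agree on it within half a second (both thresholds are assumptions chosen for illustration). The packets and the hostnames (`ntp-a.example` and so on) are constructed inline so the check runs offline; a real client would obtain the bytes from a UDP/123 exchange and the local send and receive times from its own clock.

```python
"""Offline NTP (RFC 5905) sanity check: decode a server response, compute the
clock offset from the four timestamps, and only trust an offset that several
independent sources agree on. Packets below are constructed, not captured."""
import struct
from statistics import median

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def ntp_to_unix(seconds: int, fraction: int) -> float:
    """Convert a 64-bit NTP timestamp (32-bit seconds + 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32

def unix_to_ntp(t: float) -> tuple:
    """Inverse of ntp_to_unix; used here only to build the constructed packets."""
    whole = int(t)
    return whole + NTP_EPOCH_OFFSET, int((t - whole) * 2 ** 32)

def parse_ntp_response(data: bytes) -> dict:
    """Decode the 48-byte NTP header and reject packets the server itself marks
    as untrustworthy (unsynchronized leap indicator, Kiss-o'-Death, bad stratum)."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    li_vn_mode, stratum = struct.unpack("!BB", data[:2])
    leap, version, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 0x7, li_vn_mode & 0x7
    if mode != 4:
        raise ValueError(f"expected server mode 4, got mode {mode}")
    if leap == 3:
        raise ValueError("server reports its clock is unsynchronized (LI=3)")
    if stratum == 0 or stratum > 15:
        raise ValueError(f"unusable stratum {stratum} (0 = Kiss-o'-Death, 16+ = unsynchronized)")
    f = struct.unpack("!8I", data[16:48])
    return {
        "version": version,
        "stratum": stratum,
        "reference": ntp_to_unix(f[0], f[1]),
        "t1": ntp_to_unix(f[2], f[3]),  # originate: when the client sent the request
        "t2": ntp_to_unix(f[4], f[5]),  # receive: when the server got it
        "t3": ntp_to_unix(f[6], f[7]),  # transmit: when the server replied
    }

def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """RFC 5905 offset theta = ((t2 - t1) + (t3 - t4)) / 2; positive means the local clock is behind."""
    return ((t2 - t1) + (t3 - t4)) / 2

def round_trip_delay(t1: float, t2: float, t3: float, t4: float) -> float:
    """RFC 5905 delay delta = (t4 - t1) - (t3 - t2): time on the wire, excluding server processing."""
    return (t4 - t1) - (t3 - t2)

def build_sample_response(t1: float, t2: float, t3: float, stratum: int = 2, leap: int = 0) -> bytes:
    """Construct an NTPv4 server-mode (mode 4) response for offline testing."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)  # LI/VN/mode, stratum, poll, precision
    header += struct.pack("!II4s", 0, 0, b"GPS\x00")            # root delay, root dispersion, ref id
    body = struct.pack("!2I", *unix_to_ntp(t2 - 1))            # reference: last sync, one second earlier
    for t in (t1, t2, t3):
        body += struct.pack("!2I", *unix_to_ntp(t))
    return header + body

def agreed_offset(offsets: dict, min_sources: int = 3, max_spread: float = 0.5) -> tuple:
    """Keep sources within max_spread seconds of the median and require at least
    min_sources of them; returns (trusted offset, names of rejected sources)."""
    if len(offsets) < min_sources:
        raise ValueError(f"need at least {min_sources} sources, have {len(offsets)}")
    mid = median(offsets.values())
    agreeing = {n: o for n, o in offsets.items() if abs(o - mid) <= max_spread}
    if len(agreeing) < min_sources:
        raise ValueError(f"only {len(agreeing)} sources agree: {sorted(agreeing)}")
    return median(agreeing.values()), sorted(set(offsets) - set(agreeing))

def check_sources(samples: dict) -> tuple:
    """samples: name -> (raw response bytes, local receive time t4)."""
    offsets = {}
    for name, (raw, t4) in samples.items():
        p = parse_ntp_response(raw)
        offsets[name] = clock_offset(p["t1"], p["t2"], p["t3"], t4)
    return agreed_offset(offsets)

# Constructed sample (placeholder hostnames): three sources agree the local clock
# is about 120 s behind, the "several minutes out" from the question; a fourth
# is wildly off and gets rejected rather than dragging the result with it.
T1, T4 = 1000.0, 1000.5  # local send and receive times, read from the local clock
SAMPLE_RESPONSES = {
    "ntp-a.example": (build_sample_response(T1, 1120.25, 1120.25), T4),
    "ntp-b.example": (build_sample_response(T1, 1120.30, 1120.30), T4),
    "ntp-c.example": (build_sample_response(T1, 1120.20, 1120.20), T4),
    "ntp-bad.example": (build_sample_response(T1, 1700.0, 1700.0), T4),
}

if __name__ == "__main__":
    offset, rejected = check_sources(SAMPLE_RESPONSES)
    print(f"trusted offset {offset:+.3f} s, rejected sources: {rejected}")
```

The agreement step is the point of Steven's "at least three" rule: with a single upstream server there is nothing to compare against, so a server that is itself wrong, or a reply that was tampered with on the way in (NTP over UDP/123 is unauthenticated unless you deploy NTP authentication or NTS), is accepted silently. With several sources the odd one out is visible and can be logged, which is the kind of evidence the appliance's "NTP Logs" give you on the IronPort side.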

mychrislo_ironport Sat, 10/31/2009 - 02:55

Each local country usually has a time server, and most governments maintain one (?).

There are open resources:

http://www.pool.ntp.org/en/

but we maintain our own inside the perimeter and it syncs to our government server.

If you are really serious, there are GPS-based time servers: hardware you put outside the building, and you get the time via the NTP protocol over the LAN wire. Not too expensive.
