I have a three-tier architecture (presentation, application and database). The presentation tier is located in the DMZ (demilitarized zone). The application and database tiers are located in the secured network (behind the firewall). Using a Cisco PIX Firewall as the DMZ perimeter, I can create a fundamental level of protection. The problem is that we don't have time synchronization between the servers in each tier, which causes me some problems running the application and the logging system. I would like to use NTP as an accurate timekeeping protocol. Unfortunately, I'm not sure about allowing the NTP service through my firewall's policy. From my experience, we should not allow NTP to and from a public insecure network (the Internet). One function of our system is to serve an online auction system. Our servers run on many operating systems (NT4, SunOS, HP-UX). That causes me to make time synchronization between the servers in each tier and the Internet. I just would like to know how to make it possible while providing the same level of protection. Thank you in advance.

I use two NTP servers on my internal network as Stratum 3. All my NTP needs are served from those two machines. Our sysadmin watches these servers very closely, as they are also doing other vital functions. If you don't want to sync your NTP servers across the Internet, a lot of higher-stratum NTP clocks out there have dialup numbers you can use, which ought to help on the security front.

I have set up a local time server on a secured segment behind a Cisco 535 which is synchronizing its time with an NTP server sitting outside the firewall. The servers sitting in the internal secured segments are synchronizing their time using the local time server sitting behind the firewall.

In this case you just have to open a conduit for the specific NTP server sitting on the outside to send back the NTP reply to the local time server.

You can work with the same topology, as it is working securely for me here.
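As an added illustration (not code from this thread), here is a minimal SNTP client in Python for the local time server role described above: it builds the request, validates the upstream reply before trusting it (mode, leap indicator, stratum, and that the originate timestamp echoes our own request), and computes offset and delay. The `make_reply` helper constructs a fake server reply so the checks can be exercised offline; the server address and the single UDP/123 flow are the only things the firewall conduit needs to permit.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
FMT = "!BBBb11I"  # 48-byte header: LI/VN/mode, stratum, poll, precision, then 11 32-bit words

def to_ntp(unix_ts):
    secs = int(unix_ts)
    return secs + NTP_EPOCH_OFFSET, int((unix_ts - secs) * (1 << 32))

def from_ntp(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def build_request(t1_unix):
    # first byte 0x1b = LI 0, version 3, mode 3 (client); only the transmit timestamp is set
    s, f = to_ntp(t1_unix)
    return struct.pack(FMT, 0x1B, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, s, f)

def make_reply(t1_unix, t2_unix, t3_unix, stratum=2, li=0):
    # constructed server reply (mode 4) for offline testing: echoes T1 as originate, stamps T2/T3
    first = (li << 6) | (3 << 3) | 4
    return struct.pack(FMT, first, stratum, 0, 0, 0, 0, 0, 0, 0,
                       *to_ntp(t1_unix), *to_ntp(t2_unix), *to_ntp(t3_unix))

def parse_reply(data, t1_unix, t4_unix):
    # validate the reply before using it, then compute offset/delay per RFC 4330
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(FMT, data[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3 or stratum == 0 or stratum > 15:
        raise ValueError("server unsynchronised or unusable (LI=%d, stratum=%d)" % (li, stratum))
    if (f[9], f[10]) != to_ntp(t1_unix):  # originate must echo our transmit timestamp
        raise ValueError("originate timestamp mismatch: reply does not match our request")
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1_unix) + (t3 - t4_unix)) / 2   # how far our clock is behind the server
    delay = (t4_unix - t1_unix) - (t3 - t2)          # round-trip time excluding server hold time
    return {"stratum": stratum, "offset": offset, "delay": delay}

def query(server, timeout=2.0):
    # one UDP/123 exchange with a single upstream server: the only flow the firewall needs to permit
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, 123))
        data, _ = sock.recvfrom(512)
        return parse_reply(data, t1, time.time())
```

Run `query("<upstream-ntp-server>")` from the local time server; the internal tiers should then sync from that box rather than from the Internet.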
