I have three tiers architecture (presentation, application and database). Presentation tier is located at DMZ (demilitarized zone). Application and Database tiers are located in secured network (behind firewall). Using Cisco PIX Firewall as DMZ perimeter, I can create fundamental level of protection. The problem is that we don't have time synchronization between servers in each tiers which cause me some problem running application and logging system. I would like to
use NTP as an accurate timekeeping protocol. Unfortunately, I'm not sure allowing NTP service thru my firewall's policy. From my experience, we should not allow NTP to and from public insecure network (Internet). One function of our system is to serve online auction system. Our servers operate on many operating systems (NT4, SunOS, HP-UX). That causes me the make time synchronization between servers in each tiers and the Internet. I just would like to know how to make it possible while providing same level of protection. Thank you in advance.
I use two NTP servers on my internal network as Stratum 3. All my NTP needs are served from those two machines. Our sysadmin watches these servers very closely, as they are also doing other vital functions as well. If you don't want to sync your NTP servers across the internet, alot of higher stratum NTP clocks out there have dialup numbers you can use, which ought to help on the security front.
I have set up a local time server on a secured segment behind a Cisco 535 which is synchronizing its' time with an ntp server sitting outside the firewall.The servers sitting in the internal secured segments are synchronizing their time using the local time server sitting behind the firewall.
In this case you just have to open a conduit for the specific ntp server sitting on the outside to send back the ntp reply to the local time server.
You can work with the same toplogy as it is working securely for me here.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :