cyrus@convex.com (Tait Cyrus) (01/15/91)
I am trying to set up NTP (xntp specifically) on 20 or so machines and am having problems with the 'filtering' that is being done between me and the Internet. The answers to these questions will be provided to the maintainers of the gateway between me and the Internet in an attempt to provide them with enough information that they will disable the 'filtering' of NTP packets. 1) Which vendors are currently supporting NTP as a vendor released product (I only know of DEC)? 2) Which vendors have "plans" of supporting NTP as a vendor release product in the next release of their OS? 3) Have there been ANY instances/examples/rumors/etc of NTP being used to break into a machine (like fingerd was used by the Morris worm)? 4) How 'secure' is NTP from external threat? 5) How many vendors are running NTP internally (even though they don't support NTP as a product)? Thanks in advance --- W. Tait Cyrus Software Engineer Convex Computer Corporation cyrus@convex.com 2075 Research Parkway Suite B 719-594-4900 Colorado Springs, CO 80920
dl2n+@ANDREW.CMU.EDU (Daniel Edward Lovinger) (01/15/91)
convex!cyrus%convex.com@uunet.uu.net (Tait Cyrus) writes: > 1) Which vendors are currently supporting NTP as a vendor > released product (I only know of DEC)? NeXT ships ntp with OS 2.0 (it's in /usr/etc). There are hooks inside of the Preferences app to use it for timekeeping. dan lovinger
wunder@HPSDEL.SDE.HP.COM (Walter Underwood) (01/15/91)
1) Which vendors are currently supporting NTP as a vendor released product (I only know of DEC)? HP does not, but the HP port was done at HP. 2) Which vendors have "plans" of supporting NTP as a vendor release product in the next release of their OS? NTP is not in HP-UX 8.0, which is the "next release." I would guess that whenever we support a time syncronization system it will be DECdns, which is part of OSF DCE. Of course, I'm not in the relevant divisions, or an official spokeperson. 3) Have there been ANY instances/examples/rumors/etc of NTP being used to break into a machine (like fingerd was used by the Morris worm)? We haven't noticed any here. 4) How 'secure' is NTP from external threat? If only does what is in the spec, quite secure. If it is busted, who knows. The truely paranoid might want to see if it works in its own little chroot() prison, since it runs as "root". That would really limit the damage that an NTP break-in could do. 5) How many vendors are running NTP internally (even though they don't support NTP as a product)? HP has quite a few machines running NTP, and we do run NTP with external machines. One additional comment -- in our security policy, when we secure a service the first thing that we look at is whether there is sensitive information accessible via that service. We've decided that the current time and the paramaters of our clock are not sensitive information, so we don't have access control on NTP. OK, one more -- I don't think that we are very vulnerable to a denial of service attack from malicious clocks, partly because all of our primaries would need to conspire against us, and partly because our time-dependent services rely more on syncronization betwen hosts than on absolute time. So if all the hosts are an hour off from UTC, but still sync'ed to 10 ms between each other, all our services still work correctly. Authentication (and "time treaties" with our primaries) would really reduce this risk. Anybody want to re-write NTP in GYPSY and verify it? Or is verification still dead? wunder
Mills@udel.edu (01/15/91)
Tait, So far as I know, and I don't really know a heck of a lot, DEC is supporting NTP (ntp.3.4) and Sun has announced plans to put it in their next release. A whole bunch of folk are running NTP internally on lots of machines, including DEC, Sun and HP. I know of only one organization (I would rather not say which one, but it is a major corporation) running NTP internally and with a filtering gateway to the Internet. The filter allows NTP to pass, but disallows other leaks. It is hard to imagine a security problem with NTP access, unless you count denial of service (e.g., flooding). There are no commands allowing access to the shell or any other power program. In addition, access can be protected using cryptographic authentication features of xntpd, if it comes to that. A reasonable analysis would probably conclude you are in more danger from destabilized clocks due broken servers than are you in danger from a worm infestation. Dave
Mills@udel.edu (01/16/91)
Walter & Co., Matt Bishop of the Privacy and Security Task Force did an analysis of NTP vulnerability. His document (in PostScript) and my response (in ASCII) can be found on louie.udel.edu as the files pub/ntp/bishop.ps and pub/ntp/bishop.txt respectively. If interested, I can provide electric mail transcripts of discussions between OSF, DEC and I about DTS, NTP and related issues. Since these were informal and unedited, I would rather not distribute them on other than a need-to-know basis, even though they were most productive for all parties involved and led to major improvements in both protocols. Dave