Time based ACL question

From: Charles Church (cchurch@wamnet.com)
Date: Sat Sep 27 2003 - 14:17:04 GMT-3


Little OT, but good practice!

I support a bank network part time that's running MS Windows 2003 servers.
The 3640 core router is an NTP master, gets its time from a couple
different internet sources, and provides time to what I thought was just all
the other Cisco devices. I didn't know they had pointed their servers to
it. Recently the router was rebooted, and until it got its correct time
(10 minutes or so), it provided 1993 time to these servers. Of course MS
doesn't follow any RFCs, and chose to use this time, rather than declare it
insane. So it had some bad effects on their Active Directory, which I guess
has a strong tie to time like NDS does. Since the 3640 has no calendar,
it's possible it can happen again. So I came up with the idea of a
time-based ACL on the router, using absolute stop and start time/date. The
idea is to not allow in any NTP with source addresses matching my internal
networks unless the time is after an arbitrary date in 2002. The router
always boots into 1993. So if I allow NTP in only from the internet until
the date is greater than 2002, I'm thinking it should work, right? How does
the time-based ACL react if the router time suddenly changes due to NTP?
Anyone ever try this before?

Thanks,

Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnet.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
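The configuration sketched in the post, written out as an added IOS example (this is not Chuck's config and not from the thread; the interface name, the internal prefix 10.0.0.0/8 and the cut-off date are assumptions). The time-range has only an absolute end, so it is active from whatever time the router has at boot (1993) until the end of 2002; while it is active, NTP requests from internal sources are dropped at the LAN interface, so Windows servers cannot obtain a 1993 timestamp. Once the router's software clock steps past the end date, the range goes inactive and the deny line stops matching:

```cisco
! Active from boot (clock reads 1993) until the cut-off date; inactive after
! the clock has been corrected. Date is an arbitrary value before "now".
time-range NTP-BOOT-WINDOW
 absolute end 23:59 31 December 2002
!
! Inbound on the LAN side: drop NTP requests from the internal networks
! only while the time-range is active, permit everything else.
! 10.0.0.0/8 stands in for the bank's internal address space (assumed).
ip access-list extended NTP-IN
 deny   udp 10.0.0.0 0.255.255.255 any eq ntp time-range NTP-BOOT-WINDOW
 permit ip any any
!
! Apply on the interface facing the Windows servers (interface name assumed).
interface FastEthernet0/0
 ip access-group NTP-IN in
```

The NTP packets the router itself sends to its internet sources leave through the WAN interface and are not affected by an inbound ACL on the LAN side, so the router still synchronises normally. The example assumes, as the post's question does, that IOS re-evaluates the time-range against the software clock after the NTP step rather than only at a fixed interval; that behaviour is the thing to verify on the 3640 (check `show time-range NTP-BOOT-WINDOW` before and after the clock moves).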




This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:38 GMT-3