Slashdot Mirror

← Back to Stories (view on slashdot.org)

Time Syncing Through a Firewall Without NTP?

Posted by Cliff on from the route-around-the-problem dept.

dvdsmith asks: "Say are dealing with a Windows network that for internet access must pass through a firewall that you have no control over. Said firewall apparently blocks the known time protocols (NTP,daytime,etc) and you know from experience that those who control it will not allow any exceptions. If one sets up an internal NTP server (Windows XP or 2000 workstation) for all others to sync from, is there another reliable method for updating time on the server, like pulling from a Java website? See the time.gov website as an example. Any ideas?"

8 of 112 comments (clear)

  1. Here's what I'd do... by Anonymous Coward · · Score: 5, Insightful

    Ask the morons in charge of the firewall to please open the NTP port and take the time to explain why this is important.
    Take it up with management if said morons disagree.

    1. Re:Here's what I'd do... by Anonymous Coward · · Score: 1, Insightful

      If these IT guys are worth their salt, the must already have NTP servers inside the firewall. Why not just use those?

      Afterall, if those internal servers are not reliable, then that reflects poorly on the IT guys, which gives you even more leverage to justify removing the restriction.

    2. Re:Here's what I'd do... by ColaMan · · Score: 4, Insightful

      Get quotes for your time-sync hardware, and a *formal* quote from IT. (if no formal quote is forthcoming, keep your evidence of attempting to obtain one, and do a best-guess yourself, factoring labour/bandwidth/etc).

      Go up the chain to whoever manages both the IT and your division. Say "We need time sync for such-and-such. It's necessary."

      Give them a breakdown of costs like so:

      $x for GPS stabilised NTP appliance.
      $y for some bonehead in IT to open the port up.

      Make sure you put the expensive one first. If it costs the IT department more to poke a hole in the firewall, well, hell, you'll get a new toy to play with. But most likely management will say (paraphrased) "WTF? Bring me the head of the IT department manager, on a silver platter."

      IT departments are there to provide services for the rest of the company. That's their job. If they're not doing their job, call them on it. They're just a lead weight around the company's neck otherwise.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    3. Re:Here's what I'd do... by AndroidCat · · Score: 3, Insightful

      Slick, that turns the problem around and drops it in their lap. Providing reliable network time would certainly be their job (especially if they block access to outside servers), and it would be easy to show that it's a requirement for network operation and logging. (OP might want to jury rig something to periodically test their time for accuracy.)

      --
      One line blog. I hear that they're called Twitters now.
  2. You should use NTP by Anonymous Coward · · Score: 5, Insightful

    Correct subsecond time is important.

    If your boxes are hacked and you go into court and you can't demonstrate that your log timestamps have anything to do with reality, you might not be able to use them as evidence.

    You also would like to be able to accurately judge HTTP cache timeouts and other time-sensitive things.

    You also don't want your time to "step" (jump by more than one second) if you can help it. It screws up sensitive daemons and I've seen more than one box crash and burn and start spawning crap when the clock jumped backwards.

    Have them open up the damn firewall, set up a reliable Unix-based NTP server on the inside that syncs to something outside, and have the workstations sync up with that.

    You CANNOT tunnel NTP over SSH. NTP uses UDP.

    You also don't want to just get the time from some web page and set the clock because your clock may jump, and you don't adjust for latency correctly either (NTP is *complicated* because there are a lot of edge cases and complex concepts here). Also you'd like to be able to select from multiple sources and throw out any outliers, in case one has been hacked.

    If you can't do the sane thing, which is open up the firewall, you can just set up a local Unix NTP server and at least your boxes will all have the same time as that box, even if it's the "wrong" time.

    You can also use GPS or a dialup modem to set the time on your NTP server.

    To recap:

    1) set up a centralized NTP server
    2) sync to that NTP server
    3) if possible, sync that NTP server to another external NTP server, OR a radio or modem signal.

    It ain't rocket science folks.

    1. Re:You should use NTP by ComputerSlicer23 · · Score: 2, Insightful
      Hmmm, curious, I thought you could tunnel IP over SSH. It doesn't matter what what NTP uses as transport for it. It should tunnel. Now, it might screw up the protocol. However, the protocol should just treat the tunnel as a UDP connection with fairly odd properties.

      Kirby

  3. Re:radio by samjam · · Score: 3, Insightful

    I like this idea.

    First get a written refusal in response to a written request to open NTP on the firewall.

    Then use this to justify a hardware purchase for the clock hardware.

    Wait till bosses realise that a $500 piece of kit and a couple of days setting up could be replaced by 5 mins configuration by a dolt.

    Sam

    --
    blog.sam.liddicott.com
  4. Re:COOKING WEB SERVICES WITH ELZAR by Anonymous Coward · · Score: 2, Insightful

    Use SOAP XML bloat to get the current time? Jebus. People in this industry are utterly clueless. How about a 10-line daemon in C that sends the current time as a 64-bit value when you connect to it?? Or can't people program any more unless they use SOAP and PHP???