Slashdot Mirror


Time Syncing Through a Firewall Without NTP?

dvdsmith asks: "Say you are dealing with a Windows network that for internet access must pass through a firewall that you have no control over. Said firewall apparently blocks the known time protocols (NTP, daytime, etc.) and you know from experience that those who control it will not allow any exceptions. If one sets up an internal NTP server (Windows XP or 2000 workstation) for all others to sync from, is there another reliable method for updating time on the server, like pulling from a Java website? See the time.gov website as an example. Any ideas?"

22 of 112 comments

  1. COOKING WEB SERVICES WITH ELZAR by captnitro · · Score: 5, Funny

    Of course, your most important ingredient is this baby right here: the external web service. You can get it in a can but to really do things right, you gotta strangle yourself a fresh one.

    We're going to sync with our outside web service using a simple SOAP client, written in whatever language you prefer, and setting the time. (Your users will get their time from you via NTP still, of course.) This isn't required, but for that fresh BAM! taste, it's recommended. Mind the delay calculations if you're writing the client side of it yourself, the WWWait will have a little bit more effect here depending on your setup. If you want to make it quick and dirty, there's no reason to go through the SOAP/WSDL hoops, the point is having it on a known port and piggybacking across HTTP's fame and success, and then sleeping with its girlfriend, and stealing her wallet on the way out. BAM!

    1. Re:COOKING WEB SERVICES WITH ELZAR by Anonymous Coward · · Score: 2, Insightful

      Use SOAP XML bloat to get the current time? Jebus. People in this industry are utterly clueless. How about a 10-line daemon in C that sends the current time as a 64-bit value when you connect to it?? Or can't people program any more unless they use SOAP and PHP???

  2. Here's what I'd do... by Anonymous Coward · · Score: 5, Insightful

    Ask the morons in charge of the firewall to please open the NTP port and take the time to explain why this is important.
    Take it up with management if said morons disagree.

    1. Re:Here's what I'd do... by ColaMan · · Score: 4, Insightful

      Get quotes for your time-sync hardware, and a *formal* quote from IT. (if no formal quote is forthcoming, keep your evidence of attempting to obtain one, and do a best-guess yourself, factoring labour/bandwidth/etc).

      Go up the chain to whoever manages both the IT and your division. Say "We need time sync for such-and-such. It's necessary."

      Give them a breakdown of costs like so:

      $x for GPS stabilised NTP appliance.
      $y for some bonehead in IT to open the port up.

      Make sure you put the expensive one first. If it costs the IT department more to poke a hole in the firewall, well, hell, you'll get a new toy to play with. But most likely management will say (paraphrased) "WTF? Bring me the head of the IT department manager, on a silver platter."

      IT departments are there to provide services for the rest of the company. That's their job. If they're not doing their job, call them on it. They're just a lead weight around the company's neck otherwise.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.

    2. Re:Here's what I'd do... by secolactico · · Score: 3, Informative

      Give them a breakdown of costs like so:

      $x for GPS stabilised NTP appliance.
      $y for some bonehead in IT to open the port up.


      And don't forget to include installation costs in the breakdown. Depending on your building infrastructure, you might have to run wiring for an external GPS antenna, plus related costs of mounting outdoor equipment, which will probably be done by the maintenance people or subcontracted.


    3. Re:Here's what I'd do... by AndroidCat · · Score: 3, Insightful

      Slick, that turns the problem around and drops it in their lap. Providing reliable network time would certainly be their job (especially if they block access to outside servers), and it would be easy to show that it's a requirement for network operation and logging. (OP might want to jury rig something to periodically test their time for accuracy.)

      --
      One line blog. I hear that they're called Twitters now.

  3. Tunnel. by SharpFang · · Score: 5, Informative

    Set up a host outside the firewall, and tunnel the NTP data over some "allowed" port, so it gets through. Or set it up as NTP server on non-standard port (80?) outside the firewall.
    If you want precise measurement, this is the way to go. NTP software will correct the latency errors, no matter if you have a direct connection or if it goes through tunnels around the globe, so you have precise time. But if you go for methods like reading the time from a website applet, all the network latency problems get completely neglected and just add up to the error of the internal server. You could just as well sync it to your hand watch instead.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2

  4. radio by Fëanáro · · Score: 4, Interesting

    you could build a device that gets the time via radio (LINK) or buy one that does this (like a gps receiver?).

    or if any UDP port is open in the firewall, set up an NTP server outside that answers on that port

    1. Re:radio by samjam · · Score: 3, Insightful

      I like this idea.

      First get a written refusal in response to a written request to open NTP on the firewall.

      Then use this to justify a hardware purchase for the clock hardware.

      Wait till bosses realise that a $500 piece of kit and a couple of days setting up could be replaced by 5 mins configuration by a dolt.

      Sam

  5. Re:too easy by Anonymous Coward · · Score: 2, Interesting

    Just write a batch file or shell script to get the time from any website that shows the current time of refresh on a page.

    How about
    $ wget --spider -S $WEBSITE 2>&1 | grep -i 'date:'
    No need to parse the HTML, just use standard HTTP headers.

  6. Two completely untested suggestions by moreati · · Score: 3, Informative

    1. Hook up a GPS receiver directly, via the USB/serial port, use whatever software to interface

    2. Use HTP: HTTP Time Protocol

  7. You should use NTP by Anonymous Coward · · Score: 5, Insightful

    Correct subsecond time is important.

    If your boxes are hacked and you go into court and you can't demonstrate that your log timestamps have anything to do with reality, you might not be able to use them as evidence.

    You also would like to be able to accurately judge HTTP cache timeouts and other time-sensitive things.

    You also don't want your time to "step" (jump by more than one second) if you can help it. It screws up sensitive daemons and I've seen more than one box crash and burn and start spawning crap when the clock jumped backwards.

    Have them open up the damn firewall, set up a reliable Unix-based NTP server on the inside that syncs to something outside, and have the workstations sync up with that.

    You CANNOT tunnel NTP over SSH. NTP uses UDP.

    You also don't want to just get the time from some web page and set the clock because your clock may jump, and you don't adjust for latency correctly either (NTP is *complicated* because there are a lot of edge cases and complex concepts here). Also you'd like to be able to select from multiple sources and throw out any outliers, in case one has been hacked.

    If you can't do the sane thing, which is open up the firewall, you can just set up a local Unix NTP server and at least your boxes will all have the same time as that box, even if it's the "wrong" time.

    You can also use GPS or a dialup modem to set the time on your NTP server.

    To recap:

    1) set up a centralized NTP server
    2) sync to that NTP server
    3) if possible, sync that NTP server to another external NTP server, OR a radio or modem signal.

    It ain't rocket science folks.

    1. Re:You should use NTP by ComputerSlicer23 · · Score: 2, Insightful

      Hmmm, curious, I thought you could tunnel IP over SSH. It doesn't matter what NTP uses as transport for it. It should tunnel. Now, it might screw up the protocol. However, the protocol should just treat the tunnel as a UDP connection with fairly odd properties.

      Kirby

    2. Re:You should use NTP by ComputerSlicer23 · · Score: 2, Informative

      You really shouldn't be so absolute about those things. I've done IP over ssh, which means you can do ICMP, UDP, and TCP over it. Not using ssh and port forwarding, but using ssh, pppd, it can be done. You create a pppd device that is attached to a terminal, the terminal gets created by sshd. You do all the same things at the other end. It's a bit more work on both ends to accomplish it, but anywhere you can do ssh port forwarding, you should be able to tunnel PPP over SSH.

      It's standard and fairly simple. You can read about it here

      As to why UDP is used, it has nothing to do with "faster". The protocol is designed to use UDP, because it's connectionless, it has lower latency, and the TCP connection encapsulates a lot of the properties that NTP measures to correct for latency and transmission delay. If a packet gets dropped via UDP, NTP can compensate for that, with TCP it's much harder. If a packet gets dropped, retransmitting the same one again is stupid (that's what TCP would do), you should transmit a new one with a new timestamp (you can do this via UDP).

      Kirby

  8. "Atomic Clock" card by SA+Stevens · · Score: 5, Informative

    You can run a local NTP server, and install an 'Atomic Clock' receiver in it, on a Card. Basically it's a 10 MHz WWV receiver that decodes the time info and reads it into the PC. They've been around a long time.

  9. Synced with what? by spaceyhackerlady · · Score: 3, Interesting

    Do the systems need to be synced to the outside world, or merely consistent with each other?

    If the silly firewall people won't help you (you might remind them that you do in fact work for the same company...), you need to set up your own NTP server. Either a real one with a GPS receiver, or a pretend one that everybody can follow and have the same time, regardless of what that time actually is (see initial question).

    The occasional phone call to the NIST's dialup time server might be useful too.

    ...laura

  10. Re:too easy by vadim_t · · Score: 2, Informative

    BAD idea! Don't do that!

    Think of it for a while. The HTTP server takes its local date, writes it into a socket, and sends it to you. By the time you get it, the time will have changed. If your time was actually right, it'll go like this:

    You (10:00:00): HTTP request
    Server (10:00:01): Sends date
    You: (10:00:02): Date received, set

    And here you set the date backwards in time, which is definitely going to cause problems.
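    An added example (mine, not any commenter's) of what the `wget --spider -S` one-liner in comment 5 leaves out and what comments 7 and 10 object to: rather than setting the clock to whatever Date: value arrives, it timestamps the request and the reply locally, applies NTP's symmetric-delay offset formula, and then refuses to act inside the error bar and never steps the clock for a bounded error. The host, path and sample timestamps are assumptions; the 1000 s constant is ntpd's default panic threshold.

```python
import http.client
import time
from datetime import timezone
from email.utils import parsedate_to_datetime

PANIC = 1000.0  # seconds; ntpd's default panic threshold, beyond which it refuses to adjust


def estimate_offset(t1, date_header, t4):
    """Return (offset, delay, uncertainty) in seconds.
    t1, t4: local Unix time when the request was sent / the reply arrived.
    date_header: raw HTTP 'Date:' value (RFC 7231 IMF-fixdate, always GMT)."""
    server = parsedate_to_datetime(date_header)
    if server.tzinfo is None:           # '-0000' parses as naive; treat as UTC
        server = server.replace(tzinfo=timezone.utc)
    t_srv = server.timestamp()
    delay = t4 - t1
    # NTP's clock-offset formula, offset = ((t2 - t1) + (t3 - t4)) / 2, with
    # t2 == t3 because the server stamps the reply once. Unlike "set the clock
    # to what arrived", this assumes a symmetric path instead of zero delay.
    offset = ((t_srv - t1) + (t_srv - t4)) / 2
    # Date: has 1 s resolution, and path asymmetry can hide up to delay / 2.
    uncertainty = 1.0 + delay / 2
    return offset, delay, uncertainty


def decide(offset, uncertainty):
    """'ignore' inside the error bar, 'slew' for a real but bounded error
    (never a backward step, which is what the thread warns about), and
    'step' only for gross errors that need an operator anyway."""
    if abs(offset) <= uncertainty:
        return "ignore"
    if abs(offset) < PANIC:
        return "slew"
    return "step"


def probe(host, path="/", port=80):
    """Timed HEAD request: what `wget --spider -S` does, plus the send and
    receive timestamps the correction above needs (host is an assumption)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    t1 = time.time()
    conn.request("HEAD", path)
    resp = conn.getresponse()
    t4 = time.time()
    conn.close()
    date = resp.getheader("Date")
    if date is None:
        raise ValueError("no Date header from %s" % host)
    return estimate_offset(t1, date, t4)
```

With the exchange from comment 10 (sent 10:00:00, stamped 10:00:01, received 10:00:02) the computed offset is 0 with a 2 s error bar, so the correct action is to leave the clock alone rather than set it back.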

  11. Use a cheap GPS by Telecommando · · Score: 2, Informative

    Buy a Delorme Tripmate on eBay. Buy or build a power/serial cable. Connect pins 2&3 on the serial port so the Tripmate will self start. Parse the ASCII strings sent by the Tripmate. The string you need looks like this:

    $GPRMC,HHMMSS,A,LATITUDE,N/S,LONGITUDE,E/W,SPEED,DIRECTION,DDMMYY,MAGNETIC,E/W*CHECKSUM

    A search on Google for "Delorme Tripmate" and/or "NMEA-0183" should turn up plenty of info.

    I use a Tripmate in my car connected to a Microchip PIC and an LCD to display time, date, location, speed and direction.

    --
    Beta sux! Join the Slashcott! http://hardware.slashdot.org/comments.pl?sid=4760465&cid=46173047
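  An added example (mine, not the poster's) of parsing the string laid out above: it checks the NMEA-0183 XOR checksum, refuses the time whenever the receiver flags the fix invalid (status V instead of A), and returns the UTC fix time and the local clock's offset from it. The sample sentence is the widely published NMEA example; reading the serial port is left out.

```python
import re
from datetime import datetime, timezone

# Sample RMC sentence (the widely published NMEA-0183 example, 19 Nov 1994,
# 22:54:46 UTC); its field layout is the one quoted in the post.
SAMPLE = "$GPRMC,225446,A,4916.45,N,12311.12,W,000.5,054.7,191194,020.3,E*68"


def nmea_checksum(body):
    """XOR of every byte between '$' and '*', as NMEA-0183 defines it."""
    cs = 0
    for b in body.encode("ascii"):
        cs ^= b
    return cs


def make_sentence(body):
    """Wrap a body such as 'GPRMC,...' in '$' and its '*HH' checksum."""
    return "$%s*%02X" % (body, nmea_checksum(body))


def parse_gprmc(sentence):
    """Return the fix time as an aware UTC datetime, or None when the sentence
    is malformed, the checksum does not match, or the receiver reports the fix
    as invalid (status 'V'): a receiver without a fix still emits a time, but
    it may be its own free-running guess and must not be used."""
    m = re.fullmatch(r"\$((?:GP|GN)RMC,[^*]*)\*([0-9A-Fa-f]{2})\r?\n?", sentence)
    if m is None or nmea_checksum(m.group(1)) != int(m.group(2), 16):
        return None
    fields = m.group(1).split(",")       # fields[0] is 'GPRMC'
    if len(fields) < 10 or fields[2] != "A":
        return None
    hhmmss, ddmmyy = fields[1].split(".")[0], fields[9]   # some units add .sss
    try:
        fix = datetime.strptime(hhmmss + ddmmyy, "%H%M%S%d%m%y")
    except ValueError:
        return None
    return fix.replace(tzinfo=timezone.utc)


def clock_offset(sentence, local_unix_time):
    """Seconds the local clock is behind (+) or ahead (-) of the GPS fix,
    or None when the sentence yields no trustworthy time."""
    fix = parse_gprmc(sentence)
    return None if fix is None else fix.timestamp() - local_unix_time
```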

  12. Ask for an NTP source by ken95357 · · Score: 2, Interesting

    Why not ask the firewall people if they have an NTP source you can use? If they don't, ask them to set one up for you that way they don't have to open their firewalls to your NTP needs.

  13. TV tuner card by Hangeron · · Score: 2, Interesting

    I have a cheap Hauppauge WinTV card and I sometimes use alevt-date in Linux to set the clock. I've set up a script that sets clocks on 3 other computers as well through ssh.

  14. Is the router an NTP server? by Webmoth · · Score: 2, Informative

    Have you checked the obvious? Many routers and firewalls also serve NTP. Try polling NTP on the firewall. It just might work.

    If that doesn't work, try polling the local router. Try polling a remote router that's still inside the firewall.

    A customer of mine has several sites, and the sites are linked through frame relay (or is it T-1?). The firewall blocks port 123, so NTP with the outside world is (generally) out of the question. However, the frame provider is MCI, who also happens to manage the routers for the customer, and the routers poll NTP from MCI's network, and serve NTP to the local network. Rather handy.

    --
    Give me my freedom, and I'll take care of my own security, thank you.

  15. Hardware boxes by wcdw · · Score: 2, Interesting

    This is not what the submitter wanted to know. However, for all of you who have proposed hardware GPS-based solutions, you might want to note that there are also companies making similar hardware which get their time signal from the CDMA cellphone signals.

    CDMA in turn gets its time from GPS, but is far easier to receive in most locations - no need to run an antenna cable up to the roof. They also tend to be cheaper.

    --
    If you're not living on the edge, you're just taking up space!