[168905] in North American Network Operators' Group
Re: Need trusted NTP Sources
daemon@ATHENA.MIT.EDU (Michael DeMan)
Thu Feb 6 10:24:41 2014
From: Michael DeMan <nanog@deman.com>
In-Reply-To: <hjm8afian7skg3oj627vbbtt.1391682475089@email.android.com>
Date: Thu, 6 Feb 2014 07:24:17 -0800
To: Alexander Maassen <outsider@scarynet.org>
Cc: "nanog@nanog.org list" <nanog@nanog.org>, afnog@afnog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi Alexander,
I think you or your consultant may have an overly strict reading of the PCI documents.
Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few times...
If you have your PCI hosts directly going against ntp.org or similar, then you are not in compliance.
My understanding is that you need to:
A) Run a local set of NTP servers - these are your 'trusted' servers, under your control, properly managed/secured, fully meshed, etc.
These in turn (section 10.4.3) can get their time from 'industry-accepted time sources'.
B) The rest of your PCI infrastructure in turn uses these NTP servers and only these NTP servers.
- Michael DeMan
On Feb 6, 2014, at 2:27 AM, Alexander Maassen <outsider@scarynet.org> wrote:
> www.pool.ntp.org
>
> -------- Original message --------
> From: Notify Me <notify.sina@gmail.com>
> Date:
> To: "nanog@nanog.org list" <nanog@nanog.org>,afnog@afnog.org
> Subject: Need trusted NTP Sources
>
> Hi !
>
> I'm trying to help a company I work for to pass an audit, and we've
> been told we need trusted NTP sources (RedHat doesn't cut it). Being
> located in Nigeria, Africa, I'm not very knowledgeable about trusted
> sources therein.
>
> Please can anyone help with sources that wouldn't mind letting us sync
> from them?
>
> Thanks a lot!
>
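
A check for point B in the reply above, as an added example that is not part of the original thread: it reads an ntp.conf or chrony.conf and reports every configured time source that is not on an allowlist of internal servers. The server names and the sample configuration are constructed placeholders.

```python
# Added example: audit a host's NTP/chrony config against an allowlist.
# APPROVED holds hypothetical internal server names; replace with your own.
APPROVED = {"ntp1.corp.example", "ntp2.corp.example"}

# Directives that name a time source in ntp.conf and chrony.conf.
SOURCE_DIRECTIVES = {"server", "pool", "peer"}
COMMENT_CHARS = "#!;%"  # chrony accepts all four at line start; ntpd uses '#'

def time_sources(conf_text):
    """Return (line_no, directive, host) for each configured time source."""
    found = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in COMMENT_CHARS:
            continue
        parts = line.split("#", 1)[0].split()
        if not parts or parts[0].lower() not in SOURCE_DIRECTIVES:
            continue
        # ntpd allows an address-family flag (-4 / -6) before the host.
        args = [p for p in parts[1:] if not p.startswith("-")]
        if args:
            found.append((line_no, parts[0].lower(), args[0].lower().rstrip(".")))
    return found

def audit(conf_text, approved=APPROVED):
    """Flag sources outside the allowlist; a config with no sources also fails."""
    sources = time_sources(conf_text)
    unapproved = [s for s in sources if s[2] not in approved]
    return {"sources": sources, "unapproved": unapproved,
            "ok": bool(sources) and not unapproved}

# Constructed sample: an in-scope host that still carries a distro default pool.
SAMPLE_CLIENT = """\
# constructed sample ntp.conf for an in-scope host
driftfile /var/lib/ntp/drift
server ntp1.corp.example iburst
server -4 ntp2.corp.example iburst
pool 0.pool.ntp.org iburst  # leftover distro default
restrict default kod nomodify notrap
"""

if __name__ == "__main__":
    result = audit(SAMPLE_CLIENT)
    for line_no, directive, host in result["unapproved"]:
        print(f"line {line_no}: {directive} {host} is not an approved internal source")
    print("ok" if result["ok"] else "NOT ok")
```

The internal servers themselves (point A) are expected to list external upstream sources, so run this check against the client hosts only, or pass a separate allowlist for the servers.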