Reasons why a Network Time Server inside your firewall is the best choice.
The Problem
Electronic clocks in most servers, workstations and networking devices keep inaccurate time.Ìý Most of these clocks are set by hand to within a minute or two of actual time and are rarely checked after that.Ìý Many of these clocks are maintained by a battery-backed, clock-calendar device that may drift as much as a second per day.Ìý Having any sort of meaningful time synchronization is almost impossible if such clocks are allowed to run on their own.Ìý In modern computer networks time synchronization is critical and here's why:
To reduce confusion in shared filesystems, it is crucial for the modification times to be consistent, regardless of what machine the filesystems are on.
Billing services and similar applications must know the time accurately.
Some financial services require highly accurate timekeeping by law.
Sorting email and other network communications can be difficult if timestamps are incorrect.
Tracking security breaches, network usage, or problems affecting a large number of components can be nearly impossible if timestamps in logs are inaccurate.Ìý Time is often the critical factor that allows an event on one network node to be mapped to a corresponding event on another.
Cryptographic key management and secure document transmission may require using accurate, encoded timestamps which match unencoded timestamps to help assure document authenticity.Ìý For example, RPC needs clocks to be synced to within 15 seconds for proper operation.
Interactions with dynamic events such as stock market trades require careful synchronization of time.
Many authentication systems, Kerberos being the most prominent example, use dated tickets to control access to systems and resources.
Investigating incidents that involve multiple computers is much easier when the timestamps on files and in logs are all in sync.
Sarbanes-Oxley and HIPAA Security Rules both require accurate timestamping.
A Solution
The Network Time Protocol (NTP) has long been the king of time-setting software.Ìý Dr. David Mills has been studying the problems surrounding accurate Internet timekeeping in laboratories.Ìý In 1985, he wrote the first RFC about NTP.Ìý Its popularity has grown ever since.
More Problems
Some companies solve the problem of synchronizing their networks by using NTP to go out on the Internet to get time from a Public Internet Time Server.Ìý But, this approach is prone to problems:
To access an Internet Time Server using NTP, a problem arises because the time source is beyond the firewall.Ìý This means there must be a "hole" left open in the firewall (specifically UDP port 123) to allow packets containing the time information through.Ìý This security hole is the main problem with getting time from the Internet.
Time accuracy degrades when using an Internet Time Server because of asymmetrical latency (delays between when the time packets leave the time source and when they arrive at your network).
External agencies (e.g. universities) who provide Public Domain Time Servers are not obliged to continue service or guarantee availability and accuracy.
The Best Solution
The safest and most reliable method for synchronizing all the clocks on your network is with a dedicated time server running NTP or SNTP:
Installing a network time server behind your firewall and insulating it from the Internet provides the best security.
You avoid the extra work of reconfiguring firewalls and routers that may be required to allow the devices on your LAN access to a Public Internet Time Server.
Because of minimal latency, a network time server on your LAN can reliably keep all the servers, workstations and network devices synchronized to within 1/2 to 2 milliseconds of each other.