CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #1 (permalink)  
Old 2008-05-05
Senior Member
 
Join Date: 2007-06-05
Location: Canada
Posts: 203
Rep Power: 2
hotice_ has an average reputation (10+)
Default NTP Server feature in SPLAT - feat request?

Does anyone know if Check Point has any intention of embedding NTP Server (not client) as a feature within Secure Platform in the near future?

I've got a lot of client requests so far on this and have already forwarded this to our SE as a feature request...
  #2 (permalink)  
Old 2008-05-10
Administrator
 
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 586
Rep Power: 10
BarryStiefel has disabled reputation
Default Re: NTP Server feature in SPLAT - feat request?

Quote:
Originally Posted by hotice_ View Post
Does anyone know if Check Point has any intention of embedding NTP Server (not client) as a feature within Secure Platform in the near future?

I've got a lot of client requests so far on this and have already forwarded this to our SE as a feature request...
This makes me nervous. I don't like anyone connecting to my Security Gateway for any reason.
__________________
Barry J. Stiefel ("Stee-ful")
CCSA/CCSE/CCSE+/CCSI
President, CPUG
  #3 (permalink)  
Old 2008-05-10
Senior Member
 
Join Date: 2005-08-29
Location: Upstate NY
Posts: 1,681
Rep Power: 5
chillyjim has an average reputation (10+)
Default Re: NTP Server feature in SPLAT - feat request?

It would make sense on the SmartCenter, but not on a gateway.
  #4 (permalink)  
Old 2008-05-10
Administrator
 
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 586
Rep Power: 10
BarryStiefel has disabled reputation
Default Re: NTP Server feature in SPLAT - feat request?

Quote:
Originally Posted by chillyjim View Post
It would make sense on the SmartCenter, but not on a gateway.
Shouldn't this be considered one of the administrative services that goes on the same server as DNS, DHCP, or Windows AD Domain Controller? I really like my Security Gateways to be stripped down and hardened and invisible.
__________________
Barry J. Stiefel ("Stee-ful")
CCSA/CCSE/CCSE+/CCSI
President, CPUG
  #5 (permalink)  
Old 2008-05-10
Senior Member
 
Join Date: 2007-07-16
Posts: 693
Rep Power: 2
Thorpuse has an average reputation (10+)
Default Re: NTP Server feature in SPLAT - feat request?

I brought this up as a feature request a long time ago (actually I suggested that they include time sync as part of the SIC registration process, due to the issues with time registration and the validity of certs...). At the time I was told that it would not happen, because it opened a number of technical issues around the more general issues of clock and time synchronisation that CP weren't willing to invest time and effort into.

I still think this is a bit of a mistake on CP's part. Considering the importance of accurate timestamping for the validity of logs as well as the SIC issues that can potentially occur because of time issues, I'd support CP taking the time management function in as part of the product. It seems logical to me to use a SmartCenter/Provider-1 server as a time server for gateways, and not have them rely on a third-party time system which itself would need to be adequately protected.
  #6 (permalink)  
Old 2008-05-10
Administrator
 
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 586
Rep Power: 10
BarryStiefel has disabled reputation
Default Re: NTP Server feature in SPLAT - feat request?

Quote:
Originally Posted by Thorpuse View Post
I brought this up as a feature request a long time ago (actually I suggested that they include time sync as part of the SIC registration process, due to the issues with time registration and the validity of certs...). At the time I was told that it would not happen, because it opened a number of technical issues around the more general issues of clock and time synchronisation that CP weren't willing to invest time and effort into.

I still think this is a bit of a mistake on CP's part. Considering the importance of accurate timestamping for the validity of logs as well as the SIC issues that can potentially occur because of time issues, I'd support CP taking the time management function in as part of the product. It seems logical to me to use a SmartCenter/Provider-1 server as a time server for gateways, and not have them rely on a third-party time system which itself would need to be adequately protected.
Using SIC to synchronize time from the SCS out to all the other machines might be rather nice. You'd have to think about time zone issues, though.
__________________
Barry J. Stiefel ("Stee-ful")
CCSA/CCSE/CCSE+/CCSI
President, CPUG
  #7 (permalink)  
Old 2008-05-11
Senior Member
 
Join Date: 2007-07-16
Posts: 693
Rep Power: 2
Thorpuse has an average reputation (10+)
Default Re: NTP Server feature in SPLAT - feat request?

Quote:
Originally Posted by BarryStiefel View Post
Using SIC to synchronize time from the SCS out to all the other machines might be rather nice. You'd have to think about time zone issues, though.
Among other things.... different OSes manage time in different ways, drift and latency issues if you're going to time-sync properly, administrative/OS rights to change time, daylight savings...

Still think it's worth arguing... I've started a policy on most of the firewalls I deal with to set them all to UTC - just got too tired of all the daylight savings changes!
  #8 (permalink)  
Old 2008-05-11
Administrator
 
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 586
Rep Power: 10
BarryStiefel has disabled reputation
Default Re: NTP Server feature in SPLAT - feat request?

Quote:
Originally Posted by Thorpuse View Post
Among other things.... different OSes manage time in different ways, drift and latency issues if you're going to time-sync properly, administrative/OS rights to change time, daylight savings...

Still think it's worth arguing... I've started a policy on most of the firewalls I deal with to set them all to UTC - just got too tired of all the daylight savings changes!
I'm with you on the UTC idea, especially if you've got equipment in different time zones. Sometimes if I'm travelling and blasting through a lot of different time zones, I'll even set my watch to UTC and just remember how many delta hours there are wherever it is that I am.

And now that even the dates that DST comes into play keep changing, it gets much worse. I still use Windows 2000 machines that don't change over on the correct dates. Grrr.
__________________
Barry J. Stiefel ("Stee-ful")
CCSA/CCSE/CCSE+/CCSI
President, CPUG
All times are GMT -7.