
Can my firewall be an NTP source of information?

Many internal servers behind my TZ500 firewall need to access an NTP server from time to time. I have therefore created an access rule enabling those servers to go out to the WAN and pick up time information from external NTP servers.

Even though the NTP traffic to/from the WAN/LAN is not significant, I'd like to reduce it to the minimum, i.e. only the firewall gets proper time from the WAN, and all internal servers access one unique internal resource to get their own time information. That unique internal time source should ideally be the firewall.

Is there a way for all servers to get time information from the firewall?

Looking forward to your imaginative solutions.

Best regards

Category: Firewall Management and Analytics

Best Answer

  • BWC Cybersecurity Overlord ✭✭✭

    @Pjp no, SNWL appliances do not provide any NTP service; you need to run your own in your network or use an external trusted source.

    --Michael@BWC

Answers

  • Pjp Newbie ✭

    Hello BWC, thanks for the quick answer.

    I suspected this was the case and will therefore need to find an alternative way to get a unique source of time information within my internal network, while reducing the intrusion of public servers into the LAN area where I have implemented an NTP server.

    Let me explain the configuration here: I have internal servers hooked to the LAN zone of my TZ500, where Trust is the keyword. Within this zone the various devices can talk to each other freely. On the other hand, I have a "Cameras" zone which is declared as Public and where the devices (i.e. security cameras) have absolutely no access to the LAN area and therefore no access to the internal NTP server.

    This zone is kind of isolated from the LAN activities. The cameras hooked to this zone are granted access to external NTP servers through a specific firewall rule, so each camera is able to issue an NTP request to the WAN and get proper time information. While this works fine, I would like to reduce the number of NTP requests to the WAN and send all camera NTP requests to the TZ500 "Cameras" zone gateway, if it were NTP enabled, thus ensuring a unique source of time information for both LAN devices and cameras sitting in a non-trusted zone. I understand that such a functionality doesn't exist on the SonicWall and that I will therefore have to implement an NTP mechanism in the non-trusted zone to serve the cameras' NTP requests. Having one NTP server for the LAN zone and one for the non-trusted "Cameras" zone should, in the end, address my initial requirements.

    Feel free to comment in case I missed some other alternative here, or if you believe there is a "best practice" in terms of NTP request management for both trusted and non-trusted zones.

    Best regards

    PjP

  • BWC Cybersecurity Overlord ✭✭✭

    @Pjp usually I tend to allow only specific NTP servers to be accessed on the Internet; therefore an address group has to be defined with all the sanctioned servers and used in the related access rules. Depending on the size of your deployment you could install a small NTP server in your camera network, for example on a Raspberry Pi; even a Mikrotik router could do the job.

    Another option would be to force all NTP traffic from your cameras to a sanctioned NTP server on the Internet with a NAT rule, like SRC: Cameras - DST: Any - Service: NTP translated to SRC: X1 IP - DST: NTP Server - Service: Original. In that case it wouldn't matter what your cameras have configured as NTP source.

    Your cameras may be physically exposed and I fully support your strategy to not allow any traffic to your NTP server on the LAN.

    --Michael@BWC
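The two controls in the answer above (an access rule restricted to an address group of sanctioned NTP servers, and a NAT policy that redirects every NTP request from the Cameras zone to one sanctioned server) simulated as a small Python policy evaluator. This is an added example, not SonicOS code or anything from the thread; the zone subnets, the RFC 5737 WAN addresses, the test traffic and the assumption that the access rule is checked against the original source zone and the translated destination are all constructed for illustration.

```python
"""Simulation of the NTP access rule and NAT policy discussed in the thread.
Added example with constructed addresses; not SonicWall code."""

from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

NTP_PORT = 123

# Address objects and groups (constructed; RFC 1918 / RFC 5737 space, not the poster's real networks).
ZONES = {
    "LAN": ip_network("10.10.0.0/24"),
    "Cameras": ip_network("10.20.0.0/24"),
}
SANCTIONED_NTP = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}  # address group
PRIMARY_NTP = ip_address("203.0.113.10")   # the one server the NAT policy forces cameras to use
X1_IP = ip_address("198.51.100.5")         # firewall WAN (X1) interface address (assumed)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str   # "udp" or "tcp"
    dport: int


def zone_of(addr: IPv4Address) -> str:
    """Map an address to its zone; anything outside the internal subnets is WAN."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def apply_nat(pkt: Packet) -> Packet:
    """NAT policy from the answer: SRC Cameras, DST Any, Service NTP
    -> translated SRC X1 IP, DST PRIMARY_NTP, Service original.
    Because DST is Any, it does not matter which NTP server a camera is configured with."""
    if zone_of(pkt.src) == "Cameras" and pkt.proto == "udp" and pkt.dport == NTP_PORT:
        return replace(pkt, src=X1_IP, dst=PRIMARY_NTP)
    return pkt


def access_allowed(src_zone: str, dst: IPv4Address, proto: str, dport: int) -> bool:
    """Access rules. The only allow rule for outbound NTP is
    internal zone -> WAN, service NTP, destination in the sanctioned address group.
    Anything else falls to the default deny, including Cameras -> LAN."""
    if src_zone in ZONES and zone_of(dst) == "WAN" and proto == "udp" and dport == NTP_PORT:
        return dst in SANCTIONED_NTP
    return False


def process(pkt: Packet) -> tuple[bool, Packet]:
    """Run a packet through NAT, then the access rules, using the original source
    zone and the translated destination (assumed ordering for this simulation).
    Returns (allowed, packet as it would leave the firewall)."""
    translated = apply_nat(pkt)
    ok = access_allowed(zone_of(pkt.src), translated.dst, translated.proto, translated.dport)
    return ok, translated


if __name__ == "__main__":
    # Constructed test traffic.
    cases = {
        "camera -> unsanctioned WAN NTP": Packet(ip_address("10.20.0.7"), ip_address("192.0.2.50"), "udp", 123),
        "camera -> LAN NTP server":       Packet(ip_address("10.20.0.7"), ip_address("10.10.0.9"), "udp", 123),
        "camera -> LAN HTTP":             Packet(ip_address("10.20.0.7"), ip_address("10.10.0.9"), "tcp", 80),
        "LAN host -> unsanctioned NTP":   Packet(ip_address("10.10.0.9"), ip_address("192.0.2.50"), "udp", 123),
        "LAN host -> sanctioned NTP":     Packet(ip_address("10.10.0.9"), ip_address("203.0.113.11"), "udp", 123),
    }
    for label, pkt in cases.items():
        ok, out = process(pkt)
        verdict = "ALLOW" if ok else "DENY "
        print(f"{label:32s} {verdict} {out.src} -> {out.dst}:{out.dport}/{out.proto}")
```

Running it shows the effect the answer describes: a camera pointed at any NTP server, even the LAN NTP server, leaves the firewall as X1 IP -> 203.0.113.10 and is allowed, while non-NTP traffic from the Cameras zone into the LAN and LAN traffic to an unsanctioned NTP server are denied.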
