Path: utzoo!utgpu!watserv1!watmath!att!pacbell.com!ucsd!sdd.hp.com!zaphod!julius.cs.uiuc.edu!apple!agate!ucbvax!udel.edu!Mills
From: Mills@udel.edu
Newsgroups: comp.protocols.time.ntp
Subject: Re:  vendor supported NTP
Message-ID: <9101142207.aa15948@huey.udel.edu>
Date: 15 Jan 91 03:07:24 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: inet
Organization: The Internet
Lines: 21

Tait,

So far as I know, and I don't really know a heck of a lot, DEC
is supporting NTP (ntp.3.4) and Sun has announced plans to 
put it in their next release. A whole bunch of folk are running
NTP internally on lots of machines, including DEC, Sun and HP.
I know of only one organization (I would rather not say which
one, but it is a major corporation) running NTP internally and
with a filtering gateway to the Internet. The filter allows
NTP to pass, but disallows other leaks.

It is hard to imagine a security problem with NTP access, unless
you count denial of service (e.g., flooding). There are no
commands allowing access to the shell or any other power program.
In addition, access can be protected using cryptographic
authentication features of xntpd, if it comes to that. A reasonable
analysis would probably conclude you are in more danger from
destabilized clocks due broken servers than are you in danger
from a worm infestation.

Dave