Thanks for the replies all.

On 09/25/2015 01:03 PM, Brandon Allbery wrote:
On Fri, Sep 25, 2015 at 11:54 AM, Matt Butch <apple4e...@me.com> wrote:
I want to put time servers in the two e-commerce datacenters as well as the two corporate offices and peer all of them together, and point our servers to all of them. He wants to only put them in the two corporate offices. His argument is that they are then central there. Mine is that they aren't central to the web stack, and that the web stack will not maintain correct and consistent time.

"Central" in this context generally means that you have distinguished servers that provide time to internal hosts, and only those servers get time from external sources. Physical location is very specifically NOT part of "central"; that constraint would be problematic for any installation spanning multiple continents --- where the usual topology would be each region having one or more "central" time servers (depending on how many clients in the region), those regional servers all peered to each other, and clients in the region using the regional server.
That was my thought as well, where the servers are central to their region.


Ask this security guy if a fiber cut affecting the central office is expected to produce PCI noncompliance. You *really* want to spread the "central" servers out for redundancy.

That's the problem I pointed out. If the connection to the corporate offices goes down, anywhere along the line, we are out of PCI compliance. He said "that's unlikely to happen".

(Also, I note you said two corporate offices; two master NTP servers is pretty much the worst possible configuration because they can easily diverge. One if you must, otherwise 3 or more.)

I did forget a detail: each corporate office will have 3 NTP servers to protect against failover issues. I did get him to agree to that.


--
brandon s allbery kf8nh                               sine nomine associates
allber...@gmail.com                                  ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
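The failure modes discussed in this thread (the web stack losing every time source when the link to the corporate office drops, and two master servers diverging with no third source to break the tie) are exactly what a compliance-minded monitoring check should catch on each host. The following script is an added example and is not code from this list thread or from any of its participants. It parses the peer table printed by `ntpq -p` and grades it; the hostnames, offsets and the thresholds (at least 3 reachable sources, system-peer offset under 100 ms) are constructed assumptions for the illustration, so adjust them to your own policy.

```python
"""Grade a host's NTP source health from `ntpq -p` output.

Added example for the thread on regional vs. central NTP servers; the
sample peer tables and thresholds below are constructed, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Tally codes in the first column of `ntpq -p` output (see the ntpq manual).
SYS_PEER = "*"      # the source the local clock is currently synced to
FALSETICKER = "x"   # a source the selection algorithm rejected as wrong


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int        # 8-poll reachability register, printed in octal by ntpq
    offset_ms: float


def parse_ntpq(text: str) -> list[Peer]:
    """Parse the peer rows of `ntpq -p`, skipping the header and separator."""
    peers: list[Peer] = []
    for line in text.splitlines():
        body = line.lstrip()
        if not body or body.startswith(("remote", "=")):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue  # truncated or unexpected row
        remote, refid, st, _t, _when, _poll, reach, _delay, offset, _jitter = fields[:10]
        peers.append(Peer(tally, remote, refid, int(st), int(reach, 8), float(offset)))
    return peers


def assess(peers: list[Peer], min_sources: int = 3, max_offset_ms: float = 100.0):
    """Return (status, problems) where status is 'ok', 'warning' or 'critical'.

    Thresholds are assumptions: a site may require more sources or a tighter
    offset bound. A source is treated as reachable if any of its last eight
    polls answered (reach != 0).
    """
    reachable = [p for p in peers if p.reach != 0]
    syspeer = next((p for p in peers if p.tally == SYS_PEER), None)
    falsetickers = [p.remote for p in peers if p.tally == FALSETICKER]
    problems: list[str] = []

    if syspeer is None:
        # No selected source: the clock is free-running, which is the state a
        # cut link to the only time servers leaves every client in.
        problems.append("no system peer: local clock is not synchronised")
        status = "critical"
    elif abs(syspeer.offset_ms) > max_offset_ms:
        problems.append(f"offset {syspeer.offset_ms:.1f} ms exceeds {max_offset_ms} ms")
        status = "critical"
    else:
        status = "ok"

    if len(reachable) < min_sources:
        # With only two sources there is no majority to identify the wrong one.
        problems.append(f"only {len(reachable)} reachable source(s), want >= {min_sources}")
        status = "warning" if status == "ok" else status
    if falsetickers:
        problems.append("rejected as falseticker: " + ", ".join(falsetickers))
        status = "warning" if status == "ok" else status
    return status, problems


# Constructed sample tables (hostnames and values are made up).
HEADER = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "==============================================================================\n"
)
HEALTHY = HEADER + (
    "*ntp1-east       10.10.0.1        2 u   38   64  377    0.412   -0.213   0.088\n"
    "+ntp2-east       10.10.0.2        2 u   51   64  377    0.398    0.105   0.074\n"
    "+ntp1-west       10.20.0.1        2 u   12   64  377   24.611    0.340   0.120\n"
)
FIBER_CUT = HEADER + (
    " ntp1-corp       .INIT.          16 u    -   64    0    0.000    0.000   0.000\n"
    " ntp2-corp       .INIT.          16 u    -   64    0    0.000    0.000   0.000\n"
    " ntp3-corp       .INIT.          16 u    -   64    0    0.000    0.000   0.000\n"
)
TWO_SERVER = HEADER + (
    "*ntp1-corp       10.0.0.1         2 u   20   64  377    5.120    0.310   0.140\n"
    "xntp2-corp       10.0.0.2         2 u   25   64  377    5.230  812.440   0.210\n"
)

if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY), ("fiber cut", FIBER_CUT), ("two servers", TWO_SERVER)):
        status, problems = assess(parse_ntpq(table))
        print(f"{name:12s} {status:9s} {'; '.join(problems) or '-'}")
```

Run it as a cron or agent check with the live `ntpq -p` output in place of the constructed tables; the three samples grade as ok, critical and warning respectively, the last one because two reachable sources leave the selection algorithm without a third opinion.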
