> On Sep 25, 2015, at 4:44 PM, Matt Butch <apple4e...@me.com> wrote:
>
> Thanks for the replies all.
>
> On 09/25/2015 01:03 PM, Brandon Allbery wrote:
>> On Fri, Sep 25, 2015 at 11:54 AM, Matt Butch <apple4e...@me.com> wrote:
>> I want to put time servers in the two e-commerce datacenters as well as the
>> two corporate offices and peer all of them together, and point our servers
>> to all of them. He wants to only put them in the two corporate offices. His
>> argument is that they are then central there. Mine is that they aren't
>> central to the web stack, and that the web stack will not maintain correct
>> and consistent time.
>>
>> "Central" in this context generally means that you have distinguished
>> servers that provide time to internal hosts, and only those servers get time
>> from external sources. Physical location is very specifically NOT part of
>> "central"; that constraint would be problematic for any installation
>> spanning multiple continents --- where the usual topology would be each
>> region having one or more "central" time servers (depending on how many
>> clients in the region), those regional servers all peered to each other, and
>> clients in the region using the regional server.
>
> That was my thought as well, where the servers are central to their region.
>
>> Ask this security guy if a fiber cut affecting the central office is
>> expected to produce PCI noncompliance. You *really* want to spread the
>> "central" servers out for redundancy.
>
> That's the problem I pointed out. If the connection to the corporate offices
> goes down, anywhere along the line, we are out of PCI compliance. He said
> "that's unlikely to happen".
>
>> (Also, I note you said two corporate offices; two master NTP servers is
>> pretty much the worst possible configuration because they can easily
>> diverge. One if you must, otherwise 3 or more.)
>
> I did forget a detail, each corporate office will have 3 NTP servers to
> protect against failover issues. I did get him to agree to that.
I'd say that you need to know what systems are PCI scoped, and that normally the ones with cardholder data are the more important ones. I suspect your commerce servers are the ones that are more likely to need to be on time and online, since you've probably got an actual datacenter & UPS. Corporate is normally less important, and might even be out of scope...

Matthew Barr
mb...@mbarr.net
c: (646) 727-0535
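The topology Brandon describes above (regional "central" servers that alone talk to external sources, peered to each other, with clients using only their regional servers) fails in exactly the way Matt worries about when a client's only sources sit behind a WAN link that goes down, and the "one or three or more" rule comes from ntpd's clock selection needing a majority to outvote one lying or drifting source. As an added example that is not part of the thread, here is a monitoring check for a commerce host that parses `ntpq -pn` output and fails when fewer than three sources survived selection. It assumes classic ntpd/ntpq (chrony's `chronyc sources` output has a different layout); the addresses and the three sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that an ntpd client still has a
# usable quorum of time sources. Assumption: ntpd/ntpq output layout as in the
# constructed samples below; chrony prints a different table.

# Tally codes in column 1 of `ntpq -p`: '*' sys.peer, '+' candidate and
# 'o' pps.peer survived clock selection; 'x' is a falseticker, '-' an outlier,
# ' ' a source that was discarded or never answered.

# count_selected: number of sources that survived selection (stdin = ntpq -pn).
count_selected() {
    awk 'NR > 2 {
        tally = substr($0, 1, 1)
        if (tally == "*" || tally == "+" || tally == "o") n++
    } END { print n + 0 }'
}

# count_reachable: sources whose reach register (column 7, octal) is non-zero,
# i.e. at least one of the last eight polls was answered (stdin = ntpq -pn).
count_reachable() {
    awk 'NR > 2 && $7 != 0 { n++ } END { print n + 0 }'
}

# has_falseticker: exit 0 if any source is marked 'x' (stdin = ntpq -pn).
has_falseticker() {
    awk 'NR > 2 && substr($0, 1, 1) == "x" { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# check_quorum MIN: exit 0 when stdin (ntpq -pn output) shows at least MIN
# surviving sources. Reachability alone is not enough: a reachable source that
# was voted out as a falseticker does not count.
check_quorum() {
    min=$1
    data=$(cat)
    selected=$(printf '%s\n' "$data" | count_selected)
    reachable=$(printf '%s\n' "$data" | count_reachable)
    if [ "$selected" -ge "$min" ]; then
        echo "OK: $selected of $reachable reachable sources selected"
        return 0
    fi
    echo "CRITICAL: $selected selected sources ($reachable reachable), need $min"
    return 1
}

# Constructed sample: a commerce host using three servers in its own datacenter.
SAMPLE_LOCAL='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.20.0.11      203.0.113.5      2 u   34   64  377    0.412   -0.021   0.018
+10.20.0.12      203.0.113.6      2 u   12   64  377    0.389    0.010   0.022
+10.20.0.13      203.0.113.7      2 u   55   64  377    0.401    0.004   0.019'

# Constructed sample: a host whose only sources are at corporate, after the
# WAN link is cut. Every source is unreachable (reach 0) and nothing is selected.
SAMPLE_CUT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.30.0.11      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 10.30.0.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 10.30.0.13      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed sample: four reachable sources, one of which is far off and was
# voted out. Three good sources are enough to identify the liar.
SAMPLE_LIAR='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.20.0.11      203.0.113.5      2 u   34   64  377    0.412   -0.021   0.018
+10.20.0.12      203.0.113.6      2 u   12   64  377    0.389    0.010   0.022
+10.20.0.13      203.0.113.7      2 u   55   64  377    0.401    0.004   0.019
x10.30.0.11      203.0.113.9      2 u   20   64  377   22.310  812.455   0.030'

# Run the check against the samples; the cut-link sample is expected to fail.
printf '%s\n' "$SAMPLE_LOCAL" | check_quorum 3
printf '%s\n' "$SAMPLE_CUT" | check_quorum 3 || :
printf '%s\n' "$SAMPLE_LIAR" | check_quorum 3

# Against the live daemon when invoked as `./ntp_quorum.sh --live`.
if [ "${1:-}" = "--live" ]; then
    ntpq -pn | check_quorum 3
fi
```

Run it from cron or a monitoring agent on the PCI-scoped hosts; the point of the check is that a host whose sources all live at corporate goes CRITICAL the moment that link drops, while a host with three regional sources keeps a quorum even if one of them is wrong.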
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/