Randy Bias <randyb @
# One thing that needs mentioning: I have been contemplating whether to move
# our News server from the Firewall to an internal host, but I've been torn
# because of the security issues. The biggest reason I see for the move is
# that I'd like to have news groups for local Kalpana traffic but would prefer
# that the data not reside on the Firewall, but internally. News groups with
# proprietary information on the firewall sounds like a big security risk to me.
I think you're right; it _is_ a big security risk to have private
newsgroups on a bastion host. I generally recommend putting news on
an internal host for exactly that reason.
In most ways, NNTP is very similar to SMTP from a packet filtering
point of view. One of the key differences is that you might get an
incoming SMTP connection from anywhere, but you generally know in
advance who your incoming NNTP connections will be coming from:
whatever host or hosts you get your NNTP feeds from. You can thus set
up a peephole in your packet filtering to allow your NNTP feed site to
talk NNTP to your internal NNTP server, and vice versa.
Marcus Ranum (mjr @
com) suggested another alternative last year: an
NNTP "tunnel daemon" that runs on a bastion host and passes NNTP
traffic between your internal news server and your external feed site.
See the pub/firewalls/topics/nntp.Z file from FTP.GreatCircle.COM for
the code and discussion.
Brent Chapman | Great Circle Associates | Call or email for info about
COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates
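The NNTP "peephole" described above, written out as a small packet-filter rule table (an added example, not configuration from the original post or from Great Circle Associates). The addresses, rule names and the Packet/Rule model are assumptions constructed for the example. It goes one step beyond the text in also checking the TCP ACK bit on the reply rules, so the permitted reply traffic cannot be used to open a new connection from the feed site's port 119 to an arbitrary internal port.

```python
"""
Packet-filter rule table for an NNTP feed between one known external site and an
internal news server. Constructed example; addresses and rule names are assumed.
Rules are evaluated in order, first match wins, and anything unmatched is denied.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, Union

FEED_HOST = "192.0.2.10"   # assumed address of the site that sends us our feed
NEWS_SERVER = "10.1.1.5"   # assumed address of the internal NNTP server
NNTP_PORT = 119
HIGH = "high"              # any unprivileged client port (> 1023)

PortSpec = Union[None, int, str]   # None = any, int = exact, HIGH = > 1023


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving for it
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool        # TCP ACK bit; clear only on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src: Optional[str]    # None = any host
    dst: Optional[str]
    sport: PortSpec
    dport: PortSpec
    ack: Optional[bool]   # None = either state
    action: str           # "permit" or "deny"


def _port_ok(want: PortSpec, got: int) -> bool:
    if want is None:
        return True
    if want == HIGH:
        return got > 1023
    return want == got


def _host_ok(want: Optional[str], got: str) -> bool:
    return want is None or want == got


def matches(rule: Rule, p: Packet) -> bool:
    return (rule.direction == p.direction
            and _host_ok(rule.src, p.src) and _host_ok(rule.dst, p.dst)
            and _port_ok(rule.sport, p.sport) and _port_ok(rule.dport, p.dport)
            and (rule.ack is None or rule.ack == p.ack))


RULES = [
    # The feed site opens a connection to our news server and sends on it.
    Rule("feed-in",        "in",  FEED_HOST,   NEWS_SERVER, HIGH,      NNTP_PORT, None, "permit"),
    # Our replies on that connection: ACK always set, so never a new connection.
    Rule("feed-in-reply",  "out", NEWS_SERVER, FEED_HOST,   NNTP_PORT, HIGH,      True, "permit"),
    # Our server opens a connection to the feed site (we send articles to it).
    Rule("feed-out",       "out", NEWS_SERVER, FEED_HOST,   HIGH,      NNTP_PORT, None, "permit"),
    # The feed site's replies on that connection, again ACK-only.
    Rule("feed-out-reply", "in",  FEED_HOST,   NEWS_SERVER, NNTP_PORT, HIGH,      True, "permit"),
    # Everything else NNTP-related, in both directions.
    Rule("default-in",     "in",  None, None, None, None, None, "deny"),
    Rule("default-out",    "out", None, None, None, None, None, "deny"),
]


def filter_packet(p: Packet) -> Tuple[str, str]:
    """Return (action, name of the first rule that matched)."""
    for r in RULES:
        if matches(r, p):
            return r.action, r.name
    return "deny", "implicit"


if __name__ == "__main__":
    samples = [  # constructed packets; the last two show what the ACK check stops
        Packet("in",  FEED_HOST,     NEWS_SERVER, 40000, NNTP_PORT, False),
        Packet("in",  "203.0.113.7", NEWS_SERVER, 40000, NNTP_PORT, False),
        Packet("out", NEWS_SERVER,   FEED_HOST,   NNTP_PORT, 40000, True),
        Packet("out", NEWS_SERVER,   FEED_HOST,   50000, NNTP_PORT, False),
        Packet("in",  FEED_HOST,     NEWS_SERVER, NNTP_PORT, 50000, True),
        Packet("in",  FEED_HOST,     NEWS_SERVER, NNTP_PORT, 50000, False),
        Packet("in",  FEED_HOST,     "10.1.1.9",  40000, NNTP_PORT, False),
    ]
    for s in samples:
        print(f"{s.direction:3} {s.src}:{s.sport} -> {s.dst}:{s.dport} ack={s.ack}: "
              f"{filter_packet(s)}")
```

The rule table is the same shape whether it is fed to a screening router's access list or to a host-based filter; the point is that only the feed site's address ever matches, and the two reply rules match only packets that already belong to an established connection.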