Howard B Owen writes:
>
>
> We are making a transition from a uucp/cnews based news system to
> nntp with INN. We live behind a firewall with a socks proxy server.
> We've talked about a couple of possible configurations:
>
> 1: News machine lives on firewall.
>
> _____________            ______                        _____________
> | news server |<-NNTP-->| news |<--------NNTP-------->| news client |
> ----+--------           ----+-                        ---+---------
>     |                   ____|_____                   ____|____
>     |        ____      /          \     ____        /         \
>     |       |    |    /            \   |    |      /           \
> internet ---| RA |---<   DMZ net   >---| RB |-----<internal net>
>             |____|    \            /   |    |      \           /
>                        \__________/     ----        \_________/
>
> 2: News machine lives on internal net:
>
> _____________            __________                    _____________
> | news server |<-NNTP-->| socks gw |<----NNTP-------->| news server |<-nntp
> ----+--------           ----+-----                    ---+---------    |
>     |                   ____|_____                   ____|____         |
>     |        ____      /          \     ____        /         \      __v____
>     |       |    |    /            \   |    |      /           \    |       |
> internet ---| RA |---<   DMZ net   >---| RB |-----<internal net>----|news   |
>             |    |    \            /   |    |      \           /    |client |
>              ----      \__________/     ----        \_________/     |_______|
>
>
> The first setup uses unmodified inn software running on the
> firewall, perhaps in a chroot'ed environment. This is easier to
> configure, but violates the prohibition against running complex
> software on the firewall. More work goes in to modifying inn to work
> with the socks proxy stuff in setup 2, but it seems cleaner. My
> questions are these:
>
> 1: How insecure is the inn software?
From my experience, INN seems to be pretty secure. I believe that there have
been a few threads concerning this in the past. You can get the archive.
> 2: In light of the answer to the previous question, where should
> we run this puppy, if at all? Inside? Outside?
YES, Run it. I would recommend Inside if you have a few feeds (<3), or
on the Wall if (>3 feeds). INN seems to have a pretty good configuration
setup to allow access control.
> 3: Has anyone done this??
Yes, both. I started with the Outside, then used Marcus Ranum's proxy for nntp
when he posted it (just had to try it). Both seem to work well. The advantage
of the proxy is that it runs via inetd and thus can work under tcpd (for
logging purposes), and INN can put quite a load on your system if you have
a large feed and a lot of readers. I am sure I will get blasted for this, but
I feel that the security difference between the two options is not as big
a question as the performance ramifications.
Just my .1
Phil
>
> Thanks for your time and attention.
>
> --
> Howard Owen, Sys Admin                      internet: hbo@octel.com
> Octel Communications Corporation            BITNET:   HBO@VOODOO.BITNET
> 890 Tasman Dr MS 05-04 Milpitas CA 95035    DECNET Internet: 45180::HBO
> "I am not a pay TV service!"                Telephone: 408-321-6576 (work)
>
--
***********************************************************************
* Philip C. Cox         | Word to live by:                            *
*                       |                                             *
* SSDS, Inc.            | "If you realize you aren't so wise today    *
* pcc@ssds.com          | as you thought you were yesterday, you're   *
* VOICE: (510) 294-3557 | wiser today."                               *
* PAGER: (510) 734-7983 |                               - Mary Jess  *
***********************************************************************
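As an added illustration of the two points Phil makes above (INN's own access control, and running the inetd-started proxy under tcpd for logging), here is how the reader policy and the wrapper rules for setup 2 might look. This is a constructed example, not configuration from either poster or from the INN distribution. The internal network 10.0.0.0/8, the host names and the daemon name nntp-proxy are assumed for the example; the nnrp.access layout (hosts:permissions:username:password:newsgroups, last matching line wins) and the hosts.nntp layout (host:password) are those of INN 1.x.

```text
# nnrp.access -- INN 1.x reader access control (constructed example)
# fields: hosts:permissions:username:password:newsgroups
# The last matching line wins, so deny everyone first and then open
# reading and posting to the internal net only. Nothing outside the
# firewall ever gets a reader session on the internal news server.
*:: -no- : -no- :!*
10.*:Read Post:::*
*.internal.example:Read Post:::*

# hosts.nntp -- INN 1.x list of hosts innd accepts article feeds from
# Only the socks/proxy gateway host is allowed to feed the inside server,
# so an outside peer cannot open a feed connection directly.
socksgw.example:

# /etc/hosts.allow -- tcpd rules for the inetd-started NNTP proxy
# (daemon name assumed). tcpd logs every accepted and refused
# connection through syslog, which is the logging Phil refers to.
nntp-proxy: 10.

# /etc/hosts.deny -- everything not explicitly allowed is refused
ALL: ALL
```

With this layout the only NNTP traffic crossing the firewall is the single feed between the outside server and the proxy, and every connection to the proxy leaves a syslog record whether it was accepted or refused.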