> 1: How insecure is the inn software?
One could do worse than INN. INN is very nicely configured to
do all its work as the news owner. That's good design. The server
process is cleanly written and well-designed. The bad news is that
there are a number of shell scripts that are useful for processing
news, which means that chrooting the whole thing would be tough,
since you've got expire and all that stuff to worry about. Just
chrooting innd doesn't buy you anything if someone can get you
with a data-driven attack of some sort (like the recent '~' problem
in the control message handler) We looked at hacking on INN enough
to make it run entirely under chroot, but that seemed like a lot
> 2: In light of the answer to the previous question, where should
> we run this puppy, if at all? Inside? Outside?
We run our news on our fileserver inside, and use a simple
plug-board relay to "tunnel" all our NNTP traffic through our firewall
to the internal host that runs news. There are some advantages and
disadvantages to this approach, namely:
+ News running on an internal machine is a lot easier to
manage -- if disk overflows or expiry needs to be
tweaked, there's no need to log into the firewall
bastion host every time you need to do news stuff.
- News running on an internal machine means that if there
is a data-driven attack that lets someone do something,
they have done it on the internal machine.
This has its own pros and cons:
Pro: At least the firewall bastion host hasn't been
compromised! If that happened we'd really be
Con: Our internal machine is not exactly "disposable"
and having someone do something bad to it is
not pleasant to contemplate.
Pro: Even if the attacker can do something to the
internal machine, there's still a firewall
between them and it, and hopefully that'll
make the attack harder to exploit.
+ News running on an internal machine means the firewall
remains a "black box" that you don't have to spend
much time managing.
> 3: Has anyone done this??