[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] News Server



On Wed, 06 Nov 2002 09:55:40 +1300, you wrote:

> Henning Petersen Wangerin wrote:
> 
> >>Standard security policy is to disable non-essential 
> >>services, particularly when they are difficult or convoluted to protect. 
> >> News: just like NFS is difficult to protect - so you firewall it in - 
> >>end of story.
> >>
> >
> >Yeah, but if, as you say your self, your firewall block port 119 (in
> >and out) your server is still not able to get anything - alt least not
> >more than the user himself is able to get from the net.
> >
> 
> A workaround for this is to run your news server on a machine you can 
> control.  Allow *this* machine access to the 'Net with NNTP and then ;
> 
> DENY your terminal servers NNTP access to the 'Net
> ALLOW your terminal servers NNTP access to your News Server.
> DENY all other NNTP (port 119)

Sounds reasnable

> This will give you what you need, provided the users cannot hack the 
> server to get other groups.

- or the firewall
Nothing is stronger than the weakest link ;-)
But I think we agree.

> >Sure, but do you considder a php script running as a bbs-style
> >web-service more secure than eg INN?
> >
> >I cann't tell witch one is the most secure, and I double there are
> >many that will garantee you anything like that.
> >
> 
> There is a difference ;
> 
> If users can hack your PHP script then they can break your web server. 
>  Most PHP groupware-type applications are well tested, but if users *do* 
> crack it, they still don't have access to hazardous material.
> 
> If they successfully hack your News server - they only need to import 
> one group...  no question about it - and your name goes in the paper..  8-/

Yeah, but what about someone hacking your file-server, and storing
images there?

What I'm saying is that a combination of a firewall blocking _all_
port 119 (in _and_ out) and a news server _your_ control would not be
more insecure than a php script.

Even if the news-server was hacked, it wouldn't be able to get info
from the outside-world, so what's the problem?

> >I totally agree, but I don't see how a general solution as a bbs-board
> >contra a news-server make any diffence on your security.
> >
> 
> as per the example above.  If they break your PHP, your website will go 
> weird, or worst case, go down.  If they break your inn server, the 
> entire school network is flooded with high quality porn in 10 minutes 
> flat.  This will be international news (if you will excuse the pun), I 
> assure you.

Why we're taking of a 100% internal server, so the firewall will not
accept external connections - sure if you allow polling from external
servers, you _might_ have a posibility, but as long as it's local, and
your firewall stops 119 where should this "high quality porn" come
from?

> less, definately.  news savvy Kids *know* the names of the lists to 
> download from..  For the exercise, my Wife and I spent an hour (at home) 
> digging the web for access to xxx material.  We found there was plenty 
> of images that were not appropriate because of the context in which they 
> were portrayed.  However, we found near zero material that was high 
> quality porn - everything required a credit card number, or else it was 
> 80x120 pixels in 8 bits or less..
> 
> And then we duplicated our test on the newsgroups..   5 minutes later we 
> had 200+ images ready to download... and rapidly terminated that test...
> and permanently blocked nntp in and out.

Sure the newsgroups are widely open, and don't know your filters on
www, but there are plenty of sites also free and open on www.

> >If you want it, there is no problem getting it, I'm sure - and the
> >kids wanting it, surely knows where to get it - despite your filters. 
> >
> 
> at school, that is *our* problem.  I would like to safely let usenet in, 
> but I haven't found a solution.

I agree.

> >But as long as you don't let the big usenet come in, I really don't se
> >the problem in the porn on usenet. The kids will not have better or
> >worse access to that if, or if not you run a _local_ non-peering
> >news-server.
> 
> for sure.  If your NNTP server will not allow a client to subscribe, or 
> create a new newsgroup, and the peering side of it is shutdown 
> completely, and the config files are secure, AND the firewall blocks 
> port 119 in/out, AND you have a script running to monitor it, you are safe.
> 
> Maintain your awareness though - you have naked flame on one side, and 
> gasoline on the other.  It's a beeeeg risk..  And if someone breaks 
> it.... there's gonna be a hua[1] of a boooom!   with parts landing 
> everywhere..

Still I agree that til porn part of usenet has noting to do in the
schools, but I must admit I can't follow you on your general view on
the nntp as unsecure.

There are lots of user-groups running public news-servers more or less
open to the public with no problem - as long as they are not peered to
the global usenet-network everythink works fine.

> Sorry about the Lecture..  8-}  Call me paranoid...  8-)

Or maybee we're just facing differences in the point of view between
the US and Denmark ;-)


-- 
Venlig hilsen / Best regards
	Henning

 _H_P_C_o_n_s_u_l_t_    http://www.hpc.dk
 Skoletoften 9, Blans   http://www.turnsys.dk
 DK - 6400 Soenderborg





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]