 |  |
16.9. Network News Transfer Protocol (NNTP)
NNTP is the service generally used to transfer Usenet news across the Internet. A news server is the place where Usenet news flows into and out of your organization, and which your users access (via news clients) to read and post news. News servers generally speak NNTP among themselves so they can transfer news between sites. In addition, most news clients use NNTP to access news servers. (Traditionally, Unix-based news clients read news from local files, and some sites may still be using older clients that do this.)There are a number of freely available news servers, including B-News, C-News, and INN. There are also number of commercial servers, which claim to have better performance.
These days, not all sites choose to offer news. If you do not have your own news server, you may wish to allow your users to contact external NNTP servers. The risk involved is relatively low; although NNTP has been used to attack news servers, there are no known serious problems with the NNTP protocol for clients. NNTP does, of course, provide another way for information to flow into and out of your organization, where the inbound information may include undesirable things like viruses, illegitimate copies of copyrighted information, and data that is illegal to distribute in some jurisdictions (including hate speech and pornography), and the outbound information may include your organization's secrets. These are the same risks found in protocols like HTTP and SMTP, and an NNTP client is vulnerable to the same data-driven risks as an electronic mail client, including the risks associated with handling of MIME- and HTML-enhanced messages.
16.9.1. Packet Filtering Characteristics of NNTP
NNTP is a TCP-based service. NNTP servers use port 119. NNTP clients (including servers transferring news to other servers) use ports above 1023. Some news servers (in particular, INN) allow you to specify other port numbers to use for server-server transactions, which can be useful for a number of reasons. In particular, it allows you to separate server-server transactions from server-reader transactions and put separate restrictions on them. This can be particularly useful on heavily loaded servers that may otherwise have difficulty receiving news during peak reading times.| Direction | SourceAddr. | Dest.Addr. | Protocol | SourcePort | Dest.Port | ACKSet | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | TCP | >1023 | 119 |
[68]
|
Incoming news |
| Out | Int | Ext | TCP | 119 | >1023 | Yes | Incoming news responses |
| Out | Int | Ext | TCP | >1023 | 119 | [68] | Outgoing news, or internal client contacting external server |
| In | Ext | Int | TCP | 119 | >1023 | Yes | Outgoing news responses, or external server responding to internal client |
[68]ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.
16.9.2. Proxying Characteristics of NNTP
NNTP is a store-and-forward protocol, capable of doing its own proxying. It is also easy to proxy as a straightforward single-connection protocol. TIS FWTK provides a generic proxy, plug-gw, which is frequently used with NNTP, as well as modified user procedures (the NNTP connection is directed to the proxy server, which redirects the connection based on the client address). It would be easy to modify clients to use a generic modified-client proxy like SOCKS. In addition, the clients provided with web browsers (including Netscape Navigator and Internet Explorer) are capable of using SOCKS.
16.9.3. Network Address Translation Characteristics of NNTP
NNTP does not use embedded IP addresses and will work with network address translation systems. However, NNTP servers may use the source IP address and port of connections as an authentication mechanism. In addition, news articles will contain hostname information, which may be either a name provided by the client that submits the article, or a name gotten by resolving the source IP address, or both. This may give away information that you don't want to make public. In addition, running NNTP through network address translation may cause the NNTP server to decide that you're lying about your host information (because the name provided by the client and the name gotten by resolving the source IP address don't match).
16.9.4. Summary of Recommendations for NNTP
- Use two NNTP servers -- have your users read news from an internal NNTP server, and have the internal NNTP server exchange news with a bastion host that talks to external sites.
- Allow external NNTP connections only from the sites you exchange news with.
