Network News Transfer Protocol (NNTP)
NNTP is the service generally used to transfer Usenet news across the Internet. A news server is the place where Usenet news flows into and out of your organization, and which your users access (via news clients) to read and post news. News servers generally speak NNTP among themselves so they can transfer news between sites. In addition, most news clients use NNTP to access news servers. (Traditionally, Unix-based news clients read news from local files, and some sites may still be using older clients that do this.) There are a number of freely available news servers, including B-News, C-News, and INN. There are also a number of commercial servers, which claim to have better performance.
These days, not all sites choose to offer news. If you do not have your own news server, you may wish to allow your users to contact external NNTP servers. The risk involved is relatively low; although NNTP has been used to attack news servers, there are no known serious problems with the NNTP protocol for clients. NNTP does, of course, provide another way for information to flow into and out of your organization, where the inbound information may include undesirable things like viruses, illegitimate copies of copylefted information, and data that is illegal to distribute in some jurisdictions (including hate speech and pornography), and the outbound information may include your organization's secrets. These are the same risks found in protocols like HTTP and SMTP, and an NNTP client is vulnerable to the same data-driven risks as an electronic mail client, including the risks associated with handling of MIME- and HTML-enhanced messages.
If you do choose to run your own news server, the best way to configure it is the same way that you configure SMTP; set up a server on a bastion host that talks to external sites, possibly sanitizing information in the process, and relays news to an internal server. Your internal clients then exchange news with the internal server. The external server needs only a minimal configuration, since the news will be stored on the internal server. This configuration gives you a maximum of security and control, but it is a significant amount of administrative overhead. In addition, even minimal news servers place a heavy load on machines, and it is advisable to put the externally visible news server on a dedicated bastion host.
If you are unable to use a configuration with two news servers, the next best option is to use a single news server on a bastion host. If you do this, you will be able to support only news readers that use NNTP; older Unix clients that expect to read files directly will not have access to the bastion host. In addition, you should not create private newsgroups that are intended to be internal to your organization if your news server is a bastion host. The probability that the newsgroups will leak to the outside universe is far too high.
Finally, you can use a single news server on your internal network and very carefully control which hosts can reach it. This is the most dangerous option, since you are letting external hosts make connections directly to your internal network. However, you can limit the connections to those servers you exchange news with, and this solution will let you have internal newsgroups and non-NNTP news readers. In this situation, you should try to use servers and feed sites that support NNTP authentication, so that you have some authentication besides the IP source address. NNTP authentication is not standard but is implemented in many servers.
Packet Filtering Characteristics of NNTP
NNTP is a TCP-based service. NNTP servers use port 119. NNTP clients (including servers transferring news to other servers) use ports above 1023. Some news servers (in particular, INN) allow you to specify other port numbers to use for server-server transactions, which can be useful for a number of reasons. In particular, it allows you to separate server-server transactions from server-reader transactions and put separate restrictions on them. This can be particularly useful on heavily loaded servers that may otherwise have difficulty receiving news during peak reading times.

Direction | Source Addr. | Dest. Addr. | Protocol | Source Port | Dest. Port | ACK Set | Notes
---|---|---|---|---|---|---|---
In | Ext | Int | TCP | >1023 | 119 | [68] | Incoming news
Out | Int | Ext | TCP | 119 | >1023 | Yes | Incoming news responses
Out | Int | Ext | TCP | >1023 | 119 | [68] | Outgoing news, or internal client contacting external server
In | Ext | Int | TCP | 119 | >1023 | Yes | Outgoing news responses, or external server responding to internal client

[68] ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.
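The rule table above, expressed as a small evaluator. This is an added example, not code from the book or from any firewall product; the internal network range, the feed-site address and the sample packets are constructed here. The `feed_only` switch models the third deployment option above, where a news server on the internal network accepts inbound NNTP connections only from the sites you exchange news with.

```python
import ipaddress

NNTP_PORT = 119
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")        # assumed internal range
# Feed sites we exchange news with (constructed sample address). With
# feed_only=True, only these may open server-to-server connections inbound.
FEED_SITES = {ipaddress.ip_address("192.0.2.10")}


def _internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def nntp_filter(direction, src, dst, proto, sport, dport, ack, feed_only=False):
    """Return the Notes text of the matching table row, or None to deny.

    direction is "in" (Ext -> Int) or "out" (Int -> Ext); ack is the TCP ACK
    flag. The two response rows require ACK, so a connection can never be
    *opened* from port 119 toward an internal high port (footnote [68]).
    """
    if proto != "TCP":
        return None
    src_int, dst_int = _internal(src), _internal(dst)

    if direction == "in" and not src_int and dst_int:
        if sport > 1023 and dport == NNTP_PORT:          # row 1: incoming news
            if feed_only and ipaddress.ip_address(src) not in FEED_SITES:
                return None
            return "Incoming news"
        if sport == NNTP_PORT and dport > 1023 and ack:  # row 4: replies only
            return ("Outgoing news responses, or external server "
                    "responding to internal client")

    if direction == "out" and src_int and not dst_int:
        if sport == NNTP_PORT and dport > 1023 and ack:  # row 2: replies only
            return "Incoming news responses"
        if sport > 1023 and dport == NNTP_PORT:          # row 3: outgoing news
            return "Outgoing news, or internal client contacting external server"

    return None


if __name__ == "__main__":
    # A SYN from an external host's port 119 to an internal high port is denied;
    # the same packet with ACK set (a reply to our own connection) is allowed.
    print(nntp_filter("in", "203.0.113.7", "10.1.1.5", "TCP", 119, 2000, False))
    print(nntp_filter("in", "203.0.113.7", "10.1.1.5", "TCP", 119, 2000, True))
```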