CORPORATE.NET

News Servers? I'll Take Intranet Groupware For $1,000

As an Internet service, Usenet news links millions of people worldwide. You can take Usenet news and add security to make your news groups private, thereby turning Usenet into a standards-based intranet discussion tool and adding value to an existing Internet resource. You'll also make the boss happy by supporting this quarter's favorite buzzword: "intranet." This all seems easy enough. Now, for the $1,000 question: Is the technology ready for use in an enterprisewide setting?

The key issues regarding deployment of private discussion groups on a Network News Transport Protocol (NNTP) server are security and manageability. Private discussion groups can serve internal project and management teams, and may hold sensitive corporate information. Although m ost NNTP servers support both local and Internetwide discussion groups, they lack built-in security. Unlike the majority of network services with user-level access control, m ost NNTP servers rely primarily on address-based security. This is a convenient way of restricting readers to a local domain, but it is a stumbling block for implementing private news groups. What's available then for the enterprise? Let's see.

We tested four news servers at our Syracuse University lab with an eye on security, access control and management. The de facto standard news server throughout the Internet, INN 1.4, is a freely available Unix-based program. From the commercial sector, we tested Netscape Communications Corp.'s News Server 2.0 and a beta copy of NetManage's Forum Server. Both advertise support for private news groups out of the box. We also implemented a version of INN modified at Brown University to support Kerberos authentication and an external group directory system called Grouper.

We found that these servers lack the scalability and management features necessary for an enterprisewide environment. While they support the same level of user authentication, none is truly ready fo r a large-scale production environment. Although nearly every news reader supports user-level authentication through NNTP's authinfo protocol, there is no standard for authenticating users on the server side. To support user authentication through a back-end database of user names, passwords and access permissions, the servers require administrators to support a separate user database.

Implementing any network service means devoting resources to manage it, begging the question, "Do the benefits outweigh the costs?" Private discussion forums can be powerful tools for group collaboration, but there is a real price in hardware, software and support when implementing the service. Will you have to maintain yet another set of user accounts?

Ideally, a secure news server should authenticate users and get access control lists (ACLs) from a net workwide security service. We were dismayed by the lack of support for common authentication and directory services such as Kerberos, DCE, Novell Directory Services (NDS ), Microsoft Corp.'s NT Domains or Sun Microsystems' Network Information System (NIS) and NIS+. Of the servers we tested, only the version of INN modified at Brown University supports authentication.

Security Originally Usenet was a public medium, so many of the traditional security features are limited to controlling access via network address or by using simple password schemes. Private discussion groups add a level of security for news servers. There are two methods to help keep private information out of the hands of unauthorized users: authentication and access control. You need to evaluate your privacy needs and decide on an appropriate level of security for your situation.

An authentication system is responsible for verifying a user's identity when he or she accesses a resource, in this case, the news server. The system can range from no security at all to one that is very complex with several levels. Once an authentication system is in place, the server must support access controls at t he discussion-group level. This limits membership in the group.

There are three levels of security that can be practically integrated with NNTP: network-level, user-level and token-based access control.

Network-level access control is available in NNTP servers. This control limits access to a range of network addresses, in this case, IP addresses. Although appropriate for limiting access in a public forum to local clients or for creating open, local news groups, network-level control is not adequate by itself for maintaining private news groups.

User-level authentication is the most familiar security model. Like the majority of security systems for network services, it relies on user names and passwords. The servers we tested support NNTP's standard authinfo protocol, which is well-supported among news readers.

Finally, token- or ticket- based authentication systems, such as Kerberos, create an added level of security. Instead of passwords, these systems use automatic authentication through softw are tokens or by one-time passwords with the help of credit card-sized password generators.

Although they are appealing in a security-conscious environment, token-based systems challenge the simplicity of news-based discussion groups. They require "extending" the NNTP protocol, so they are nonstandard. Although we found a Kerberosized version of NewsWatcher for Macintosh (modified by Brown University), it wasn't designed to be used outside of Brown's network.