Scalability and Manageability
Hand-in-hand with security is manageability. It doesn't matter how powerful your authentication system is if your access-control strategies are weak. To make discussion groups private, you must control which authenticated users may enter a particular forum. With varying access levels, a user can read or post to a specific group or be blocked completely.
INN restricts group access on a per-user basis. With user-centric access control, you restrict users to certain areas, rather than specifying valid users for a group. The distinction is subtle, but it matters: user-centric access control means you must change each user's access list every time your access policies change, multiplying the chances that a user with a poorly maintained ACL can gain access to restricted groups.
A more efficient way to maintain access control is at the news-group level. By specifically including users or groups of users, news-group controls offer a clearer view of who has access. The ability to create groups of users makes it easy to create project teams or other organizational units.
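To make the difference between the two models concrete, here is an added example (not code from the article, INN or any of the products reviewed) that models both: a user-centric table where the ACL hangs off each user, and a group-centric table where each news group lists the users or user groups allowed in. The users, the "project-x" team and the news-group name are constructed for the example. It shows the maintenance cost the text describes, and the stale-ACL risk: when a member leaves the team, the group-centric model revokes access by updating one membership list, while the user-centric model keeps granting access until someone remembers to edit that user's ACL.

```python
"""User-centric vs. group-centric news-group ACLs (constructed example)."""
from dataclasses import dataclass, field

LEVELS = {"none": 0, "read": 1, "post": 2}

# --- user-centric model: the ACL lives on the user ---------------------------
def user_centric_access(user_acls, user, newsgroup):
    """Access level a user holds under a per-user ACL table."""
    return user_acls.get(user, {}).get(newsgroup, "none")

def user_centric_policy_change(user_acls, newsgroup, level, members):
    """Granting a level on one news group means editing every member's ACL.
    Returns the number of ACL entries touched."""
    touched = 0
    for user in members:
        user_acls.setdefault(user, {})[newsgroup] = level
        touched += 1
    return touched

# --- group-centric model: the ACL lives on the news group --------------------
@dataclass
class GroupAcl:
    groups: dict = field(default_factory=dict)   # user-group name -> level
    users: dict = field(default_factory=dict)    # individual user -> level

def group_centric_access(group_acls, user_groups, user, newsgroup):
    """Highest level granted directly or through any user group; membership
    is resolved at access time, so it is never stale."""
    acl = group_acls.get(newsgroup)
    if acl is None:
        return "none"
    best = acl.users.get(user, "none")
    for ug, level in acl.groups.items():
        if user in user_groups.get(ug, ()) and LEVELS[level] > LEVELS[best]:
            best = level
    return best

def group_centric_policy_change(group_acls, newsgroup, user_group, level):
    """One edit on the news group, regardless of team size."""
    group_acls.setdefault(newsgroup, GroupAcl()).groups[user_group] = level
    return 1

def demo():
    """Constructed 50-person project team; compare both models."""
    team = [f"user{i:02d}" for i in range(50)]
    user_groups = {"project-x": set(team)}

    user_acls = {}
    uc_edits = user_centric_policy_change(user_acls, "corp.project-x", "post", team)

    group_acls = {}
    gc_edits = group_centric_policy_change(group_acls, "corp.project-x", "project-x", "post")

    # user00 leaves the project: only the membership list is updated.
    user_groups["project-x"].discard("user00")
    return {
        "user_centric_edits": uc_edits,
        "group_centric_edits": gc_edits,
        # stale per-user ACL still grants access
        "user_centric_after_leave": user_centric_access(user_acls, "user00", "corp.project-x"),
        "group_centric_after_leave": group_centric_access(group_acls, user_groups, "user00", "corp.project-x"),
        "group_centric_member": group_centric_access(group_acls, user_groups, "user01", "corp.project-x"),
        "outsider": group_centric_access(group_acls, user_groups, "mallory", "corp.project-x"),
    }

if __name__ == "__main__":
    print(demo())
```

The counts are the whole point: one policy change costs 50 edits in the user-centric model and one in the group-centric model, and the departed user's access is the difference between an ACL that is looked up and a membership that is resolved.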
Netscape's News Server provides a convenient Web-based interface for managing users, user groups and news group ACLs. Brown's Grouper service farms out the task of tracking user groups to a powerful directory service. By adding a Kerberos proxy authentication system, Brown University's solution is the only one to reach out to existing network resources. Central Kerberos authentication and Grouper group management make this the most scalable solution by far.
All the Features Money Can't Buy
Commercial products such as NetManage's Forum Server and Netscape's News Server include support for private news groups, but we found this support doesn't integrate well with existing authentication systems. Each product maintains a local user database for authentication and provides convenient GUI-based administration tools. The beta copy of NetManage's Forum Server includes a Windows-based server management utility; Netscape extends its Web-based management motif. These management tools may make life easier for an administrator, but they won't help if you have to manually enter thousands of accounts to support private news groups.
If implemented on a departmental scale, Netscape's and NetManage's news servers should provide perfectly manageable ways to support private discussion groups on a Usenet site. However, they aren't suitable for an enterprisewide intranet solution.
A New Port of INN
When faced with the problem of supporting private news groups in its campuswide environment, Brown University chose to integrate authentication with its existing network authentication system. Since Kerberos provides a networkwide authentication service, adding Kerberos support to NNTP was the logical solution to the problem of user management. Unfortunately, Kerberos doesn't provide a mechanism for creating user groups. Brown used a set of patches to INN that integrates Kerberos as an authentication system and a separate service, Grouper, to manage ACLs. The result is a powerful, yet specialized system for private news groups.
Although difficult to implement, this port of INN is the most scalable of the servers we tested. Since it is the first solution integrated with an external authentication system, creating private news groups is as simple as assigning access to existing lists of users or logical groups.
Brown's INN provides two levels of Kerberos authentication: a fully Kerberosized NNTP session and proxy authentication using the standard NNTP authinfo protocol. This allows any NNTP client to transmit a user name and password, which is then used to obtain a Kerberos ticket-granting ticket (TGT) on the server side. Unfortunately, this method transmits the user's name and password across the network in clear text, compromising the Kerberos security model.
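The proxy path above is worth seeing on the wire. The following added example (not Brown's patches or any INN code) simulates the server side of an AUTHINFO USER / AUTHINFO PASS exchange, with a constructed credential table standing in for the Kerberos KDC the real proxy would ask for a TGT, and then runs the kind of check a network monitor would apply to the captured client stream: when the session is not wrapped in an encrypted transport, the user name and password are recoverable verbatim. The response codes follow the later RFC 4643 AUTHINFO specification, an assumption the article itself does not make.

```python
"""Simulated NNTP AUTHINFO proxy exchange and a cleartext-credential check."""

# Constructed stand-in for the Kerberos KDC the proxy would contact.
_KDC = {"alice": "correct horse"}

def kerberos_proxy_login(user, password):
    """Placeholder for the server obtaining a TGT with the supplied password."""
    return _KDC.get(user) == password

class AuthinfoServer:
    """Minimal NNTP state machine for AUTHINFO USER / AUTHINFO PASS."""
    def __init__(self):
        self.pending_user = None
        self.authenticated = None

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        sub, _, value = arg.partition(" ")
        if cmd.upper() != "AUTHINFO":
            # Any other command before login is refused (RFC 4643 code 480).
            return "480 Authentication required" if not self.authenticated else "200 Ok"
        if sub.upper() == "USER":
            self.pending_user = value
            return "381 Password required"
        if sub.upper() == "PASS":
            if self.pending_user is None:
                return "482 Authentication commands issued out of sequence"
            user, self.pending_user = self.pending_user, None
            if kerberos_proxy_login(user, value):
                self.authenticated = user
                return "281 Authentication accepted"
            return "481 Authentication failed/rejected"
        return "501 Syntax error"

def run_session(client_lines):
    """Feed client lines to the server; return (authenticated user, transcript)."""
    server = AuthinfoServer()
    transcript = []
    for line in client_lines:
        transcript.append(("C", line))
        transcript.append(("S", server.handle(line)))
    return server.authenticated, transcript

def cleartext_credentials(transcript, encrypted=False):
    """(user, password) pairs readable in the client stream of an unprotected
    session; a monitor would raise an alert for each one. An encrypted
    transport hides the stream, so nothing is reported."""
    if encrypted:
        return []
    exposed, user = [], None
    for side, line in transcript:
        if side != "C":
            continue
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0].upper() == "AUTHINFO":
            if parts[1].upper() == "USER":
                user = parts[2]
            elif parts[1].upper() == "PASS" and user is not None:
                exposed.append((user, parts[2]))
                user = None
    return exposed

if __name__ == "__main__":
    who, log = run_session(["AUTHINFO USER alice", "AUTHINFO PASS correct horse"])
    for side, line in log:
        print(side, line)
    print("authenticated:", who, "exposed:", cleartext_credentials(log))
```

The server never sees a Kerberos ticket from the client; it sees the password and fetches the ticket itself, which is exactly why the password has to cross the network. The fully Kerberosized session the text mentions avoids this by having the client present a ticket instead.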
We found the result to be a functional solution for private news groups, but implementation was anything but straightforward. Like most Unix software, it requires recompiling the INN server after applying Brown's source-code patches. However, documentation is slim, which made configuration difficult. Although it is the only product that adequately supports private news groups on a large scale, in Brown's own description, it's a niche product. Obviously, it's not a good solution if your environment hasn't invested in Kerberos as an authentication system. Also, it requires maintaining user groups through the Grouper service.
The Future
Although current offerings for authentication are rather limited, NetManage, Netscape and Microsoft say they have plans for supporting external authentication and access control systems. Both NetManage and Microsoft plan to support NNTP authentication through Windows NT domains. This is a strategic solution if your organization has standardized on NT. Netscape has a different strategy. Its news and mail servers will be the first to be integrated with X.500 directory services through the Lightweight Directory Access Protocol (LDAP).
Dan Backman can be reached at dbackman@nwc.com.