NuFW
From Wikipedia, the free encyclopedia
| nufw | |
|---|---|
| Developer | NuFW Core Team |
| Latest release | 2.0.17 / March 26, 2007 |
| OS | Linux |
| Use | Packet filtering |
| License | GNU General Public License |
| Website | www.nufw.org |
NuFW is a GPL-licensed extension to Netfilter (the packet-filtering framework of the Linux kernel). It adds user authentication to filtering rules.
Introduction
NuFW is an extension of Netfilter that brings the notion of a user into IP filtering.
NuFW can:
- Authenticate every connection that goes through the gateway, or only connections from/to a chosen subset of hosts or a specific protocol (iptables is used to select which connections must be authenticated).
- Perform accounting, routing and quality of service based on users rather than only on IP addresses.
- Filter packets on criteria such as the application and operating system used by the remote user.
- Serve as the core of a secure and simple Single Sign-On system.
Principles
NuFW rejects the assumption that an IP address identifies a user, since a source address can easily be spoofed. It therefore authenticates each connection with its own exchange:
- A standard application on the client host sends a packet.
- The NuFW client notices that a connection is being initiated and sends a user request packet (identifying the user and the connection) to the Nuauth server.
- The nufw daemon on the gateway queues the packet and sends an auth request packet describing the connection to the Nuauth server.
- The Nuauth server correlates the auth request with the matching user request and checks the resulting user/connection pair against an authentication authority.
- The Nuauth server sends its answer back to the nufw daemon.
- The nufw daemon forwards or drops the queued packet according to that answer.
This exchange performs an a posteriori authentication of each connection. Because there is no time-based association between an address and a login, the identity of the user who emitted the packet is established for that packet itself.
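The exchange above, as an added simulation that is not NuFW project code: a nufw gateway, a NuFW client and a Nuauth server are modelled as plain Python objects, and the scenario shows why a packet from a "known" IP address is still dropped when no client has claimed it. The message shapes, the ACL layout (group, destination address, destination port, verdict) and the user database are assumptions for illustration only; the real daemons use their own wire protocol and back ends.

```python
"""Simulation of NuFW's a posteriori connection authentication (added example,
not NuFW's own code). Protocol fields, ACL format and user database are
constructed for illustration."""
from dataclasses import dataclass

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class ConnTuple:
    """Connection identity as both the client and the gateway observe it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nuauth:
    """Correlates gateway auth requests with client user requests and decides."""

    def __init__(self, acl, user_db):
        self.acl = acl              # list of (group, dst_ip or "*", dst_port or 0, verdict)
        self.user_db = user_db      # constructed authority: user -> (password, group)
        self.user_requests = {}     # ConnTuple -> (user, password) announced by clients

    def user_request(self, conn, user, password):
        # Client side: "this connection was opened by this user".
        self.user_requests[conn] = (user, password)

    def auth_request(self, conn):
        # Gateway side: "a packet for this connection is queued; verdict?"
        req = self.user_requests.pop(conn, None)
        if req is None:
            return DROP, None       # no client claimed it: spoofed or unauthenticated host
        user, password = req
        entry = self.user_db.get(user)
        if entry is None or entry[0] != password:
            return DROP, None       # authority rejects the credentials
        group = entry[1]
        for acl_group, dst_ip, dst_port, verdict in self.acl:
            if (acl_group == group and dst_ip in (conn.dst_ip, "*")
                    and dst_port in (conn.dst_port, 0)):
                return verdict, user
        return DROP, user           # authenticated but no rule grants access


class NufwClient:
    """Runs on the user's host; announces each new connection to nuauth."""

    def __init__(self, nuauth, user, password):
        self.nuauth, self.user, self.password = nuauth, user, password

    def on_new_connection(self, conn):
        self.nuauth.user_request(conn, self.user, self.password)


class NufwGateway:
    """Runs on the filtering gateway; holds the packet until nuauth answers."""

    def __init__(self, nuauth):
        self.nuauth = nuauth
        self.log = []               # (conn, user, verdict) for accounting

    def handle_packet(self, conn):
        verdict, user = self.nuauth.auth_request(conn)
        self.log.append((conn, user, verdict))
        return verdict


def run_scenario():
    """Constructed scenario; returns the verdict for each labelled connection."""
    acl = [("devs", "10.0.0.5", 22, ACCEPT), ("devs", "*", 80, ACCEPT),
           ("guests", "*", 80, ACCEPT)]
    nuauth = Nuauth(acl, {"alice": ("s3cret", "devs"), "bob": ("hunter2", "guests")})
    gw = NufwGateway(nuauth)
    alice = NufwClient(nuauth, "alice", "s3cret")
    bob = NufwClient(nuauth, "bob", "hunter2")
    results = {}
    # alice (group devs) opens SSH: client announces it, gateway accepts
    c1 = ConnTuple("192.168.1.10", 40000, "10.0.0.5", 22)
    alice.on_new_connection(c1)
    results["alice_ssh"] = gw.handle_packet(c1)
    # bob (group guests) opens SSH: authenticated, but no rule allows it
    c2 = ConnTuple("192.168.1.11", 40001, "10.0.0.5", 22)
    bob.on_new_connection(c2)
    results["bob_ssh"] = gw.handle_packet(c2)
    # bob opens HTTP: allowed for guests
    c3 = ConnTuple("192.168.1.11", 40002, "10.0.0.9", 80)
    bob.on_new_connection(c3)
    results["bob_http"] = gw.handle_packet(c3)
    # a packet forged with alice's source address, with no client behind it
    c4 = ConnTuple("192.168.1.10", 40003, "10.0.0.5", 22)
    results["spoofed_ssh"] = gw.handle_packet(c4)
    # a client claiming to be alice with the wrong password
    mallory = NufwClient(nuauth, "alice", "wrong")
    c5 = ConnTuple("192.168.1.12", 40004, "10.0.0.5", 22)
    mallory.on_new_connection(c5)
    results["bad_password"] = gw.handle_packet(c5)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The spoofed case is the point of the design: the forged packet is indistinguishable from alice's by address, yet it is dropped because no NuFW client produced a user request for that exact connection. In the simulation the gateway's auth request is answered immediately; the real nufw daemon keeps the packet queued until nuauth answers or a timeout expires, and a missing user request is treated the same way as here.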