| NuFW: Single sign-on meets firewall |
Jan. 05, 2007
French open-source company INL has recently released the latest version of its next-generation firewall, NuFW 2.1.1.
NuFW starts, like most Linux firewall software does, on the foundation of the Linux kernel's Netfilter, a set of basic IP (Internet Protocol) hooks that allows kernel modules to register callback functions with the network stack. In most distributions, it's used with iptables to create generic Linux firewalls.
Where NuFW steers away from commonplace firewalls is by bringing the notion of user identity to the firewall's security rules. With most firewalls, the rules on what network ports are enabled or disabled is determined by the computer's network address. For example, you might let the PC with the address 192.168.0.100 have access to the IP port range 6881 to 6891 to make it work better with the BitTorrent file sharing protocol. With NuFW, the firewall permissions follow an authenticated user instead of a PC's address.
Thus, firewall filtering rules are not based on just computers, but also on users or groups, so that the security policy can be enforced for a user no matter where he or she is on the network. This also lends itself to marrying the firewall with an SSO (single sign on) authentication system.
NuFW does this by keeping a real-time, authenticated, connection tracking table in a MySQL or PostgresSQL database. This tracks each user's connection's IP parameters, identity, and the origin and state of this connection. This, in turn, can be used with an LDAP (Lightweight Directory Access Protocol) directory or an individual application, like Apache, which has an authentication module, Mod_auth_nufw, that works with NuFW, for SSO.
User-based firewalls are not new in and of themselves. Checkpoint FW/1 and Netscreen, for example, are commercial products that do this. The difference between these approaches and NuFW is that these use HTTPS and IP address-based authentication. With these, multiple users can access the secured network from a single multi-user system, or from behind a NAT (Network Address Translation) firewall.
If this sounds to you like a combination SSO and firewall system that duplicates some of the functionality of a VPN (virtual private network), you're right, it does. It does, not, however, encrypt datastreams, so it shouldn't be used as a VPN replacement.
NuFW may, or may not, work with NATs. If you're using Source NAT, where the source IP of the first packet of a connection is modified, NuFW will work. It won't work, without a lot of effort, when Destination NAT is used in situations where the Destination IP of a connection's first packet is modified.
That aside, however, NuFW makes an interesting, inexpensive approach to local and remote networking firewall security. The server program is composed of two daemons that can be put on different systems. In addition, the main daemon is heavily multithreaded, so it's a very scalable system. On top of that, it's a modular system, where both user authentication and the ACL (access control list) verification are performed via loadable modules. The GPLv2 program comes with system, ldap, dbm, and plaintext modules. User activity logging can be done via syslog, mysql, or postgresql.
On the PC side, users need to use a client program. For Linux, there's nutcpc, a command line interface program; nuapplet, a GNOME 2.x applet; and nuapp, a GTK 2.x application. Nuapp and nutcpc will also work with Mac OS X and FreeBSD. For Windows users, there's NuWINc, which is available from INL under a proprietary license from INL, a French open source service company.
The server program is available in Debian packages and as source code. The NuFW server is also available in Mandriva Corporate Server 4 with commercial support from INL, and the client is built into the latest versions of Mandriva Linux.
-- Steven J. Vaughan-Nichols
Do you have comments on this story?
Talkback here
NOTE: Please post your comments regarding our articles using the above link. Be sure to use this article's title as the "Subject" in your posts. Before you create a new thread, please check to see if a discussion thread is already running on the article you plan to comment on. Thanks!
(Click here for further information)
|
|
|
7 Advantages of D2D Backup
For decades, tape has been the backup medium of choice. But, now, disk-to-disk (D2D) backup is gaining in favor. Learn why you should make the move in this whitepaper.
4 Legal Reasons to Control Internet Access
The Internet is obviously a valuable resource for many organizations. However, many are exposed to legal liability concerns because they fail to control Internet access. Learn if you're safe in this white paper.
Rapidly Resolve J2EE Application Problems
Whether you are in the process of building J2EE applications or have J2EE applications already running in production, you must ensure that they deliver the expected ROI. Learn how in this white paper.
Load Testing 2.0 for Web 2.0
There are many unknowns in stress testing Web 2.0 applications. Find out how to test the performance of Web 2.0 in this white paper.
Build Better Games Online
For the game infrastructure providers, life is complex. Making money from games has become more complicated. Why? Find out in this white paper.
Building a Virtual Infrastructure from Servers to Storage
This white paper discusses the virtual storage solutions that reduce cost, increase storage utilization, and address the challenges of backing up and restoring Server environments.
Gaining Faster Wireless Connections with WiMAX
Welcome to what is quickly becoming the hyperconnected world where anything that would benefit from being connected to the network will be connected. Learn more in this white paper.
Is Your Desktop a Security Threat?
The new wave of sophisticated crimeware not only targets specific companies, but also targets desktops and laptops as backdoor entryways into those business’ operations and resources. Learn how to stay safe in this white paper.
Increasing SAN Reliability by 100 Percent
Storage area networks (SAN) are a strong part of storage plans. Learn how to increase your reliability and uptime by 100 percent in this case study.
|
|
|
|
|
news feed