Have you ever thought about how much your firewall would gain if it could filter per user, treating the user ID as "just another" filtering criterion alongside addresses and ports?
Every connection passing through the filter could then be associated with the user who opened it, which would finally break the old, vague, insecure assumption that "1 IP address = 1 user".
Hopefully at this point you are thinking "This would be nice, but how could it be achieved?". We thought about it too, and have a solution to present.
The benefits of such a tool are large and surprisingly wide-ranging: very fine-grained enforcement of the security policy, user activity auditing, per-user QoS and routing, and even a very elegant, protocol-independent Single Sign-On as a side effect.
As for the cost, the price to pay is a small piece of software running on each computer of your LAN, which authenticates the user against your user base and vouches for the connections that user opens.
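To make the idea concrete, here is an added example, written for this page and not taken from NuFW or its protocol: a toy model in which a client-side agent vouches for each new connection by sending the filter a MAC over the connection tuple, keyed with a per-user secret the filter already holds from the user directory (a hypothetical scheme; a real one would also need a nonce or timestamp against replay, which is left out here). The filter then matches rules on the authenticated user's group rather than on the source address alone, so two users on the same host get different verdicts, an unauthenticated connection falls to the default deny, and a user claiming someone else's identity is rejected. All users, secrets, addresses and rules are constructed for the example.

```python
"""Toy per-user packet filter (added example; not NuFW code or protocol)."""
import hmac
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed user base: user -> (group, per-user secret shared with the agent).
# In a real deployment this would come from the organisation's user directory.
USER_BASE = {
    "alice": ("admins", b"alice-secret"),
    "bob":   ("staff",  b"bob-secret"),
}


@dataclass(frozen=True)
class Conn:
    """A TCP connection as seen by the filter."""
    src: str
    sport: int
    dst: str
    dport: int


def tuple_bytes(c: Conn) -> bytes:
    """Canonical encoding of the 4-tuple that both sides MAC."""
    return f"{c.src}:{c.sport}>{c.dst}:{c.dport}".encode()


def agent_sign(user: str, c: Conn) -> bytes:
    """Client side (hypothetical): the agent MACs the tuple with the user's secret."""
    return hmac.new(USER_BASE[user][1], tuple_bytes(c), hashlib.sha256).digest()


def identify(c: Conn, claimed_user: Optional[str], tag: Optional[bytes]) -> Optional[str]:
    """Filter side: bind the connection to a user only if the MAC verifies.

    Returns the user name, or None when the connection is unauthenticated
    or the claimed identity does not match the tag.
    """
    if claimed_user not in USER_BASE or tag is None:
        return None
    expected = hmac.new(USER_BASE[claimed_user][1], tuple_bytes(c), hashlib.sha256).digest()
    return claimed_user if hmac.compare_digest(expected, tag) else None


# Constructed rules: (group or None for anyone, dst, dport, verdict).
# First match wins; anything unmatched is dropped.
RULES: List[Tuple[Optional[str], str, int, str]] = [
    ("admins", "10.0.0.5", 22, "ACCEPT"),   # only admins may ssh to the server
    ("staff",  "10.0.0.5", 22, "DROP"),
    (None,     "10.0.0.9", 80, "ACCEPT"),   # the intranet web server is open to all
]


def decide(c: Conn, user: Optional[str]) -> str:
    """Evaluate the rule set with the user's group as an extra criterion."""
    group = USER_BASE[user][0] if user else None
    for rule_group, dst, dport, verdict in RULES:
        if (rule_group is None or rule_group == group) and dst == c.dst and dport == c.dport:
            return verdict
    return "DROP"


def filter_connection(c: Conn, claimed_user: Optional[str], tag: Optional[bytes]) -> Tuple[str, str]:
    """Full path: identify, decide, and produce an audit log line naming the user."""
    user = identify(c, claimed_user, tag)
    verdict = decide(c, user)
    log = f"{verdict} user={user or '-'} {c.src}:{c.sport} -> {c.dst}:{c.dport}"
    return verdict, log


def demo() -> List[str]:
    """alice and bob share one host (192.0.2.10) yet get different verdicts."""
    ssh = Conn("192.0.2.10", 40000, "10.0.0.5", 22)
    web = Conn("192.0.2.10", 40001, "10.0.0.9", 80)
    return [
        filter_connection(ssh, "alice", agent_sign("alice", ssh))[1],  # ACCEPT
        filter_connection(ssh, "bob", agent_sign("bob", ssh))[1],      # DROP
        filter_connection(ssh, None, None)[1],                         # DROP, no user
        filter_connection(ssh, "alice", agent_sign("bob", ssh))[1],    # DROP, forged claim
        filter_connection(web, None, None)[1],                         # ACCEPT for anyone
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The log lines carry the user name rather than only the source address, which is what makes the per-user auditing mentioned above possible; the same identity could equally drive per-user QoS or routing decisions.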
We wrote such a solution, combining the IP filter (the centre of the network) and the user directory (the centre of the organisation); it is called NuFW, runs on Linux (the client part runs on Windows too), and is available at http://www.nufw.org/. We also wrote an administration tool named Nuface and a log auditing interface named Nulog.
You are welcome to give these tools a try and to provide us with feedback and remarks.