How is NuFW different from a transparent proxy?
A transparent proxy works only for the protocols it knows about. With NuFW, any protocol can be authenticated (as long as Netfilter has a connection tracking module for it).
The drawback is that, with NuFW, clients are directly connected to servers, which is not the most secure way to go. It is however possible to use NuFW together with a proxy for some protocols.
How is NuFW different from Checkpoint FW/1 and Netscreen?
With Checkpoint FW/1 and Netscreen, a user first authenticates by HTTPS, and authorisations are then set based on the IP address of the machine which initiated the connection. This is called a priori authentication, and it is not very secure. Neither of those systems is able to differentiate users connected on the same machine (Terminal Server, Citrix, ...) or an entire network hidden behind network address translation. Thus, the credentials of a person connected to a multiuser machine are the sum of the credentials of all people connected to that computer. NuFW identifies and authenticates the source user of each and every connection on an individual basis, and performs no a priori approximation or supposition.
With NuFW, you can have multiple users using the same computer without any interference, and you cannot be cheated by NAT. So NuFW is far better at authenticating users in a multiuser environment.
Oh, and yes, we nearly forgot, NuFW is Free :)
How is NuFW different from authpf?
With authpf, a user authenticates when he connects to the gateway through ssh, and rules are added at that moment. Thus there are two points:
1. The rules are added once and cannot change dynamically after the user has logged in.
2. Rules are linked to the IP address the user has connected from. Thus, authpf is not resistant to multiple logins on the same machine, nor to network address translation, which can mask a ton of users behind a single IP address.
With NuFW:
1. Rules can be changed dynamically at any time (with the limitation that active (established, related) connections are not closed).
2. NuFW is tolerant of computers with multiple simultaneous users because each user authenticates his own connections. NuFW is resistant to NAT because the real source IP address is contained in the encrypted authentication packet.
What's the difference between NuFW and a VPN system?
A Virtual Private Network is often a means to authenticate users. The authentication is often done with an SSL certificate, and a VPN has the advantage of encrypting the data exchanged. But a VPN has the following disadvantages, which NuFW avoids:
VPN authentication does not work with multiuser computers (well, it *works*, but does not differentiate one user from another).
VPN encryption is not necessary if users are in a trusted environment.
In an enterprise VPN linking different sites, authentication by VPN brings a double encapsulation which can overload link capacity by increasing packet size.
A VPN does not really guarantee the identity of users, because the user's computer can act as a router for other computers.
On the other hand, the VPN solution has these advantages over NuFW :
it can encrypt network flows with high security. NuFW isn’t meant to encrypt users data.
Thus, in an enterprise VPN, NuFW can be used to achieve authentication. It is perfectly sane and makes sense to run NuFW on a VPNed network. Those functionalities are orthogonal.
How does NuFW react to Network Address Translation?
There are two kinds of NAT: Source NAT and Destination NAT. Source NAT is when the source IP address of the first packet of a connection is modified; Destination NAT is when the destination IP address of the first packet of a connection is modified.
How does NuFW react to Destination Network Address Translation?
NuFW cannot cope with Destination NAT because, on the one hand, the packet sent to the gateway is changed before it reaches NuFW, and on the other hand, the data describing the packet contained in the user authentication packet are not (and cannot be) changed by the NAT. However, it is possible and secure to chain a NuFW gateway with another gateway and perform Destination NAT on the second gateway. So NuFW and Destination NAT are not compatible, but Destination NAT can't be used to cheat NuFW.
How does NuFW react to Source Network Address Translation?
NuFW works fine with Source NAT, provided Source NAT is performed on the NuFW gateway itself or on a machine beyond it, but not on a host located between the client and the NuFW gateway.
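The following is an added example, not NuFW's own code, that models the per-connection decision described in the authpf and NAT answers above: the gateway matches the queued first packet of a connection against the connection description carried in the client's authentication packet, then applies that user's ACL. The `decide` and `nat_between_client_and_gateway` functions, the ACL and the addresses are constructed for the example; they show why two users on one host are told apart, why Destination NAT breaks the match, and why Source NAT between the client and the gateway does too.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ConnTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class AuthPacket:
    # Sent by the client agent: which connection it opened and which user opened it.
    conn: ConnTuple
    user: str

# Constructed ACL for the example: user -> set of (dst_ip, dst_port) the user may reach.
ACL = {"alice": {("10.0.0.5", 22)}, "bob": {("10.0.0.5", 80)}}

def decide(queued: ConnTuple, auth_packets: List[AuthPacket]) -> Tuple[str, Optional[str]]:
    """Gateway side (hypothetical model): match the queued first packet against the
    authentication packets received from client agents, then apply the matched
    user's ACL. Matching on the full 4-tuple is what tells two users on one host
    apart (different source ports), and what fails when a NAT box between the
    client and the gateway rewrites the tuple before the gateway sees it."""
    for ap in auth_packets:
        if ap.conn == queued:
            allowed = (queued.dst_ip, queued.dst_port) in ACL.get(ap.user, set())
            return ("ACCEPT" if allowed else "DROP", ap.user)
    return ("DROP", None)  # nobody claimed this connection: treated as unauthenticated

def nat_between_client_and_gateway(conn: ConnTuple, src_ip: Optional[str] = None,
                                   dst_ip: Optional[str] = None) -> ConnTuple:
    """Model a NAT box on the path before the gateway rewriting source or destination."""
    return ConnTuple(src_ip or conn.src_ip, conn.src_port, dst_ip or conn.dst_ip, conn.dst_port)

# Constructed scenario: alice and bob are both logged in on the host 192.168.1.10.
ALICE_SSH = ConnTuple("192.168.1.10", 40001, "10.0.0.5", 22)
BOB_SSH = ConnTuple("192.168.1.10", 40002, "10.0.0.5", 22)
AUTH = [AuthPacket(ALICE_SSH, "alice"), AuthPacket(BOB_SSH, "bob")]

if __name__ == "__main__":
    print(decide(ALICE_SSH, AUTH))  # alice's own connection, allowed by her ACL
    print(decide(BOB_SSH, AUTH))    # same host, but bob may not reach port 22
    # Destination NAT before the gateway: the queued packet matches no auth packet.
    print(decide(nat_between_client_and_gateway(ALICE_SSH, dst_ip="10.0.0.9"), AUTH))
    # Source NAT between client and gateway: same failure, hence SNAT only on or beyond the gateway.
    print(decide(nat_between_client_and_gateway(ALICE_SSH, src_ip="203.0.113.1"), AUTH))
```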
Does the NuFW gateway run on *BSD?
We have had a look at the packet filtering implementations on OpenBSD and FreeBSD. OpenBSD now ships with pf, and FreeBSD ships with ipfw, ipf and pf, and FreeBSD people seem to recommend pf for its superior capabilities.
From our look at pf, there is currently no mechanism to defer a packet's verdict to userland through a socket (as Netfilter's QUEUE target allows, together with libipq). So, for now, we think there is no way we can cleanly port NuFW to *BSD.
We think the nuauth daemon should compile and run on *BSD without special changes, though (this has not been tested yet, as far as we know). We do care about *BSD, and if we find that NuFW can be ported to those systems, we will work on it.
What protocols does NuFW support?
For now, the NuFW system is able to authenticate the TCP and UDP protocols. On the client side, only the Windows client supports UDP for now. All clients support TCP. We are working on designing a client-side architecture on Linux/UNIX/BSD/Mac to be able to authenticate UDP. Furthermore, some flows, especially file sharing flows (like NFS or SMB), are emitted by the client machine's kernel, so they cannot be formally authenticated: it is the kernel that opens those connections. In some cases, one given connection is even used by several distinct users of a given share.
Does the NuFW client work on *BSD?
NuFW clients are available for FreeBSD and Mac OS X. They have not been tested on other *BSD systems, but they should work as the API is unchanged.
Does a NuFW 2.0 client work with a NuFW 1.0 server (and vice versa)?
No, the protocol has changed between 1.0 and 2.0 and there is no compatibility.
Where can I find answers to my technical questions on NuFW?
A FAQ is available on software.inl.fr.
Where can I find links to all documentation related to NuFW?
All documentation and links to documentation can be found on this page on software.inl.fr.