After intensive work on the development branch of NuFW, 1.0 was released in March 2005. It has since been deployed in demanding production environments.
One of the most meaningful improvements in the development branch is protocol version 2:
A more extensible protocol, able to support features such as application announcement (and thus per-application filtering)
Authentication is performed via SASL
Encryption is performed via TLS
Users are identified by username rather than by numeric user id
The user lookup is performed only at the authentication stage, not for every packet
A cache has been implemented at the ACL decision stage. Benchmarks show a large performance gain at no security cost, provided cached decisions are discarded whenever the ACLs change.
A benchmark with ApacheBench shows impressive results. The following graph shows the per-request response time in ms against request number during an ApacheBench run of 200 requests with 200 concurrent clients (ab -n 200 -c 200):
Even though this is close to the best possible case (every decision is served from the cache), it shows how NuFW 0.9 compares with NuFW 0.8, and it should fairly reflect the performance gain for a standard DMZ protection setup.
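To make the caching point concrete, here is an added illustration written for this page, not code taken from NuFW's source: a small ACL engine that caches decisions per (user, protocol, destination, port) flow, with a time-to-live and a generation counter that is bumped on every rule reload, so that an ACL change can never be masked by a stale cached decision. The rule format, field names, the TTL value and the fake clock are assumptions made for the example.

```python
"""Illustrative ACL decision cache (not NuFW's implementation).

Assumptions: rules are matched first-hit-wins with a default DROP; a flow is
keyed on (user, proto, dst_ip, dst_port); the clock is injectable so the TTL
behaviour can be shown without sleeping.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str
    proto: str
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    user: str       # username or "*" for any user
    proto: str      # "tcp" / "udp"
    dst_ip: str     # address or "*" for any
    dst_port: int   # port or 0 for any
    decision: str   # "ACCEPT" or "DROP"


class AclEngine:
    def __init__(self, rules, ttl=60.0, clock=time.monotonic):
        self.rules = list(rules)
        self.ttl = ttl
        self.clock = clock
        self.generation = 0          # incremented on every ACL reload
        self.cache = {}              # Flow -> (decision, expires_at, generation)
        self.stats = {"hits": 0, "misses": 0}

    def _slow_path(self, flow):
        """Full rule walk: first matching rule wins, default DROP."""
        for r in self.rules:
            if (r.user in ("*", flow.user) and r.proto == flow.proto
                    and r.dst_ip in ("*", flow.dst_ip)
                    and r.dst_port in (0, flow.dst_port)):
                return r.decision
        return "DROP"

    def decide(self, flow):
        """Serve from cache only if the entry is unexpired AND was computed
        under the current ACL generation; otherwise re-evaluate and cache."""
        now = self.clock()
        entry = self.cache.get(flow)
        if entry is not None:
            decision, expires_at, gen = entry
            if gen == self.generation and now < expires_at:
                self.stats["hits"] += 1
                return decision
            del self.cache[flow]     # stale: expired or from an older ACL set
        self.stats["misses"] += 1
        decision = self._slow_path(flow)
        self.cache[flow] = (decision, now + self.ttl, self.generation)
        return decision

    def reload_rules(self, rules):
        """ACL change: bump the generation and flush, so no decision made
        under the old rules can ever be replayed."""
        self.rules = list(rules)
        self.generation += 1
        self.cache.clear()


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    allow_web = [Rule("alice", "tcp", "10.0.0.5", 80, "ACCEPT")]  # constructed rule
    engine = AclEngine(allow_web, ttl=30.0, clock=clock)
    flow = Flow("alice", "tcp", "10.0.0.5", 80)
    first = engine.decide(flow)      # miss: full rule walk
    second = engine.decide(flow)     # hit: served from cache
    clock.advance(31)
    third = engine.decide(flow)      # TTL expired: miss, re-evaluated
    engine.reload_rules([])          # admin removes the rule
    fourth = engine.decide(flow)     # generation bumped: DROP immediately
    return first, second, third, fourth, dict(engine.stats)


if __name__ == "__main__":
    print(demo())
```

The generation counter is what keeps the cache "free" from a security point of view: without it, a revoked rule would keep being honoured until the TTL ran out, and the longer the TTL you choose for performance, the longer that window.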
Encryption of communications between nufw and nuauth.
Support for several nufw gateways attached to the same nuauth server.
Application match support.
No-client mode: "degraded" authentication can be performed without a client on the user's computer.