It is strongly recommended to put nuauth in a protected place to ensure the security of
communications between nufw and nuauth[1].
Because the firewall policy relies on the answers of nuauth, it is wise to check that
the nuauth server is trustworthy. To do so, nufw can be asked to check the certificate presented
by nuauth during the TLS negotiation. This is done by starting nufw with the -a option
followed by the name of the certificate authority file.
With this option set, nufw will check that nuauth presents a certificate signed by that
authority.
You can even run nufw in strict TLS mode using the -S parameter. We highly recommend
using this option. It means nufw will not start if your certificate is:
- Not verifiable against an authority
- Invalid
- Revoked
- Without signer
- Signed by a signer that is not a CA
- Signed with an insecure algorithm (if GnuTLS is compiled with its support)
- Not yet activated
- Expired
You can also restrict the number of connections a given user can start, either in total (on any IP address) or per IP address:
- nuauth_single_user_client_limit: limit on the number of connections a user can start
- nuauth_single_ip_client_limit: limit on the number of connections a user can start from one IP address
On the client side, the system needs to be trustworthy if you want to perform valuable application and OS filtering. You must never forget that it is the application on the client side which reports the application name as well as the operating system name and version: this information CAN and WILL be spoofed if a malicious user installs a modified NuFW agent.
This warning needs to be taken into account, but one cannot forget that this feature exists to secure flows that an administrator would otherwise have to keep open on a standard system[2].
Thus, the value of application and OS filtering depends on the confidence you have in the system which issues the authentication. On a secured system where users cannot install software, this sort of filtering is "quite secure".
If your LDAP server supports TLS, you can set up nuauth so that the LDAP ACL checking module uses LDAP over SSL.
To do so, edit nuauth.conf and change the LDAP port to 636 (ldaps):

ldap_server_port=636

The next step is to edit /etc/ldap/ldap.conf to indicate which policy you want to use for the SSL connection. If you only want to encrypt data (without verifying the server's certificate), you can simply add to ldap.conf:

TLS_REQCERT never

The recommended setup is to fill in ldap.conf with the path to the certificate authority. Your ldap.conf should then look like:

TLS_CACERT /etc/ldap/cacert-ldap.pem
TLS_REQCERT demand

Please note that you need a certificate that matches precisely the hostname set in
ldap_server_addr of nuauth.conf.
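The encrypt-only ldap.conf setting beside the recommended one, as an added example (not NuFW's own code) that audits the two files described above; nuauth.conf is read as key=value lines, ldap.conf as KEY value lines, and the configuration fragments it contains are constructed samples.

```python
# Audit the nuauth-to-LDAP TLS settings described above (added example, not NuFW code).
# nuauth.conf uses key=value lines and ldap.conf uses 'KEY value' lines; '#' starts a
# comment in both. The configuration fragments at the bottom are constructed samples.

def parse_nuauth_conf(text):
    """Parse nuauth.conf style 'key=value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf

def parse_ldap_conf(text):
    """Parse ldap.conf style 'KEY value' lines into a dict (keys uppercased)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf

def audit_ldap_tls(nuauth_text, ldap_text):
    """Return (level, notes): level is 'recommended', 'encrypt-only' or 'weak'.
    'encrypt-only' is the TLS_REQCERT never case: encrypted, server never authenticated."""
    nu, ld = parse_nuauth_conf(nuauth_text), parse_ldap_conf(ldap_text)
    ldaps = nu.get("ldap_server_port") == "636"
    reqcert = ld.get("TLS_REQCERT", "").lower()
    notes = []
    if not ldaps:
        notes.append("ldap_server_port is not 636: ACL lookups do not use ldaps")
    if reqcert == "never":
        notes.append("TLS_REQCERT never: data encrypted, server certificate not checked")
    elif reqcert != "demand":
        notes.append("TLS_REQCERT should be 'demand'")
    if "TLS_CACERT" not in ld:
        notes.append("TLS_CACERT missing: no authority to verify the server against")
    if not notes:
        host = nu.get("ldap_server_addr", "<ldap_server_addr unset>")
        return "recommended", ["server certificate must match hostname " + host]
    return ("encrypt-only" if ldaps and reqcert == "never" else "weak"), notes

# Constructed samples: the encrypt-only ldap.conf beside the recommended one.
NUAUTH_CONF = "ldap_server_addr=ldap.example.org\nldap_server_port=636\n"
LDAP_ENCRYPT_ONLY = "TLS_REQCERT never\n"
LDAP_RECOMMENDED = "TLS_CACERT /etc/ldap/cacert-ldap.pem\nTLS_REQCERT demand\n"
```

Running audit_ldap_tls(NUAUTH_CONF, LDAP_ENCRYPT_ONLY) reports the encrypt-only case, while the recommended fragment passes and names the hostname the server certificate must carry.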
[1] Even if all flows are TLS encrypted.
[2] Please avoid an ABS effect: "we've got more security, so we can break later".