The EFICAAS research project

Extending Firewalling Infrastructure Capabilities and Aggregating Authentication Systems


Éric Leblond, Vincent Deffontaines, Xavier Desurmont

User filtering at the IP filter level

This project aims to identify and strictly authenticate Users' flows at the IP filter level.

We research new authentication capabilities at network scale. More information, along with some of our concepts and results, is available in our article: eficaas_01.pdf.

This project's primary aim is network security modeling. However, it also yields many interesting functionalities that follow from our basic concepts.

Per User, per application, per Operating system filtering

The IP filter can now be aware, for every datagram passing through, not only of the User's ID but also of the application and operating system they are using. Hence, rules like:

Allow John Smith to connect to our webserver only if he is running Debian Sarge and Firefox 0.75
or
Allow the Accounting group to connect to our accounting server, be they connected on our LAN or from home.
can be integrated into your security policy and IP filter rules.

Single Sign On

We easily implement a pluggable, open, protocol-independent Single Sign On solution. Unlike many SSO implementations, our design allows for SSO on any protocol, and covers the needs of mobile/remote Users too.

Per User or per application Quality of Service

Our design includes real per User quality of service, meaning you can limit a User's network bandwidth globally, even if he logs on at several points of your network.

Full integration into the User directory

Our implementation uses (amongst others) an LDAP connector that lets you use your User directory to authenticate all Users' flows without heavy modification of your LDAP schemas.

Our implementation is Free

Our work on GNU/Linux and other Free platforms is released under the GNU General Public License v2. Source code, documentation, etc. are available at http://www.nufw.org/. This project is fully available for testing and deployment.

Theoretical articles about the authentication algorithm used

The following articles are available for download: