Frequently asked questions
Version 5 (Eric Leblond, 02/07/2010 11:24 am)
h1. Frequently asked questions
h2. Global questions

h3. I love NuFW, but is it available as a hardware firewall?

NuFW is a Free/Open Source project. This means you can install it, configure it, and maintain it yourself, if you have the knowledge and time to do so. The INL team, who invented the concept of ID-based firewalling and developed NuFW, also distributes the EdenWall firewall appliance, which requires little knowledge and time for installation as well as for maintenance. The EdenWall hardware appliance provides all features of the NuFW project.

h3. How different is NuFW from a transparent proxy?

A transparent proxy works only for the protocols it knows about. With NuFW, any protocol can be authenticated (as long as Netfilter has a connection tracking module for it).

The drawback is that, with NuFW, clients are directly connected to servers, which is not the most secure way to go. It is however possible to use NuFW together with a proxy for some protocols.

h3. How different is NuFW from 802.1X?

We found a couple of strong differences:

Firstly, what 802.1X does is bind a computer (MAC address) to the authentication of a user. This is, formally, a fuzzy thing to do, because a user is something very different from a MAC address. In practice, that binding is not very accurate: for instance, it fails on multi-user systems, such as Citrix, Terminal Server, Linux, or any virtualization solution, because these systems host several users on the same MAC address. NuFW's model is very different: we strictly recognize users, and make no binding with IP or MAC addresses.

Furthermore, 802.1X sets up a network port, associated to a user, in a VLAN. What NuFW does is very different: it distinguishes one user from another and sets network permissions according to each user's identity. NuFW also provides fine-grained logging of each network connection passing through.

802.1X was not designed to bring fine-grained filtering, nor to work with user identity matters. Whether you use 802.1X or not, your computer is bound to one single VLAN. In the real world, many users are members of several groups in the user directory, and the network permissions each user should be granted can be much more complete than a mapping to a VLAN. NuFW solves this problem elegantly, while 802.1X is unable to address it.

Last, NuFW is a firewall: it works without a need to change your entire network infrastructure. NuFW works with any switch/router, and even on VPNs!

h3. How different is NuFW from Checkpoint FW/1 and Netscreen?

With Checkpoint FW/1 and Netscreen, a user first authenticates by HTTPS and authorizations are set based on the IP address of the machine which initiated the connection. This is called a priori authentication, and it is not very secure. Neither of those systems is able to differentiate users connected on the same machine (Terminal Server, Citrix, ...) or an entire network hidden behind network address translation. Thus, the credentials of a person connected on a multi-user machine are the sum of the credentials of all people connected to the computer. NuFW identifies and authenticates the source user of each and every connection on an individual basis, and performs no a priori approximation or supposition.

With NuFW, you can have multiple users using the same computer without any interference, and you cannot be cheated by NAT. So NuFW is far better at authenticating users in a multi-user environment.

Oh, and yes, we nearly forgot, NuFW is Free :)

h3. How different is NuFW from authpf?

With authpf, a user authenticates when he connects to the gateway through ssh, and rules are added at this moment. Thus there are two points:

# The rules are added once and cannot change dynamically after the user has logged in.
# Rules are linked to the IP the user has connected from. Thus, authpf is not resistant to either multiple logins on the same machine or network address translation, which can mask a ton of users behind one IP.

With NuFW:

# Rules can be changed dynamically at any time (with the limitation that active (established, related) connections are not closed).
# NuFW is tolerant of computers with multiple simultaneous users because each user authenticates his own connections. NuFW is resistant to NAT because the real source IP address is contained in the encrypted authentication packet.

h3. What's the difference between NuFW and a VPN system?

A Virtual Private Network is often a means to authenticate users. The authentication is often done by an SSL certificate, and a VPN has the advantage of encrypting data exchanges. But a VPN has the following disadvantages, which NuFW addresses:

* VPN authentication does not work with multi-user computers (well, it *works*, but does not differentiate one user from another)
* VPN encryption is not necessary if users are in a trustable environment
* In an enterprise VPN linking different sites, authentication by VPN brings a double encapsulation which can overload link capacity by increasing packet size.
* VPN does not really guarantee the identity of users because a user's computer can act as a router for other computers

On the other hand, the VPN solution has this advantage over NuFW:

* it can encrypt network flows with high security. NuFW isn't meant to encrypt users' data.

Thus, in an enterprise VPN, NuFW can be used to achieve authentication. It is perfectly sane and makes sense to run NuFW on a VPNed network. Those functionalities are orthogonal.

h3. How does NuFW react to Network Address Translation?

There are two kinds of NAT: Source NAT and Destination NAT. Source NAT is when the source IP of the first packet of a connection is modified; Destination NAT is when the destination IP of the first packet of a connection is modified.

h4. How does NuFW react to Destination Network Address Translation?

NuFW cannot cope with Destination NAT because, on the one hand, the packet sent to the gateway is changed before it reaches NuFW, and on the other hand, the data describing the packet contained in the user authentication packet are not (and cannot be) changed by the NAT. However, it is possible and secure to chain a NuFW gateway with another gateway and perform Destination NAT on the second gateway. So NuFW and Destination NAT are not compatible, but Destination NAT can't be used to cheat NuFW.

h4. How does NuFW react to Source Network Address Translation?

NuFW works fine with Source NAT, provided Source NAT is performed on the same machine as NuFW, or on another machine, but not on a host between the NuFW server and the client.
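The matching logic behind the two NAT answers above, as an added illustration that is not NuFW's own code: a simplified model in which the gateway compares the connection tuple it observes with the tuple the client's authentication packet describes, and a NAT hop placed before the gateway breaks that match while one placed on or after it does not. The hop kinds, addresses and user name are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class Conn:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Hop kinds on the client-to-server path (constructed scenarios):
#   ("nufw",)            the authenticating gateway (queue-to-userland decision)
#   ("snat", ip)         a box rewriting the source address
#   ("dnat", ip, port)   a box rewriting the destination address and port
def authenticate(observed: Conn, claimed: Conn, user: str) -> Optional[str]:
    """Accept `user` only if the tuple the gateway observes equals the tuple
    described in the client's authentication packet; otherwise no identity."""
    return user if observed == claimed else None

def walk(client_conn: Conn, path: List[tuple], user: str) -> Optional[str]:
    """Push the connection's first packet through each hop. NAT hops before
    the NuFW hop change what it observes; NAT hops after it do not."""
    pkt = client_conn
    decision: Optional[str] = None
    for hop in path:
        if hop[0] == "nufw":
            # Filtering runs before the gateway's own POSTROUTING SNAT, so
            # SNAT on the NuFW box itself leaves the observed tuple intact.
            decision = authenticate(pkt, client_conn, user)
        elif hop[0] == "snat":
            pkt = replace(pkt, src=hop[1])
        elif hop[0] == "dnat":
            pkt = replace(pkt, dst=hop[1], dport=hop[2])
        else:
            raise ValueError(f"unknown hop {hop!r}")
    return decision

# Constructed sample: user "alice" on 192.168.1.20 opens TCP to
# 203.0.113.10:443 and her client reports exactly that tuple.
ALICE = Conn("tcp", "192.168.1.20", 40001, "203.0.113.10", 443)

def scenarios() -> dict:
    return {
        "dnat_before_nufw": walk(ALICE, [("dnat", "10.0.0.5", 8443), ("nufw",)], "alice"),
        "dnat_after_nufw": walk(ALICE, [("nufw",), ("dnat", "10.0.0.5", 8443)], "alice"),
        "snat_between": walk(ALICE, [("snat", "198.51.100.1"), ("nufw",)], "alice"),
        "snat_on_or_after_nufw": walk(ALICE, [("nufw",), ("snat", "198.51.100.1")], "alice"),
    }
```

A `None` result means the connection carries no authenticated identity and falls through to the gateway's default policy, which is why a DNAT box in front of NuFW cannot be used to borrow someone's credentials.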

h3. Does the NuFW gateway run on *BSD?

We have had a look at packet filtering implementations on OpenBSD and FreeBSD. OpenBSD now ships with pf, and FreeBSD ships with ipfw, ipf and pf, and FreeBSD people seem to recommend pf for its superior capabilities.

From our look at pf, there is currently no mechanism to hand a packet's decision off to userland through a socket (like netfilter's QUEUE target allows, together with libipq). So, for now, we think there is no way we can cleanly port NuFW to *BSD.

We think the nuauth daemon should compile and run on *BSD with nothing special to change, though (this has not been tested yet, that we know of). We feel concerned about *BSD, and if we find that NuFW can be ported to those systems, we will work on it.

h3. What protocols does NuFW support?

For now, the NuFW system is able to authenticate TCP and UDP protocols. On the client side, only the Windows client supports UDP for now. All clients support TCP. We are working on designing a client-side architecture on Linux/UNIX/BSD/Mac to be able to authenticate UDP. Furthermore, some flows, especially file sharing flows (like NFS or SMB), are emitted by the client machine's kernel, so they cannot be formally authenticated: it is the kernel that opens those connections. In some cases, one given connection is even used by several distinct users of a given share.

h2. About NuFW clients

h3. Does the NuFW client work on *BSD?

NuFW clients are available for FreeBSD and Mac OS X. They have not been tested on other *BSDs, but they should work as the API is unchanged.

h3. Does a NuFW 2.0 client work on a NuFW 1.0 server (and vice versa)?

No, the protocol has changed between 1.0 and 2.0 and there is no compatibility.
