NuFW
NuFW is a software package that extends Netfilter, the Linux kernel's packet filtering firewall module. NuFW adds user authentication to filtering rules. NuFW is also provided as a hardware firewall in the EdenWall firewalling appliance. The project has been restarted by the FFI and renamed UFWI.
Introduction
NuFW / UFWI is an extension of Netfilter which brings the notion of a user to IP filtering. NuFW / UFWI can:
- Authenticate any connection that goes through your gateway or only from/to a chosen subset or a specific protocol.
- Perform accounting, routing and Quality of service based on users and not simply on IPs.
- Filter packets on criteria such as the application and the OS used by remote users.
- Be the key of a secure and simple Single Sign On system.
Principles
NuFW / UFWI rejects the idea of identifying a user by IP address, since an IP address can easily be spoofed. It therefore uses its own algorithm to perform authentication. It depends on two subsystems: Nufw, which is connected to Netfilter, and Nuauth, which is connected to the clients and to Nufw.
The algorithm is the following:
- A standard application sends a packet.
- The Nufw client sees that a connection is being initiated and sends a user request packet.
- The Nufw server queues the packet and sends an auth request packet to the Nuauth server.
- The Nuauth server correlates the auth request with the user request packet and checks the result against an authentication authority.
- The Nuauth server sends its answer back to the Nufw server.
- The Nufw server forwards or drops the queued packet according to the answer to its request.
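The exchange above, simulated as an added example that is not part of the original article and not NuFW's own code. The message shapes, the user directory, the per-user ACL and the ordering (the client's user request reaches Nuauth before Nufw asks about the queued packet) are all constructed assumptions; the real NuFW wire protocol is not reproduced. The point the simulation makes is the one the text makes: the verdict is keyed on the authenticated user behind a connection, so a packet that merely carries an authorised user's source IP, without a matching user request, is dropped.

```python
"""Constructed simulation of the Nufw client / Nufw server / Nuauth flow.

Assumptions (not NuFW's real protocol): a connection is identified by its
5-tuple, the client's user request arrives at Nuauth first, and Nuauth
consults an in-memory directory and ACL instead of a real authority.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ConnKey = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self) -> ConnKey:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


@dataclass
class NuauthServer:
    """Receives user requests from clients and answers auth requests from Nufw."""
    directory: Dict[str, str]                 # constructed: user -> password
    acl: Dict[str, Set[Tuple[str, int]]]      # constructed: user -> allowed (dst_ip, dst_port)
    pending: Dict[ConnKey, str] = field(default_factory=dict)  # user requests awaiting a packet

    def user_request(self, key: ConnKey, user: str, password: str) -> bool:
        """Step 2: the Nufw client announces which user opened a new connection."""
        if self.directory.get(user) != password:
            return False                      # bad credentials: nothing is recorded
        self.pending[key] = user
        return True

    def auth_request(self, key: ConnKey) -> Tuple[str, Optional[str]]:
        """Steps 4 and 5: correlate the queued connection with a user request and decide."""
        user = self.pending.pop(key, None)
        if user is None:
            return ("DROP", None)             # no user authenticated this connection
        if (key[3], key[4]) in self.acl.get(user, set()):
            return ("ACCEPT", user)
        return ("DROP", user)                 # known user, but the ACL forbids this destination


@dataclass
class NufwServer:
    """Step 3 and step 6: queue the packet, ask Nuauth, apply the verdict."""
    nuauth: NuauthServer
    queue: Dict[ConnKey, Packet] = field(default_factory=dict)
    log: list = field(default_factory=list)   # (key, user, verdict) for audit

    def handle(self, pkt: Packet) -> str:
        key = pkt.key()
        self.queue[key] = pkt                 # held until Nuauth answers
        verdict, user = self.nuauth.auth_request(key)
        self.queue.pop(key)                   # released (forwarded) or dropped
        self.log.append((key, user, verdict))
        return verdict


def run_scenario() -> Dict[str, str]:
    """Four constructed cases showing that the decision follows the user, not the IP."""
    nuauth = NuauthServer(directory={"alice": "s3cret"},
                          acl={"alice": {("10.0.0.5", 22)}})
    nufw = NufwServer(nuauth)
    results: Dict[str, str] = {}

    # 1. alice's client announces the connection, then the packet reaches Nufw.
    pkt = Packet("tcp", "192.168.1.10", 40000, "10.0.0.5", 22)
    nuauth.user_request(pkt.key(), "alice", "s3cret")
    results["alice_ssh"] = nufw.handle(pkt)

    # 2. Same user and source IP, but a destination the ACL does not allow.
    pkt = Packet("tcp", "192.168.1.10", 40001, "10.0.0.5", 80)
    nuauth.user_request(pkt.key(), "alice", "s3cret")
    results["alice_http"] = nufw.handle(pkt)

    # 3. A packet forged with alice's source IP but with no client user request.
    pkt = Packet("tcp", "192.168.1.10", 40002, "10.0.0.5", 22)
    results["spoofed"] = nufw.handle(pkt)

    # 4. Wrong password: the user request is rejected, so the packet is dropped.
    pkt = Packet("tcp", "192.168.1.10", 40003, "10.0.0.5", 22)
    nuauth.user_request(pkt.key(), "alice", "wrong")
    results["bad_password"] = nufw.handle(pkt)
    return results


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:13s} -> {verdict}")
```

Cases 1 and 3 carry the same source address and destination; only the presence of an authenticated user request separates ACCEPT from DROP, which is what "never associates a user with a machine" means in practice. The `log` kept by `NufwServer` is where a real deployment would want per-user accounting to come from.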
NuFW is the only real authentication firewall, as it never associates a user with a machine.
Awards
- 2007: Lutèce d'Or, Best Innovation
- 2005: Les Trophées du Libre, Security