Aegis

High-Performance Zero Trust Network Controller

Aegis is a distributed, kernel bypass firewall designed to enforce Identity-Based Micro-Segmentation using eBPF technology. It is lightweight, efficient, and can be directly deployed in a router or edge gateway. Unlike traditional firewalls that rely on static IP rules, Aegis operates on a "Default Drop" posture, dynamically opening ephemeral network paths only after a user has authenticated via a secure Control Plane.

Designed for Network Security, Aegis bridges the gap between Identity Providers (IdP) and raw network enforcement. It transforms your network gateway into an identity aware enforcement point.

Where to use it

• Critical Infrastructure: Micro-segment sensitive assets like Databases, SSH Jump Hosts, and Internal Dashboards.
• Zero Trust Migration: Replace static firewall rules (IP-whitelisting) with dynamic, ephemeral access based on user identity.

How it works

1. Deploy: Run the Controller centrally and the Agent on your network gateway (router/server).
2. Configure: Define protected Services (IP:Port) and User Roles via the Admin UI.
3. Connect: Users authenticate via the Web Portal and click to "activate" a service.
4. Enforce: The Agent instantly updates kernel-level eBPF maps to allow traffic only from that user to that service for till the user is active.

Architecture

There are two components, Control Plane (User Authentication and Policy) and a Data Plane (Packet Enforcement).

1. Authentication: Clients access the Controller (in the Private Zone) to authenticate via a web interface.
2. Policy Dispatch: After a valid login, the Controller pushes a signed "session" to the Agent via gRPC.
3. Enforcement: The Agent (Gateway) updates its eBPF maps in the kernel, instantly allowing traffic from that specific user IP to the requested service.
4. Auto-Revocation: If the user becomes inactive, the Agent automatically purges the rule, closing the firewall hole.

Key Features

• Kernel Bypass Speed: Uses eBPF/XDP (C) to filter packets at the network driver level, occurring before the OS handles memory allocation.
• Distributed Design: Decouples the Control Plane (Go/gRPC) from the Edge Data Plane (Rust/libbpf-rs) for scalability.
• Granular Access Control: Enforces strict User IP -> Service IP:Port pathways. No broad network access is granted.
• Automated Lifecycle: The Edge Agent automatically revokes rules after 60 seconds of inactivity, preventing stale permissions.

Tech Stack

• Control Plane: Go (Golang 1.25), gRPC, SQLite.
• Edge Agent: Rust, libbpf-rs, Tokio, Tonic.
• Kernel Hook: C (eBPF XDP).

NOTE: frontend for this project was completly written by gemini.

Documentation & Setup

Aegis is split into two components. Refer to their respective directories for detailed build and configuration instructions.

Default login: username root, password root.

| Component | Description | Docs | | :--- | :--- | :--- | | Controller | The central authority handling authentication (SSO), policy management, and distributing rules to agents. | Controller Docs | | Agent | The edge node daemon running on routers/servers. It attaches eBPF programs to network interfaces and enforces rules. | Agent Docs |

Quick Start (Docker Compose)

For a local setup with Controller, Agent, and simulated Client/Service zones:

docker-compose -f deploy/docker-compose.yml up --build -d

Performance & Benchmarks

Aegis is optimized for extreme low latency environments and minimal footprint. Read detailed benchmarks results in Benchmarking Docs

Reproduce Benchmarks:

To run all comprehensive benchmarks (requires root for XDP hook):

cd agent
sudo -E cargo test -- --ignored --nocapture

or

sudo ./run_benchmarks.sh

Available Benchmarks:

1. Attack Scenario - Tests packet processing when all traffic is malicious (dropped)

   sudo -E cargo test benchmark_attack_scenario_dropped_packets -- --ignored --nocapture
   

2. Legitimate Traffic - Tests packet processing when all traffic is authorized (accepted)

   sudo -E cargo test benchmark_legitimate_traffic_accepted_packets -- --ignored --nocapture
   

3. Mixed Traffic - Tests realistic scenario with 50% legitimate and 50% attack traffic

   sudo -E cargo test benchmark_mixed_traffic -- --ignored --nocapture
   

4. Map Operations - Benchmarks eBPF map insert/lookup/delete performance

   sudo -E cargo test benchmark_map_operations -- --ignored --nocapture
   

5. Scalability - Tests performance impact of varying map sizes (100 to 5000 entries)

   sudo -E cargo test benchmark_scalability_varying_map_sizes -- --ignored --nocapture
   

Expected Result:

BENCHMARK: Attack Scenario (Dropped Packets)
Pre-filled session map with 5000 entries
 Generating 100 unique random packets...
 Map contains 5000 authorized sessions

 Running benchmark: 100 unique packets x 10000 repeats each
 ATTACK SCENARIO RESULTS
  Average Latency:  39.37 ns/packet
  Throughput:       25400051 packets/sec
  Map Size:         5000 sessions
  Packets Tested:   1000000 (all accepted)
  Status:           PASS (< 2µs)

To build the optimized binary and check size:

cargo build --release

Key Features:

• Random IP generation for realistic traffic simulation
• Pre filled maps to stimulate real world