Slashdot Mirror
Linux on Nokia IP Series Hardware
Anonymous Coward writes "Michael Rash has written a howto for the Linux Journal on getting Linux to run on a Nokia IP 330. Now we can use a free firewall on a platform normally designed to run Check Point Firewall-1. In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."
Go calculate something
a way to void that warranty
... a hardened freebsd. people have been removing IPSO and install fbsd for quite some time.
this is nothing new.
the nokia IP boxes run IPSO
now, why you'd buy a several thousand dollar p2-450 to begin with, i can't say.
vodka, straight up, thank you!
Well we'd better put an end to THAT!
Seriously though... What does the checkpoint hardware have to offer? And even if it has something wonderful, wouldn't it make more sense to use, say, FreeBSD on it?
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
The Nokia IP series hardware is nothing more than older AMD K6 processor with a small amount of RAM by todays standards. You'd be better off with a $300 PC from Wal-Mart and a couple network cards. Don't get me wrong, I love the fact that Linux continues to spread to new area, but it has to be put into perspective.
What is any different from this box and a normal linux box with serveral NICs? The reason people buy something from Nokia is to run Checkpoint. Why not just buy a 2u and put quad intel nics in it?
Okay first off. A Nokia IP330 isnt worth jack!
I have two of them, and basicaly they are a AMD 800mhz rack mountable device. Brand new...around $4,0000 without any Checkpoint software/licenses.
IDE drives, and some other typical stuff.
You would be better off buying a Dell PowerEdge rackmountable server with no OS. Or if you are using Checkpoint then save a bunch of money and skip the Nokia solution. Use checkpoint Secure OS (Redhat with lots of limitations) and put it on a Dell with 4 hour replacement. That alone would save you over $2K a year in support contracts with a Nokia Platform, and you get a faster firewall to boot!
So explain to me...WTF IS THE POINT!
Yes, Nokia IP330 are expensive solutions. And Yes so is Checkpoint. But anyone who compares Checkpoint to a Linux Free solution...well I would like to see a comparison of that. The Checkpoint firewall is a complete solution, with plugins to your security needs, and yes you ahve to pay extra cash to get it all to interact.
The linux solution is hodge podge and not even close to being remotely the same in either quality, or type of solution.
This would be like comparing MS Exchange to Sendmail. Yes, they both send emails. One is very expensive and has some nice options. The other sends mail well and some think its a better solution. The point being that with Exchange you are not paying for just an email server. It has lots of bells and whistles (dont blame exchange for viruses...Outlook yes, exchange no)
Same with Checkpoint! You are not just paying for a firewall.
So you are going to buy a expensive Nokia IP330 and install linux on it. Very amuzing....
Licensing and pricing suck , but it sure is nice to quickly push a firewall policy to several endpoints at once. Failover solutions are hella easy also.
(Although typing in "failover" on PIX is hella nice)
hey all, funny this came up now. I have already put openbsd on an ip440 (which is really a pc in a fancy case) but am looking at trying to get it into an ip650 as well this week.
:)
I'll take a look over the article for sure but if any one has pointers to info on getting linux or openbsd into an ip650 please, by all means, give this a reply.
Thanks
kosh
You find the debug port, download your OS and voila you've got Linux running!
Running an OS isn't something to crow about.
Neither is replacing a BSD with Linux.
I have been pwned because my
There is more to IPSO, the net OS that runs on the Nokia 330, than just a hardened freeBSD. The networking protocols are coded deep into the kernel, and have been highly optimized. To run a vanilla Linux on the box means that net routing will just become another application to the OS, along with the corresponding hit to performance.
I'm a network guy for a fairly large company. We use Linux all over the place, including firewalls. Frankly, I'm quite impressed; we've found it to be far more supportable than even the best commercial products.
But why would I want to run it on a Nokia box? Typically, firewall vendors sell the box's hardware and software support together. So, if you're not paying the software support, you have no hardware support. If you're using Linux to save costs, and it fries its power supply, you're SOL.
For the amount of CPU power that you get in the Nokia, you're better off if you buy a good, high-quality PC (We use Dell PowerEdge), throw a few NICs in it, and run Linux on it. The PC will be cheaper, include hardware support, and be easily field-servicable by any PC tech.
Last I heard, FP3 and FP4 (soon to be released FP4) have this ability.
:)
So its coming soon
Of course Checkpoint has been somewhat baby stepping for awhile with new improved options.
The Nokia IP series are just PCs in nifty-lookin' rack cases. And they're already running OpenBSD, right from the factory. Which, last time I checked, had far better security (and hence made a better FW) than GNU/Linux. If you don't like FW-1, just don't run it! Set up whatever BSD FW you prefer. Duh.
Also, given the very high cost of these boxes, and the fact that (with FW resource usage so low) they won't become obsolete any time soon, why not just leave it alone? How does this save anyone any money?
+++++++
"Look, dear, it's a crazy hairy scary man!"
On the Nokia series, you pay a premium for A) Nokia's OS (NetBSD-based, I believe, which has VRRP for failover), B) it's interoperability w/programs like CheckPoint and ISS, and C) being able to rack it.
WAY too much of a premium, in my opinion. When the sales guys at the VAR I was at tried to push them on all our customers, I quietly directed them all to PIXen or OpenBSD.
seeing some other posts ...
... i work tech for a dept. the nokias belong to the uni, so i don't work on 'em), mostly 330s and 440s.
... it's (ipso/fw-1) a common platform in that niche, so it'd be much easier to find someone else that knows how to manage them, and, they have nokia to have fix problems.
we have a number of nokia's where i work (it's a university
granted, they are based on older hw (p2-450s, early p3s, etc). however, what you're paying for is CYA and management. if it breaks, you call nokia or whomever is responsible for providing support for it.
IPSO does one thing, *very* well. personally, i'm of the opinion of a decently spec'd out box running obsd w/pf, but only because i manage the box. some may like linux with iptables or whatever.
suppose you go the obsd/linux route on an off-the-shelf i386 machine. 1. you buy the machine. 2. you have to pay someone to manage it. rough guesstimation, but i see it a *lot* cheaper to buy a few nokia boxes and pay the fw-1 license fees. my dept is already incurring my salary, so we decided to get an i386 box (dell pe1650), two 4 port ethernet cards, and get on with it. it works great. if that thing breaks though, it's my ass. plus, if i leave, someone will need to know how to manage it. the uni where i work going with nokias
vodka, straight up, thank you!
Would this not violate the DMCA?
I mean you just hardware hacked a device to make it work.
For example spoofing the NIC's that were designed to work only with an IPSO solution.
Just a thought....
Dude! Your going to Jail!
Next time buy a Dell-
This hardly even approaches "Interesting".
Maybe Dumb and Useless would be better adjectives to describe this guy's work.
Please return that word back to the library in the early 90's where you checked it out. It's reeeeally overdue.
typing in 'failover' on obsd would be sweet too, if cisco relaxed on the vrrp patents =)
vodka, straight up, thank you!
Some thoughts I had when reading the article:
;-) It might be a good idea to delete the compiler after everything has been configured, or even better, don't install it and build any necessary packages on another server, then transfer the binaries to the firewall.
:-D
> Once the new partition table is saved there is no going back; both IPSO and Check Point FW-1 are gone.
Of course, if I were the one doing the installation I'd backup the original drive contents so I could always go back to original configuration (in case of screw up, or if I wanted to sell the unit on e-bay, etc.) It's only 8 Gb...
> When it comes time to install the various packages, select only Network Support and then go into the Select Individual Packages section and add GCC, autoconf and ncurses.
GCC on a firewall box?! Sounds like a new tool of terror for the scrip7 kiddies.
Nice article though. Nothing like putting the screws to those closed source, code hoarding, proprietary software vendors.
I track known Slashdot scumbags on my foes list!
I've thought about entering the appliance market too, but dealing with Cisco and similar types would be too hard. Still, the OS and network components are already taken of. It' sthe inetrface that needs work on.
My idea is to have a small box (running a via cpu) and have 3 nics in it. Lets call then eth0, eth1, and eth2. Eth0 and Eth1 would be a frame and packet discriminatory firewall capible of maintaining quotas. The quotas would be set up in user/group/all settings which would bind MAC or IP for quota setting.
Whatever passes through Eth0 or 1 is totally transparent (eg: transparent bridge). Eth2 would be your maintenance/interface. Https and ssh would be available for configs.
All the hardware and most of the software is there. It's just the glue work that needs to be done.
Yes, I'm stealing someones bandwidth just to make this post
Suck it!
"When the whole network is going up in flames its advantageous to have a person to point fingers at if nothing else..."
And here I though that having 911 on speed dial was the thing to do.
Vendor hardened? Give me a fucking break. What special hardening do you REALLY think the embedded vendor is doing over a standard install? You're lucky to get package versions three or four versions behind the most recent one, with all the unpatched holes and missing features that came with them.
Sorry, you Solaris types are just clawing and gasping for air as you sink beneath the waves of irrelevancy. Get retrained, or think about switching careers.
Hey, WatchGuard has been running on a Linux 2.x kernel for a while now - - sure would be nice to be able to put their software on a box of my choosing. Their stuff is pretty pricey . . .
Too bad I'm not a real coder, maybe I'd try it myself. As firewalls go, WatchGuard's a pretty good one.
It's only funny until someone gets hurt. Then, it's hilarious.
"In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."
So instead of trusting security to the professionals, we are going to hand that responsibility over to "that geek in software that knows linux"?
This isn't news... this is bad decision making. You can take any rack-mounted ebay'd rack mount device and slap whatever OS (free or otherwise) and install whatever service (free or otherwise) on it... for example, take a standard F5 load balancer (garbage, to be sure), and install any linux distro and then put LVS on it, and you have a "free alternative" to the same thing (ahem -- no it is NOT the same thing... sure, the end result is the same, but the quality, support and out-of the box results are vastly different...), but even still, why would you waste your time doing that when you could spend 1/3 of the cost to put the "free" solution together with spare or third party parts on your own without the original brand label to only remove and say "wow thats cool -- I relabeled something that was once expensive into a cheap solution that is no longer worth what I initially invested in, and does not come with any sort of support at all"
As a bit of background, I work for an established Check Point and Nokia partner. We regularly sell large numbers of these firewalls to enterprise customers. They are as reliable and full-featured as a firewall gets.
This article brings up the question: why would anyone consider installing Linux on the Nokia appliance? The answer: they wouldn't. Here are the reasons.
1. If the hardware is used/old, it is outdated by today's standards. For $800 including hardware support you can get a nice rackmount Dell server and run Linux on it. The performance boost would be many many times what you can get on the Nokia.
2. The Nokias hold their resale value better than a system with the same hardware specs. An older 330 can still fetch a decent amount on Ebay. Right now, there is one that has a buy-it-now price of $1,199.00. Why do you want an AMD 233 with no hardware support when you can sell it and buy yourself an 850MHz Celeron with support and then pocket $300?? It doesn't make sense.
3. Presumably, if you already have the Nokia then you have Check Point as well. Why ditch it for a the Linux firewall? The management, logging, and OPSEC features of Check Point outweigh the benefits of switching to Linux.
I think the Nokia/Check Point solution is great. I just don't think that trying to run an unsupported OS on the platform is worth it. Look at the cost/benefit of a new system. It makes a lot more sense to "budget-strapped IT departments."
-shox
Fist of all, the Nokia firewall appliances already run a stripped-down and hardened *nix (freeBSD-derivative) so this is not exactly new. People have been replacing it with a home brewed distro for a while, for the fun of it.
Second you'd be crazy to ditch Checkpoint FW1 for iptables. I run a few FW1's at work, and have Linux+iptables at home, but I'd never exchange the two. Try to create a distributed, system-wide network policy with 5 clustered (stateful failover capable) enforcement points, some of which doing CVP-based email antivirus on the fly and tell me how easy it is with Iptables. And, get it to NAT Oracle sqlnet v2 sessions when someone decided not to run it on port 1521 "for added security" (aargh).
Third, don't *have* to pay for yearly support contract, but usually you *want* to. You have an initial cost depending on the FW1 license (50-node, 250-node or unlimited) and then you keep paying for two things called support and accountability, which matter a lot in the business sector. And that's exacly why Linux, to really flourish in the business sector, at the moment has more need of companies professionally supporting it (for $$$) than developers.
Don't get me wrong, I am a loyal, happy, avid Linux supporter and make my living out of it. I love Slackware and have come to rely on it like I could do with nothing else, but from the AC's comment it looks like he really got it totally wrong and never wondered *why* someone should pay for a professional product.
Vacuum cleaners suck. Kings rule.
As a large Nokia / Checkpoint shop who has recently been looking at alternative solutions to the high maintenance cost and fingerpointing that goes on between the two companies nowadays when there's a problem; the opportunity to load Linux and enventually Checkpoint's Secure OS on an IP330 is very compelling from the standpoint we would be able to use the hardware we purchased but be able to go to one source for OS and FW support.
;-)
Not to mention you usually need to upgrade the IPSO when you upgrade to the latest and greatest NG, Service Pack X, Hot Fix X, roll up X. So you get to buy yourself another year or two out of the IP's without having to pay Nokia.
Finally, most of our offices don't come close to taxing a 330 so as long as the hardware doesn't fail why run out and buy new hardware?
That's WTF point is....
It really does astound me that so many people think this a good idea.
;-)
First off, the whole cost factor that people continue to bring up blows my mind. Any company with any knowledge of doing risk analysis will know that paying $50k a year, say, on securing your companies life-blood (trade secrets, source code, credit card numbers, etc.) is nothing. If your company can not afford this kind of money for proven security solutions, then you're obviously looking at the wrong supplier, or the wrong product from the right supplier (who's to say), or you shouldn't have an Internet connection.
Secondly, IPSO has been harded over the years by a team of dedicated software engineers. It has an enhanced routing daemon, it is easily backed up and restored, and with the latest builds of IPSO they have introduced some amazing clustering capabilities. When you chose a reputable company's solutions, you can count on security vulnerabilities being addresses quickly by the aforementioned team, and not waiting on some guy to have some free time to patch your Freeware app.. not to mention solid advise from support on how to mitigate the vulnerability until a patch is available.
Third, you people say 'get a smokin dell, and slap in a buncha NICs! that'll compare!' are on some serious Rock. Apples to Apples, a high end Nokia IP Series vs a high end Dell... well, lets just say it would suck to be the Dell. 8o)
Now what would be really interesting to see is a Smokin' dell with IPSO and Checkpoint installed! Proprietary hardware vendors, such as Nokia and Cisco, will not use the latest/fastest CPU that're currently available in their appliances for a lot of good reasons.. though I would be curious to see the performance stats on that combo.
All in all, you cant compare a linux install to an IPSO install when you want raw routing and packet tossing power. It's apples to oranges. But it is an interesting article anyways.. it ranks right up there with installing linux on an Xbox.. Hey, why not run iptables on an XboX?! 8oP
I've also noticed that a lot of people have a lot of misconceptions about Checkpoint, but unfortunately addressing them would be going a little too far off topic.
I'd ask 'Why would you want to do this, anyway?', but we are nerds, and we know the answer is 'because, we can.'
anonymous coward, CCSE
not a linux god, a networking demi-god.
Thats the beuty of the Nokia appliance and IPSO. IPSO is all configured through it's own Web based GUI called Voyager, but can also be done in a pinch over a dial-up connection and lynx (which is only allowed to connect to localhost)
Since IPSO 3.6, clustering was added that can be enabled in like 6 clicks of a mouse. Try doing that from a command line.
The closest thing that is like maybe 10 percent of Voyager, would be Webmin, but even then you have to configure each app seperatly.
VRRP is included, free. So HA is an option with 2 firewalls. Routing features.. Hmm.. try getting OSPF, BGP, and RIP (if needed) all working on 1 box, on seperate interfaces. Sure, Zebra can handle it, but you still have to play with the config files. Here you just fill in the fields, click apply, and it works. Hit save, and never worry again!
Totally agree... nuff said from me.
As several have mentioned, the Nokia box is a basic x86 system.. So, you've installed Linux on an x86 box... nice job.
The real value in the Nokia box is:
- Nokia support. They provide good support of the complete solution, with broad geographic coverage.
- CheckPoint's software. Simple to use and manage. With a simple GUI to define policy, and manage dozens of firewalls from one point, your management effort and headcount are minimal (this is why all the big companies use it).
If you already have the Nokia box, you've paid for it, and the CheckPoint software. You will probably be fired if you destroy that to create a cheap x86 Linux box.
You might want to remember something important... On IP330s I believe the Boot Manager resides on the hard drive itself and formatting/repartitioning or otherwise altering it might render the Nokia device no longer able to use IPSO.
If you're going to install Linux on the Nokia box, that means you already bought the FireWall-1 software.. Rather than throwing that powerful firewall and VPN solution, install Check Point's Linux on it!
SecurePlatform is Check Point's totally hardened Linux distro. It is a bootable CD, that blasts your hard drive, installs a minimal/hardened Linux, and FireWall-1 in one shot. It takes about 3 minutes on a fast PC. It has a basic www management interface, or simple config shell (via ssh).
It's got great performance, and firewall/VPN features that the no other product can touch (not to mention the free Linux stuff), and the configuration is really easy via a nice GUI.
And, really surprising for those of us familiar with Check Point: they don't charge for it. The OS portion is free... you just need the license for the firewall application running on it.
1. This is very old news. We have been doing that for atleast a couple of years now.
2. There's a much easier way of installing Linux on the IP330.
All you have to have is an IDE CD-ROM, a dual connector power cable, a dual connector IDE cable, the original console cables that came with the IP330.
- open up the IP330
- connect the IDE CD-ROM to the IP330 using the dual connector power cable and IDE cable (obviously connect the HD as well)
- connect to the IP330 using the "nokia" console cable with your favorite term program (minicom or securCRT type)
- When you use the original console cable, you will be able to get to the BIOS, change the boot order to boot from the CD
Then you have a fully bootable CD-ROM, you can install whatever the heck you want. I have installed FreeBSD and Linux without any problems. Might try Solaris x86 if I can get a copy sometimes.
Obviously, this will destroy your IPSO partitions (there's usually two, one for the boot mgr and one for IPSO). If you want to be able to revert, dd the partitions somewhere so you can dd back.
Be sure to arp -s your interfaces like the article has described.
When you chose a reputable company's solutions, you can count on security vulnerabilities being addresses quickly
Like microsoft. Yeah, that model works really great.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Ive installed probably over a hundred of Nokias in the field, so ive seen a lot with these machines...
;)
:)
/boot patition on a Linux box - its does not contain BIOS stuff...
In terms of support, everyone here is right - stick with IPSO so you dont void your warranty! Nokia IPSO is a great os for Check Point, and supports all the features Check Point supports (except the Reporting Module server - its Wind0ze only - well until NG FP4...
I have a few customers that have installed Secure Platform (customized, hardended RedHat 7.2 with a shell to ease administration - in NG FP4 contains a web gui similar to their SOHO Home products) All of these customers have expired hardware contracts so its no big deal to them. The IP330 and IP440 are quite out-dated now... Netfilter does not need much power though
I agree CheckPoint is a little pricy, but they have a feature set that nothing else touches.. yet... Cool stuff, like single-sign on transparent authentication with user logging, and centralized logging with a decent gui with reporting features. (all for a price...)
My only beef with the product is NO LINUX GUI! aarrgg... At least i can run Windows in a VM on Linux and OSX... (well, i also dont like the fact that it is closed source, but i cant do much about that...)
As for the Boot Manager, you can safely wipe that out on the IP330 if your going to Linux... Its similar to the
Wouldnt it be nice if there was a decent, cross-platform gui for distributing Netfilter rulebases to multiple Linux firewalls with a centralized logging database and a nice PHP/MySQL frontend for reporting...
Ralph Bonnell - CISSP, LPIC-2, CCSI, CCSE+, CCNA, RSA/CSE, CSFE, MCSE 2000
Cybie! aka Ralph Bonnell
As Nokia has proven, FreeBSD is an ultra stable highest-performance OS for network appliances. Why bother with something inferior like linux?
having used checkpoint and ccse and ccsa courses I can say that it is a very good firewall but why would anyone want to rip out checkpoint and ipso and install linux? if you want a linux (or for my preference, freebsd) firewall then buy a 1u box and a qfe ffs. why trash a perfectly good nokia box? checkpoint is a damn good firewall even if you don't keep getting updates to the latest and greatest.
dave
well, there are free frrp deamons about but I don't know if they are missing anything from commercial vrrp stuff.
www.bsdshell.net
dave
Does it run linux ?? oh... wait :P
- KJ
I understand that you have never had to deal with Nokia's support.
I have on several occasions as I work only with Checkpoint products and mostly Nokia.
I have gotten help from Nokia 1 time out of about 10 cases I have registered with their tac.
For some reason firewall-1 FP2 altered wins packets if the wins request was for a staticly natted host. For some reason Firewall-1 FP3 stopped doing this and one of my customers need that feature.
I am still after a month trying to get Nokia to believe that FP2 did this which they refuse.
I provided them with traces which they did'nt believe since I had to run fw monitor when running both FP2 and FP3, If they would have bothered to setup this in a lab they would have noticed the behaviour.
Another point to this story is that this so called feature is totally undocumented by Checkpoint as is a lot of other stuff too which is really terrible for a security product.
Hell yes I would install linux or openbsd instead of my checkpoint firewall if it was up to me.
I loose some features but it works and upgrading it isn't a nightmere.
I think my cases with nokia has about a average time of 2-3 weeks and 90% of them doesn't get resolved.
Best Regards
Magnus
P.S I am also a ccse and ccsa which doesn't mean shit D.S
Someone must be asleep at the wheel today. How the hell did this article even get posted? Nokia boxes are stock computers with a fancy case and spec. software. Any screwdriver jockey can re-install Linux or even Windows on them...
Hey maybe I can get a posting by figuring out how to install *BSD over Linux.
In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."
Well, the choice actually is, pay another company to maintain/support it, or pay a linux geek in-house to do it. I would argue that for many reasons, the former is more economical than the latter. If you pay for a support contract, you benefit from the economies of scale, as Nokia can afford to employ multiple experts in this particular system who divide their time amongst its customers. An in-house employee is unlikely to have the same expertise and experience, and if he/she did, then it would not be used full time. Further, the external organization has a global view, and can see all the issues at all its customer's sites, which means if someone runs into a problem before you, the support engineers will probably already have seen it.
Secondly, a support contract is a business expense. If comes out of operating cash, and can be written off against taxes. The firewall kit was paid for out of the capital budget, and can be amortized over time. An employee gets a salary which may be more than the support contract, but there are lots of costs involved, taxes, equipment, HR staff time, office space, etc. None of those apply to a support contract.
Thirdly, there is fitness for purpose. I have a hard time believing that a highly optimized appliance can be repurposed like this without a corresponding reduction in performance and capability. As with all embedded systems, hardware and software are tightly co-ordinated. A general purpose OS can not fully exploit the hardware, and it includes much unnecessary functionality which further reduces effectiveness.
Fourthly, your auditors may not sign off on your insurance if you roll your own solution. This is nothing to do with Nokia taking liability, this is your insurance company deciding what is and is not an acceptable level of risk. A quick scan of BUGTRAQ and CERT reveals many, many more Linux exploits than Nokia exploits!
So in short, if you have a spare Nokia for free and need a general-purpose computing device, then sure, why not, but if you have one and need a firewall, then use it for its intended purpose. I only use Open Source software when it actually is the best - there is no room for ideology in technology decisions, particularly when the risks of compromising security are so high. You're messing around with people lives here; if the business fails, then jobs are lost. But equally, if you can objectively prove that Linux is better, then use it. Unfortunately, this type of analysis is all too rare, all I hear is "MS sucks, d00d!".
I'm sorry - but I"ve got a linux box and I run Checkpoint on it as my primary firewall - why? Because I need it to run windows based VPN client for the windows users.
What I need is a free VPN client that is usable by the masses and a matching VPN?server? that runs on linux and plays nice with iptables.
DO that - and checkpoint and all the other firewall companies are *GONE*
But without a usable VPN I must continue to use checkpoint.
Checkpoint inspection refers to layer 3-7 inspection, not just stateful inspection of IP flows. Without going into userland or writing your own module, you can't crack into headers with iptables the way you can with CP. ie, write me an iptables rule that stops all GIF images from being loaded from an arbitrary website.
CP has a language called INSPECT that lets you build any filtering rules you want. That code is compiled into the CP driver which wedges in between layers 2 and 3 on the host's network stack.
There's no point in comparing CP and IPTables, they solve two separate problems. IPTables gives you basic, stateful inspection of IP flows. CP provides a richer set of policy control, not to mention enterprise management of multiple firewalls, failover. I use iptables at home, and CP at work.
Nokia/IPSO provides an excellent platform on which to run CP, far cheaper than SUN, more reliable than Windows. SecurePlatform is still maturing, since it's based on RH 7.1 it's lacking in support for some modern cards. And, there is significant benefit to having one number to call and one person to point the finger at. Yea, I'm paying a lot of money for what is essentially an 800MHz AMD, but it's a well built one that I'm not going to worry about it falling over due to hardware problems.
Sean
We recently replaced the Nokia/Checkpoint boxen with PIX firewalls. I don't care to get into a PIX vs Checkpoint war, but lets just say it saved us TONS of $$$$ on a yearly basis.
/dev/hda for the /boot partition works like a charm.
Having seven of these IP650's sitting on a shelf, I had to wonder... what can I use them for??? Then it hit me... I need RMON type probe capabilities in my call centers around the country, and with the four port NIC's installed, these might make good candidates.
I pull the compact flash card from the 650, put it in my reader on my RH8 desktop, dd bootnet.img to it, put it back in the IP650, and boot it. Once it boots, a simple FTP load, using the compact flash card at
I've got squideral, NTOP, ethereal, and a couple of in house scripts running on each of them now collecting traffic stats, doing WCCP transparent caching, and allowing me to do remote sniffs of the call centers.
Sig??? I don't need no stinkin Sig!
Didn't he say reputable? Maybe you have a different concept of reputable?
Every time I've run a firewall on my nokia, it becomes totally unusable for calling people. But then again, I do get fewer telemarketers.
Ergonomica Auctorita Illico!
There is a big push now to move towards firewall appliances rather than rolling your own. A lot of these appliances are running Linux as well. I'm a fan of the appliances as I currently support CheckPoint, WatchGuards and others. I despise the CheckPoint on Nokia. While Provider 1 is nifty from the single sign on benefit, CP is expensive to the point of ridiculousness. The Nokia appliances are crap all things being equal. The appliance 1U firewalls offer more for the money.
Remember what Cobalt did for the Web server? Easy, quick setup, fast deployment, and very robust hardware/software combination. I thing firms like WatchGuard, CyberGuard and others will eventually end up with the lion's share of the firewall market.
First off, the whole cost factor that people continue to bring up blows my mind. Any company with any knowledge of doing risk analysis will know that paying $50k a year, say, on securing your companies life-blood (trade secrets, source code, credit card numbers, etc.) is nothing.
Absolutely. Besides, the one-time cost of the hardware is trivial and can be depreciated over the course of a few years. The only issue that really matters are the on-going support costs and the headcount to maintain it.
Third, you people say 'get a smokin dell, and slap in a buncha NICs! that'll compare!' are on some serious Rock. Apples to Apples, a high end Nokia IP Series vs a high end Dell... well, lets just say it would suck to be the Dell. 8o)
Agreed. But compare the performance of your Nokia box to a killer Sun server, and it would suck to be the Nokia. As you said, it is a matter of comparing apples to apples. The advantages Nokia really has IMHO is that it is relatively cheap, and it more idiot-proof. I still think that the big shops with the skills and budgets to match will continue to run FW-1 on Sun hardware.
*** Where are we going? And what's with this handbasket?
(based on this mail on ietf vrrp maling list)
The Rapidstream hardware is *much* faster and cheaper (40% discount).
This news wouldn't make you *BUY* a Nokia IPSO, the hardware is _old_ and very expensive. But perhaps if you have a few sitting around.
I think my cases with nokia has about a average time of 2-3 weeks and 90% of them doesn't get resolved.
P.S I am also a ccse and ccsa which doesn't mean shit D.S
It would seem to me that having those certs does mean 'shit' as you put it, since your skills seem to have eliminated the 'easy/stupid' support calls that frequent call centres. Congrats on your skills, and pooh on your attitude.
--
Yeah, right, Checkpoint on Linux on IP330.
Get the half-assed Linux support of Checkpoint
together with the sub-par performance of the overpriced IP330. Now THATs a real good point...