Linux on Nokia IP Series Hardware
Anonymous Coward writes "Michael Rash has written a howto for the Linux Journal on getting Linux to run on a Nokia IP 330. Now we can use a free firewall on a platform normally designed to run Check Point Firewall-1. In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."
Go calculate something
Actually, the newer IP330 models (SNs start with 9N instead of 8A) are AMD K6-2 400s with 246 megs of RAM, and can be found on eBay.
Good luck getting support on the box from Nokia or a reseller after something like this has been tried, with or without a support contract. You'll be told it's not supported, and nothing can be done.
Actually, no. I was in the group that did the kernel work for IPSO. It has a custom IP forwarding path and forwarding table machinery. The routing is done using a largely rewritten version of... gated.
These three things and the management system make IPSO a good software routing platform.
Which doesn't really offset the cost of what is a pretty sluggish PC.
First of all, the Nokia firewall appliances already run a stripped-down and hardened *nix (a FreeBSD derivative), so this is not exactly new. People have been replacing it with a home-brewed distro for a while, for the fun of it.
Second, you'd be crazy to ditch Checkpoint FW1 for iptables. I run a few FW1's at work, and have Linux+iptables at home, but I'd never exchange the two. Try to create a distributed, system-wide network policy with 5 clustered (stateful failover capable) enforcement points, some of which are doing CVP-based email antivirus on the fly, and tell me how easy it is with iptables. And, get it to NAT Oracle sqlnet v2 sessions when someone decided not to run it on port 1521 "for added security" (aargh).
Third, you don't *have* to pay for a yearly support contract, but usually you *want* to. You have an initial cost depending on the FW1 license (50-node, 250-node or unlimited) and then you keep paying for two things called support and accountability, which matter a lot in the business sector. And that's exactly why Linux, to really flourish in the business sector, at the moment has more need of companies professionally supporting it (for $$$) than of developers.
Don't get me wrong, I am a loyal, happy, avid Linux supporter and make my living out of it. I love Slackware and have come to rely on it like I could do with nothing else, but from the AC's comment it looks like he really got it totally wrong and never wondered *why* someone should pay for a professional product.
Vacuum cleaners suck. Kings rule.
Checkpoint inspection refers to layer 3-7 inspection, not just stateful inspection of IP flows. Without going into userland or writing your own module, you can't crack into headers with iptables the way you can with CP. I.e., write me an iptables rule that stops all GIF images from being loaded from an arbitrary website.
CP has a language called INSPECT that lets you build any filtering rules you want. That code is compiled into the CP driver which wedges in between layers 2 and 3 on the host's network stack.
There's no point in comparing CP and iptables; they solve two separate problems. iptables gives you basic, stateful inspection of IP flows. CP provides a richer set of policy control, not to mention enterprise management of multiple firewalls and failover. I use iptables at home, and CP at work.
Nokia/IPSO provides an excellent platform on which to run CP, far cheaper than Sun, more reliable than Windows. SecurePlatform is still maturing; since it's based on RH 7.1, it's lacking in support for some modern cards. And, there is significant benefit to having one number to call and one person to point the finger at. Yeah, I'm paying a lot of money for what is essentially an 800MHz AMD, but it's a well-built one that I'm not going to worry about falling over due to hardware problems.
Sean
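The posts above draw a line between stateful layer-3/4 filtering (the iptables/conntrack model) and layer-7 content policy (the INSPECT model), using "block all GIF downloads" as the test case. The following toy packet filter is an added example written for this page; it is not IPSO, Check Point or iptables code, and the `Packet` model, `StatefulFilter`, `ContentFilter`, `run_policy` and the sample traffic are all constructed for illustration. It runs a constructed browsing session through a header-only stateful filter and then through a content filter, so you can see exactly which decision each layer is able to make: the stateful filter correctly drops unsolicited inbound packets but passes the GIF request, because it never looks at the payload; only the content filter can refuse it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (constructed for this example, not a real capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for the first packet of a TCP connection
    payload: bytes = b""     # application data; empty for header-only packets


class StatefulFilter:
    """Layer-3/4 filter in the iptables/conntrack style.

    Every decision uses only IP/TCP header fields plus a connection table;
    the payload is never examined, which is the limitation the thread is about.
    """

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix      # e.g. "10.0.0." marks the protected LAN
        self.conntrack: set[tuple] = set()       # (src, sport, dst, dport) of permitted flows

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT"                      # ESTABLISHED, either direction
        if p.syn and self._inside(p.src) and not self._inside(p.dst):
            self.conntrack.add(fwd)              # NEW outbound connection: remember it
            return "ACCEPT"
        return "DROP"                            # unsolicited inbound or stray packet


class ContentFilter:
    """Layer-7 policy of the kind the thread attributes to INSPECT: reads the
    HTTP request line and refuses requests whose path ends in .gif.

    Simplification (an assumption of this example): each request fits in one
    packet, so no TCP stream reassembly is attempted. A production engine
    must reassemble the stream or the match can be split across segments.
    """

    def decide(self, p: Packet) -> str:
        if p.dport != 80 or not p.payload:
            return "ACCEPT"
        request_line = p.payload.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        if len(parts) >= 2 and parts[0] in (b"GET", b"POST"):
            path = parts[1].split(b"?", 1)[0].lower()   # ignore the query string
            if path.endswith(b".gif"):
                return "DROP"
        return "ACCEPT"


def run_policy(packets):
    """Apply the stateful filter first, then content inspection on what it passed.

    Returns one (stateful_verdict, content_verdict) tuple per packet; the
    content verdict is None when the packet never reached layer 7.
    """
    l4 = StatefulFilter("10.0.0.")
    l7 = ContentFilter()
    verdicts = []
    for p in packets:
        v4 = l4.decide(p)
        v7 = l7.decide(p) if v4 == "ACCEPT" else None
        verdicts.append((v4, v7))
    return verdicts


# Constructed traffic sample: a LAN host at 10.0.0.5 browsing 203.0.113.10,
# plus two unsolicited packets arriving from the outside.
SAMPLE = [
    Packet("198.51.100.7", 51000, "10.0.0.5", 22, syn=True),                  # inbound SSH attempt
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),                   # outbound connect
    Packet("10.0.0.5", 40000, "203.0.113.10", 80,
           payload=b"GET /images/logo.gif HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80,
           payload=b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, payload=b"HTTP/1.1 200 OK\r\n\r\n"),  # reply
    Packet("203.0.113.10", 80, "10.0.0.5", 40001, payload=b"HTTP/1.1 200 OK\r\n\r\n"),  # unsolicited
]

if __name__ == "__main__":
    for p, (v4, v7) in zip(SAMPLE, run_policy(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport:<5} L4={v4:<6} L7={v7}")
```

The split in `run_policy` is the point: the header-only stage is enough to enforce "inside may initiate, outside may only reply", which is what stateful inspection buys you, while any rule phrased in terms of URLs, file types or mail content has to live in a stage that parses the application protocol. Matching on the request path rather than the response's Content-Type is a deliberate simplification; a real policy engine would check both and would need stream reassembly to do so reliably.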