Linux on Nokia IP Series Hardware
Anonymous Coward writes "Michael Rash has written a howto for the Linux Journal on getting Linux to run on a Nokia IP 330. Now we can use a free firewall on a platform normally designed to run Check Point Firewall-1. In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."
What is any different about this box compared to a normal Linux box with several NICs? The reason people buy something from Nokia is to run Checkpoint. Why not just buy a 2u and put quad intel nics in it?
You find the debug port, download your OS and voila you've got Linux running!
Running an OS isn't something to crow about.
Neither is replacing a BSD with Linux.
I have been pwned because my
I'm a network guy for a fairly large company. We use Linux all over the place, including firewalls. Frankly, I'm quite impressed; we've found it to be far more supportable than even the best commercial products.
But why would I want to run it on a Nokia box? Typically, firewall vendors sell the box's hardware and software support together. So, if you're not paying the software support, you have no hardware support. If you're using Linux to save costs, and it fries its power supply, you're SOL.
For the amount of CPU power that you get in the Nokia, you're better off if you buy a good, high-quality PC (we use Dell PowerEdge), throw a few NICs in it, and run Linux on it. The PC will be cheaper, include hardware support, and be easily field-serviceable by any PC tech.
When I first started with technology I was shocked to learn that you had to pay for upgrades
Yes, I was also shocked when I found out auto makers wouldn't give me the latest car model every time they upgraded the design. Or that I didn't automatically get later editions of textbooks. Or that I didn't get a free sixpack of Vanilla Coke despite all those Classic Cokes I've bought. Or that I don't get a new HDTV, even though I've been a loyal user of my last one for ten years.
One purchase does not entitle you to free products for life. Networking products are no different. Neither is software. You can't afford to pay the engineers to work on the upgrade unless you pay for the upgrades. (The only alternative is to pay for them all up front -- but then you wouldn't buy that very expensive product compared to its competitors, now would you?)
The Nokia IP series are just PCs in nifty-lookin' rack cases. And they're already running OpenBSD, right from the factory. Which, last time I checked, had far better security (and hence made a better FW) than GNU/Linux. If you don't like FW-1, just don't run it! Set up whatever BSD FW you prefer. Duh.
Also, given the very high cost of these boxes, and the fact that (with FW resource usage so low) they won't become obsolete any time soon, why not just leave it alone? How does this save anyone any money?
"Look, dear, it's a crazy hairy scary man!"
What is more entertaining is that they are only replacing Checkpoint with IPTables.
IPTables is not an inspection-type firewall.
So another reason this would not make sense.
As a bit of background, I work for an established Check Point and Nokia partner. We regularly sell large numbers of these firewalls to enterprise customers. They are as reliable and full-featured as a firewall gets.
This article brings up the question: why would anyone consider installing Linux on the Nokia appliance? The answer: they wouldn't. Here are the reasons.
1. If the hardware is used/old, it is outdated by today's standards. For $800 including hardware support you can get a nice rackmount Dell server and run Linux on it. The performance boost would be many, many times what you can get on the Nokia.
2. The Nokias hold their resale value better than a system with the same hardware specs. An older 330 can still fetch a decent amount on eBay. Right now, there is one that has a buy-it-now price of $1,199.00. Why do you want an AMD 233 with no hardware support when you can sell it and buy yourself an 850MHz Celeron with support and then pocket $300? It doesn't make sense.
3. Presumably, if you already have the Nokia then you have Check Point as well. Why ditch it for the Linux firewall? The management, logging, and OPSEC features of Check Point outweigh the benefits of switching to Linux.
I think the Nokia/Check Point solution is great. I just don't think that trying to run an unsupported OS on the platform is worth it. Look at the cost/benefit of a new system. It makes a lot more sense to "budget-strapped IT departments."
-shox
It really does astound me that so many people think this a good idea.
;-)
First off, the whole cost factor that people continue to bring up blows my mind. Any company with any knowledge of doing risk analysis will know that paying $50k a year, say, on securing your company's life-blood (trade secrets, source code, credit card numbers, etc.) is nothing. If your company cannot afford this kind of money for proven security solutions, then you're obviously looking at the wrong supplier, or the wrong product from the right supplier (who's to say), or you shouldn't have an Internet connection.
Secondly, IPSO has been hardened over the years by a team of dedicated software engineers. It has an enhanced routing daemon, it is easily backed up and restored, and with the latest builds of IPSO they have introduced some amazing clustering capabilities. When you choose a reputable company's solutions, you can count on security vulnerabilities being addressed quickly by the aforementioned team, and not waiting on some guy to have some free time to patch your freeware app, not to mention solid advice from support on how to mitigate the vulnerability until a patch is available.
Third, you people who say 'get a smokin dell, and slap in a buncha NICs! that'll compare!' are on some serious rock. Apples to apples, a high end Nokia IP Series vs a high end Dell... well, let's just say it would suck to be the Dell. 8o)
Now what would be really interesting to see is a smokin' Dell with IPSO and Checkpoint installed! Proprietary hardware vendors, such as Nokia and Cisco, will not use the latest/fastest CPUs that are currently available in their appliances, for a lot of good reasons, though I would be curious to see the performance stats on that combo.
All in all, you can't compare a Linux install to an IPSO install when you want raw routing and packet tossing power. It's apples to oranges. But it is an interesting article anyway. It ranks right up there with installing Linux on an Xbox. Hey, why not run iptables on an Xbox?! 8oP
I've also noticed that a lot of people have a lot of misconceptions about Checkpoint, but unfortunately addressing them would be going a little too far off topic.
I'd ask 'Why would you want to do this, anyway?', but we are nerds, and we know the answer is 'because, we can.'
anonymous coward, CCSE
not a linux god, a networking demi-god.
I hate this sentiment. It doesn't do the network or the business any good to be able to point a finger. It does you some good though, as you're not responsible for it in management's eyes. So, not only are you paying out the arse for support, you're also suffering downtime. Wonderful!
Nobody considers it your fault though, unless you didn't have a good reason for picking your vendor. If everybody thought the vendor was a good one then you're okay. Well, the end of the fiscal year comes around and your department spent all of its money and didn't achieve its goals. The internal IT team sticks their thumbs up their collective asses and points the index finger of their free hand at the vendors. Business conclusion at this point: the department costs too much and provides too little. Outsource it or cut it.
You still lost your job.
Maybe I'm idealistic but it frightens me how many people only do enough to keep their job safe without thinking about the company's benefit as a whole.
Perhaps I'm a bit jaded though. A recent project that I've been working on just illustrates the point that your vendor isn't employing hundreds upon hundreds of Supermen. In fact, their employees might be just damned near retarded sometimes. Their engineers have deadlines to meet and they can't meet those deadlines if you're still finding bugs in their recently released product and demanding fixes for them. It really doesn't matter how much money you put into them -- they're still only human. No amount of cash will change that.