Slashdot Mirror
Linux on Nokia IP Series Hardware
Anonymous Coward writes "Michael Rash has written a howto for the Linux Journal on getting Linux to run on a Nokia IP 330. Now we can use a free firewall on a platform normally designed to run Check Point Firewall-1. In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."
Go calculate something
a way to void that warranty
... a hardened freebsd. people have been removing IPSO and install fbsd for quite some time.
this is nothing new.
the nokia IP boxes run IPSO
now, why you'd buy a several thousand dollar p2-450 to begin with, i can't say.
vodka, straight up, thank you!
Well we'd better put an end to THAT!
Seriously though... What does the checkpoint hardware have to offer? And even if it has something wonderful, wouldn't it make more sense to use, say, FreeBSD on it?
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
The Nokia IP series hardware is nothing more than older AMD K6 processor with a small amount of RAM by todays standards. You'd be better off with a $300 PC from Wal-Mart and a couple network cards. Don't get me wrong, I love the fact that Linux continues to spread to new area, but it has to be put into perspective.
What is any different from this box and a normal linux box with serveral NICs? The reason people buy something from Nokia is to run Checkpoint. Why not just buy a 2u and put quad intel nics in it?
Okay first off. A Nokia IP330 isnt worth jack!
I have two of them, and basicaly they are a AMD 800mhz rack mountable device. Brand new...around $4,0000 without any Checkpoint software/licenses.
IDE drives, and some other typical stuff.
You would be better off buying a Dell PowerEdge rackmountable server with no OS. Or if you are using Checkpoint then save a bunch of money and skip the Nokia solution. Use checkpoint Secure OS (Redhat with lots of limitations) and put it on a Dell with 4 hour replacement. That alone would save you over $2K a year in support contracts with a Nokia Platform, and you get a faster firewall to boot!
So explain to me...WTF IS THE POINT!
Yes, Nokia IP330 are expensive solutions. And Yes so is Checkpoint. But anyone who compares Checkpoint to a Linux Free solution...well I would like to see a comparison of that. The Checkpoint firewall is a complete solution, with plugins to your security needs, and yes you ahve to pay extra cash to get it all to interact.
The linux solution is hodge podge and not even close to being remotely the same in either quality, or type of solution.
This would be like comparing MS Exchange to Sendmail. Yes, they both send emails. One is very expensive and has some nice options. The other sends mail well and some think its a better solution. The point being that with Exchange you are not paying for just an email server. It has lots of bells and whistles (dont blame exchange for viruses...Outlook yes, exchange no)
Same with Checkpoint! You are not just paying for a firewall.
So you are going to buy a expensive Nokia IP330 and install linux on it. Very amuzing....
Licensing and pricing suck , but it sure is nice to quickly push a firewall policy to several endpoints at once. Failover solutions are hella easy also.
(Although typing in "failover" on PIX is hella nice)
You find the debug port, download your OS and voila you've got Linux running!
Running an OS isn't something to crow about.
Neither is replacing a BSD with Linux.
I have been pwned because my
There is more to IPSO, the net OS that runs on the Nokia 330, than just a hardened freeBSD. The networking protocols are coded deep into the kernel, and have been highly optimized. To run a vanilla Linux on the box means that net routing will just become another application to the OS, along with the corresponding hit to performance.
I'm a network guy for a fairly large company. We use Linux all over the place, including firewalls. Frankly, I'm quite impressed; we've found it to be far more supportable than even the best commercial products.
But why would I want to run it on a Nokia box? Typically, firewall vendors sell the box's hardware and software support together. So, if you're not paying the software support, you have no hardware support. If you're using Linux to save costs, and it fries its power supply, you're SOL.
For the amount of CPU power that you get in the Nokia, you're better off if you buy a good, high-quality PC (We use Dell PowerEdge), throw a few NICs in it, and run Linux on it. The PC will be cheaper, include hardware support, and be easily field-servicable by any PC tech.
The Nokia IP series are just PCs in nifty-lookin' rack cases. And they're already running OpenBSD, right from the factory. Which, last time I checked, had far better security (and hence made a better FW) than GNU/Linux. If you don't like FW-1, just don't run it! Set up whatever BSD FW you prefer. Duh.
Also, given the very high cost of these boxes, and the fact that (with FW resource usage so low) they won't become obsolete any time soon, why not just leave it alone? How does this save anyone any money?
+++++++
"Look, dear, it's a crazy hairy scary man!"
On the Nokia series, you pay a premium for A) Nokia's OS (NetBSD-based, I believe, which has VRRP for failover), B) it's interoperability w/programs like CheckPoint and ISS, and C) being able to rack it.
WAY too much of a premium, in my opinion. When the sales guys at the VAR I was at tried to push them on all our customers, I quietly directed them all to PIXen or OpenBSD.
seeing some other posts ...
... i work tech for a dept. the nokias belong to the uni, so i don't work on 'em), mostly 330s and 440s.
... it's (ipso/fw-1) a common platform in that niche, so it'd be much easier to find someone else that knows how to manage them, and, they have nokia to have fix problems.
we have a number of nokia's where i work (it's a university
granted, they are based on older hw (p2-450s, early p3s, etc). however, what you're paying for is CYA and management. if it breaks, you call nokia or whomever is responsible for providing support for it.
IPSO does one thing, *very* well. personally, i'm of the opinion of a decently spec'd out box running obsd w/pf, but only because i manage the box. some may like linux with iptables or whatever.
suppose you go the obsd/linux route on an off-the-shelf i386 machine. 1. you buy the machine. 2. you have to pay someone to manage it. rough guesstimation, but i see it a *lot* cheaper to buy a few nokia boxes and pay the fw-1 license fees. my dept is already incurring my salary, so we decided to get an i386 box (dell pe1650), two 4 port ethernet cards, and get on with it. it works great. if that thing breaks though, it's my ass. plus, if i leave, someone will need to know how to manage it. the uni where i work going with nokias
vodka, straight up, thank you!
Would this not violate the DMCA?
I mean you just hardware hacked a device to make it work.
For example spoofing the NIC's that were designed to work only with an IPSO solution.
Just a thought....
Dude! Your going to Jail!
Next time buy a Dell-
typing in 'failover' on obsd would be sweet too, if cisco relaxed on the vrrp patents =)
vodka, straight up, thank you!
Some thoughts I had when reading the article:
;-) It might be a good idea to delete the compiler after everything has been configured, or even better, don't install it and build any necessary packages on another server, then transfer the binaries to the firewall.
:-D
> Once the new partition table is saved there is no going back; both IPSO and Check Point FW-1 are gone.
Of course, if I were the one doing the installation I'd backup the original drive contents so I could always go back to original configuration (in case of screw up, or if I wanted to sell the unit on e-bay, etc.) It's only 8 Gb...
> When it comes time to install the various packages, select only Network Support and then go into the Select Individual Packages section and add GCC, autoconf and ncurses.
GCC on a firewall box?! Sounds like a new tool of terror for the scrip7 kiddies.
Nice article though. Nothing like putting the screws to those closed source, code hoarding, proprietary software vendors.
I track known Slashdot scumbags on my foes list!
I've thought about entering the appliance market too, but dealing with Cisco and similar types would be too hard. Still, the OS and network components are already taken of. It' sthe inetrface that needs work on.
My idea is to have a small box (running a via cpu) and have 3 nics in it. Lets call then eth0, eth1, and eth2. Eth0 and Eth1 would be a frame and packet discriminatory firewall capible of maintaining quotas. The quotas would be set up in user/group/all settings which would bind MAC or IP for quota setting.
Whatever passes through Eth0 or 1 is totally transparent (eg: transparent bridge). Eth2 would be your maintenance/interface. Https and ssh would be available for configs.
All the hardware and most of the software is there. It's just the glue work that needs to be done.
Hey, WatchGuard has been running on a Linux 2.x kernel for a while now - - sure would be nice to be able to put their software on a box of my choosing. Their stuff is pretty pricey . . .
Too bad I'm not a real coder, maybe I'd try it myself. As firewalls go, WatchGuard's a pretty good one.
It's only funny until someone gets hurt. Then, it's hilarious.
As a bit of background, I work for an established Check Point and Nokia partner. We regularly sell large numbers of these firewalls to enterprise customers. They are as reliable and full-featured as a firewall gets.
This article brings up the question: why would anyone consider installing Linux on the Nokia appliance? The answer: they wouldn't. Here are the reasons.
1. If the hardware is used/old, it is outdated by today's standards. For $800 including hardware support you can get a nice rackmount Dell server and run Linux on it. The performance boost would be many many times what you can get on the Nokia.
2. The Nokias hold their resale value better than a system with the same hardware specs. An older 330 can still fetch a decent amount on Ebay. Right now, there is one that has a buy-it-now price of $1,199.00. Why do you want an AMD 233 with no hardware support when you can sell it and buy yourself an 850MHz Celeron with support and then pocket $300?? It doesn't make sense.
3. Presumably, if you already have the Nokia then you have Check Point as well. Why ditch it for a the Linux firewall? The management, logging, and OPSEC features of Check Point outweigh the benefits of switching to Linux.
I think the Nokia/Check Point solution is great. I just don't think that trying to run an unsupported OS on the platform is worth it. Look at the cost/benefit of a new system. It makes a lot more sense to "budget-strapped IT departments."
-shox
Fist of all, the Nokia firewall appliances already run a stripped-down and hardened *nix (freeBSD-derivative) so this is not exactly new. People have been replacing it with a home brewed distro for a while, for the fun of it.
Second you'd be crazy to ditch Checkpoint FW1 for iptables. I run a few FW1's at work, and have Linux+iptables at home, but I'd never exchange the two. Try to create a distributed, system-wide network policy with 5 clustered (stateful failover capable) enforcement points, some of which doing CVP-based email antivirus on the fly and tell me how easy it is with Iptables. And, get it to NAT Oracle sqlnet v2 sessions when someone decided not to run it on port 1521 "for added security" (aargh).
Third, don't *have* to pay for yearly support contract, but usually you *want* to. You have an initial cost depending on the FW1 license (50-node, 250-node or unlimited) and then you keep paying for two things called support and accountability, which matter a lot in the business sector. And that's exacly why Linux, to really flourish in the business sector, at the moment has more need of companies professionally supporting it (for $$$) than developers.
Don't get me wrong, I am a loyal, happy, avid Linux supporter and make my living out of it. I love Slackware and have come to rely on it like I could do with nothing else, but from the AC's comment it looks like he really got it totally wrong and never wondered *why* someone should pay for a professional product.
Vacuum cleaners suck. Kings rule.
As a large Nokia / Checkpoint shop who has recently been looking at alternative solutions to the high maintenance cost and fingerpointing that goes on between the two companies nowadays when there's a problem; the opportunity to load Linux and enventually Checkpoint's Secure OS on an IP330 is very compelling from the standpoint we would be able to use the hardware we purchased but be able to go to one source for OS and FW support.
;-)
Not to mention you usually need to upgrade the IPSO when you upgrade to the latest and greatest NG, Service Pack X, Hot Fix X, roll up X. So you get to buy yourself another year or two out of the IP's without having to pay Nokia.
Finally, most of our offices don't come close to taxing a 330 so as long as the hardware doesn't fail why run out and buy new hardware?
That's WTF point is....
It really does astound me that so many people think this a good idea.
;-)
First off, the whole cost factor that people continue to bring up blows my mind. Any company with any knowledge of doing risk analysis will know that paying $50k a year, say, on securing your companies life-blood (trade secrets, source code, credit card numbers, etc.) is nothing. If your company can not afford this kind of money for proven security solutions, then you're obviously looking at the wrong supplier, or the wrong product from the right supplier (who's to say), or you shouldn't have an Internet connection.
Secondly, IPSO has been harded over the years by a team of dedicated software engineers. It has an enhanced routing daemon, it is easily backed up and restored, and with the latest builds of IPSO they have introduced some amazing clustering capabilities. When you chose a reputable company's solutions, you can count on security vulnerabilities being addresses quickly by the aforementioned team, and not waiting on some guy to have some free time to patch your Freeware app.. not to mention solid advise from support on how to mitigate the vulnerability until a patch is available.
Third, you people say 'get a smokin dell, and slap in a buncha NICs! that'll compare!' are on some serious Rock. Apples to Apples, a high end Nokia IP Series vs a high end Dell... well, lets just say it would suck to be the Dell. 8o)
Now what would be really interesting to see is a Smokin' dell with IPSO and Checkpoint installed! Proprietary hardware vendors, such as Nokia and Cisco, will not use the latest/fastest CPU that're currently available in their appliances for a lot of good reasons.. though I would be curious to see the performance stats on that combo.
All in all, you cant compare a linux install to an IPSO install when you want raw routing and packet tossing power. It's apples to oranges. But it is an interesting article anyways.. it ranks right up there with installing linux on an Xbox.. Hey, why not run iptables on an XboX?! 8oP
I've also noticed that a lot of people have a lot of misconceptions about Checkpoint, but unfortunately addressing them would be going a little too far off topic.
I'd ask 'Why would you want to do this, anyway?', but we are nerds, and we know the answer is 'because, we can.'
anonymous coward, CCSE
not a linux god, a networking demi-god.
Totally agree... nuff said from me.
You might want to remember something important... On IP330s I believe the Boot Manager resides on the hard drive itself and formatting/repartitioning or otherwise altering it might render the Nokia device no longer able to use IPSO.
When you chose a reputable company's solutions, you can count on security vulnerabilities being addresses quickly
Like microsoft. Yeah, that model works really great.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Ive installed probably over a hundred of Nokias in the field, so ive seen a lot with these machines...
;)
:)
/boot patition on a Linux box - its does not contain BIOS stuff...
In terms of support, everyone here is right - stick with IPSO so you dont void your warranty! Nokia IPSO is a great os for Check Point, and supports all the features Check Point supports (except the Reporting Module server - its Wind0ze only - well until NG FP4...
I have a few customers that have installed Secure Platform (customized, hardended RedHat 7.2 with a shell to ease administration - in NG FP4 contains a web gui similar to their SOHO Home products) All of these customers have expired hardware contracts so its no big deal to them. The IP330 and IP440 are quite out-dated now... Netfilter does not need much power though
I agree CheckPoint is a little pricy, but they have a feature set that nothing else touches.. yet... Cool stuff, like single-sign on transparent authentication with user logging, and centralized logging with a decent gui with reporting features. (all for a price...)
My only beef with the product is NO LINUX GUI! aarrgg... At least i can run Windows in a VM on Linux and OSX... (well, i also dont like the fact that it is closed source, but i cant do much about that...)
As for the Boot Manager, you can safely wipe that out on the IP330 if your going to Linux... Its similar to the
Wouldnt it be nice if there was a decent, cross-platform gui for distributing Netfilter rulebases to multiple Linux firewalls with a centralized logging database and a nice PHP/MySQL frontend for reporting...
Ralph Bonnell - CISSP, LPIC-2, CCSI, CCSE+, CCNA, RSA/CSE, CSFE, MCSE 2000
Cybie! aka Ralph Bonnell
The IP650 contains an Intel motherboard (i believe), and the hard drive is your standard 2.5inch notebook drive. Keep in mind all of the slots in a IP650 are C-PCI.
I would recommend unscrewing the hard drive from the C-PCI adapter board, and using an IDE adapter to plug it into a standard PC. As long as the drive is active, it *should* work when put into the 650. The problem with that machine is that the VGA connector is impossible to get to when the case is assembled. (and it needs to be assembled in order to get power to the NLX motherboard.
So if you really want to put Linux or openbsd on that thing, make sure you configure the OS to dump the root console to the serial port...
Cybie! aka Ralph Bonnell
having used checkpoint and ccse and ccsa courses I can say that it is a very good firewall but why would anyone want to rip out checkpoint and ipso and install linux? if you want a linux (or for my preference, freebsd) firewall then buy a 1u box and a qfe ffs. why trash a perfectly good nokia box? checkpoint is a damn good firewall even if you don't keep getting updates to the latest and greatest.
dave
well, there are free frrp deamons about but I don't know if they are missing anything from commercial vrrp stuff.
www.bsdshell.net
dave
In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."
Well, the choice actually is, pay another company to maintain/support it, or pay a linux geek in-house to do it. I would argue that for many reasons, the former is more economical than the latter. If you pay for a support contract, you benefit from the economies of scale, as Nokia can afford to employ multiple experts in this particular system who divide their time amongst its customers. An in-house employee is unlikely to have the same expertise and experience, and if he/she did, then it would not be used full time. Further, the external organization has a global view, and can see all the issues at all its customer's sites, which means if someone runs into a problem before you, the support engineers will probably already have seen it.
Secondly, a support contract is a business expense. If comes out of operating cash, and can be written off against taxes. The firewall kit was paid for out of the capital budget, and can be amortized over time. An employee gets a salary which may be more than the support contract, but there are lots of costs involved, taxes, equipment, HR staff time, office space, etc. None of those apply to a support contract.
Thirdly, there is fitness for purpose. I have a hard time believing that a highly optimized appliance can be repurposed like this without a corresponding reduction in performance and capability. As with all embedded systems, hardware and software are tightly co-ordinated. A general purpose OS can not fully exploit the hardware, and it includes much unnecessary functionality which further reduces effectiveness.
Fourthly, your auditors may not sign off on your insurance if you roll your own solution. This is nothing to do with Nokia taking liability, this is your insurance company deciding what is and is not an acceptable level of risk. A quick scan of BUGTRAQ and CERT reveals many, many more Linux exploits than Nokia exploits!
So in short, if you have a spare Nokia for free and need a general-purpose computing device, then sure, why not, but if you have one and need a firewall, then use it for its intended purpose. I only use Open Source software when it actually is the best - there is no room for ideology in technology decisions, particularly when the risks of compromising security are so high. You're messing around with people lives here; if the business fails, then jobs are lost. But equally, if you can objectively prove that Linux is better, then use it. Unfortunately, this type of analysis is all too rare, all I hear is "MS sucks, d00d!".
Checkpoint inspection refers to layer 3-7 inspection, not just stateful inspection of IP flows. Without going into userland or writing your own module, you can't crack into headers with iptables the way you can with CP. ie, write me an iptables rule that stops all GIF images from being loaded from an arbitrary website.
CP has a language called INSPECT that lets you build any filtering rules you want. That code is compiled into the CP driver which wedges in between layers 2 and 3 on the host's network stack.
There's no point in comparing CP and IPTables, they solve two separate problems. IPTables gives you basic, stateful inspection of IP flows. CP provides a richer set of policy control, not to mention enterprise management of multiple firewalls, failover. I use iptables at home, and CP at work.
Nokia/IPSO provides an excellent platform on which to run CP, far cheaper than SUN, more reliable than Windows. SecurePlatform is still maturing, since it's based on RH 7.1 it's lacking in support for some modern cards. And, there is significant benefit to having one number to call and one person to point the finger at. Yea, I'm paying a lot of money for what is essentially an 800MHz AMD, but it's a well built one that I'm not going to worry about it falling over due to hardware problems.
Sean
We recently replaced the Nokia/Checkpoint boxen with PIX firewalls. I don't care to get into a PIX vs Checkpoint war, but lets just say it saved us TONS of $$$$ on a yearly basis.
/dev/hda for the /boot partition works like a charm.
Having seven of these IP650's sitting on a shelf, I had to wonder... what can I use them for??? Then it hit me... I need RMON type probe capabilities in my call centers around the country, and with the four port NIC's installed, these might make good candidates.
I pull the compact flash card from the 650, put it in my reader on my RH8 desktop, dd bootnet.img to it, put it back in the IP650, and boot it. Once it boots, a simple FTP load, using the compact flash card at
I've got squideral, NTOP, ethereal, and a couple of in house scripts running on each of them now collecting traffic stats, doing WCCP transparent caching, and allowing me to do remote sniffs of the call centers.
Sig??? I don't need no stinkin Sig!
The easiest way, I've found, is to pull the CF card, put it in a reader on another linux box, and copy your boot image to it... I use RH -
/dev/sda
/boot on /dev/hda (the CF card). The IDE hard drive is /dev/hdc.
CF installed as
dd if=bootnet.img of=/dev/sda
Then put the CF card back in the 650, boot it, and run the ftp based install from your local ftp server. Make sure when you format your drives that you put
Joe
Sig??? I don't need no stinkin Sig!
Every time I've run a firewall on my nokia, it becomes totally unusable for calling people. But then again, I do get fewer telemarketers.
Ergonomica Auctorita Illico!
First off, the whole cost factor that people continue to bring up blows my mind. Any company with any knowledge of doing risk analysis will know that paying $50k a year, say, on securing your companies life-blood (trade secrets, source code, credit card numbers, etc.) is nothing.
Absolutely. Besides, the one-time cost of the hardware is trivial and can be depreciated over the course of a few years. The only issue that really matters are the on-going support costs and the headcount to maintain it.
Third, you people say 'get a smokin dell, and slap in a buncha NICs! that'll compare!' are on some serious Rock. Apples to Apples, a high end Nokia IP Series vs a high end Dell... well, lets just say it would suck to be the Dell. 8o)
Agreed. But compare the performance of your Nokia box to a killer Sun server, and it would suck to be the Nokia. As you said, it is a matter of comparing apples to apples. The advantages Nokia really has IMHO is that it is relatively cheap, and it more idiot-proof. I still think that the big shops with the skills and budgets to match will continue to run FW-1 on Sun hardware.
*** Where are we going? And what's with this handbasket?
any particular attachment to linux?
http://www.allard.nu/openbsd
vodka, straight up, thank you!
(based on this mail on ietf vrrp maling list)
The main problem with this is that the drive comes up on it's own controller, and as /dev/hdc. The machine won't load the boot loader from there.
/dev/hda.
The bootloader must be on the CF card at
Joe
Sig??? I don't need no stinkin Sig!
--
Yeah, right, Checkpoint on Linux on IP330.
Get the half-assed Linux support of Checkpoint
together with the sub-par performance of the overpriced IP330. Now THATs a real good point...