Slashdot Mirror


Linux on Nokia IP Series Hardware

Anonymous Coward writes "Michael Rash has written a howto for the Linux Journal on getting Linux to run on a Nokia IP 330. Now we can use a free firewall on a platform normally designed to run Check Point Firewall-1. In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."

25 of 138 comments

  1. Finally some good news! by Blaine Hilton · · Score: 3, Informative
    This could really take off in the network appliance market. When I calculate the costs of buying such a device you must look at costs over the total lifetime such as support, software upgrades and such. When I first started with technology I was shocked to learn that you had to pay for upgrades. This is a big reason why I do not care for Cisco products. However on the flip side you do have support and with that comes somebody to blame. When the whole network is going up in flames it's advantageous to have a person to point fingers at if nothing else...

    Go calculate something

    1. Re:Finally some good news! by Anonymous Coward · · Score: 5, Insightful

      When I first started with technology I was shocked to learn that you had to pay for upgrades

      Yes, I was also shocked when I found out auto makers wouldn't give me the latest car model every time they upgraded the design. Or that I didn't automatically get later editions of textbooks. Or that I didn't get a free sixpack of Vanilla Coke despite all those Classic Cokes I've bought. Or that I don't get a new HDTV, even though I've been a loyal user of my last one for ten years.

      One purchase does not entitle you to free products for life. Networking products are no different. Neither is software. You can't afford to pay the engineers to work on the upgrade unless you pay for the upgrades. (The only alternative is to pay for them all up front -- but then you wouldn't buy that very expensive product compared to its competitors, now would you?)

    2. Re:Finally some good news! by pi_rules · · Score: 5, Insightful
      When the whole network is going up in flames its advantageous to have a person to point fingers at if nothing else...


      I hate this sentiment. It doesn't do the network or the business any good to be able to point a finger. It does you some good though, as you're not responsible for it in management's eyes. So, not only are you paying out the arse for support, you're also suffering downtime. Wonderful!

      Nobody considers it your fault though, unless you didn't have a good reason for picking your vendor. If everybody thought the vendor was a good one then you're okay. Well, the end of the fiscal year comes around and your department spent all of its money and didn't achieve its goals. The internal IT team sticks their thumbs up their collective asses and points the index finger of their free hand at the vendors. Business conclusion at this point: The department costs too much and provides too little. Outsource it or cut it.

      You still lost your job.

      Maybe I'm idealistic but it frightens me how many people only do enough to keep their job safe without thinking about the company's benefit as a whole.

      Perhaps I'm a bit jaded though. A recent project that I've been working on just illustrates the point that your vendor isn't employing hundreds upon hundreds of Supermen. In fact, their employees might be just damned near retarded sometimes. Their engineers have deadlines to meet and they can't meet those deadlines if you're still finding bugs in their recently released product and demanding fixes for them. It really doesn't matter how much money you put into them -- they're still only human. No amount of cash will change that.
  2. "now we have" by Triumph The Insult C · · Score: 5, Interesting

    a way to void that warranty

    this is nothing new.

    the nokia IP boxes run IPSO ... a hardened freebsd. people have been removing IPSO and installing fbsd for quite some time.

    now, why you'd buy a several thousand dollar p2-450 to begin with, i can't say.

    --
    vodka, straight up, thank you!
    1. Re:"now we have" by MoreBeer · · Score: 4, Interesting

      I manage 11 Nokia devices in B2B site to site VPNs around the world. For the remote manageability and the ability to pre-configure and 'parachute' them into their environment, there is absolutely no better piece of hardware out there. I have an IP330 in Japan with an uptime of damn near 2 years.

      Lately, however, I've had differing opinions of Nokia. Why should I pay $4K for an AMD processor and then $1500 a year for support? It's insane! I could take a $4K HPaq DL360 and install Check Point's (free) SecurePlatform on it. Hands down 10000% better performance, and SecurePlatform (RedHat) is a supported Check Point SKU on commodity hardware. A drive pops on an IP330? You're screwed.

      The only major benefit I can think of in regards to this article is the Linux/IPSO performance numbers I've read about... I've heard that Linux will hands down outperform IPSO, but have _not_ done any formal testing myself. If I could take an IP330, install RedHat 7.3 (like I have running my management server), and then FW1, plus still have the remote manageability (using the internal modem), I'd think about it. The article doesn't say a thing about the internal modem (an additional option), but I'm betting that it ain't gonna work.

      my .02

  3. Interesting, but why? by evilviper · · Score: 2, Interesting
    IPSO is based on FreeBSD, provides advanced routing and failover capabilities and is extremely stable, with uptimes regularly running in the multiple hundreds of days.

    Well we'd better put an end to THAT!

    Seriously though... What does the checkpoint hardware have to offer? And even if it has something wonderful, wouldn't it make more sense to use, say, FreeBSD on it?
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  4. Not A Big Deal by TheHulk · · Score: 5, Interesting

    The Nokia IP series hardware is nothing more than older AMD K6 processor with a small amount of RAM by todays standards. You'd be better off with a $300 PC from Wal-Mart and a couple network cards. Don't get me wrong, I love the fact that Linux continues to spread to new areas, but it has to be put into perspective.

    1. Re:Not A Big Deal by Anonymous Coward · · Score: 2, Informative

      Actually, the newer IP330 models (SN's start with 9N instead of 8A) are AMD K6-2 400's with 246megs of ram, and can be found on ebay.

      Good luck getting support on the box from Nokia or a reseller after something like this has been tried, with or without a support contract. You'll be told it's not supported, and nothing can be done.

  5. I don't get it. by Anonymous Coward · · Score: 2, Insightful

    What is any different from this box and a normal linux box with several NICs? The reason people buy something from Nokia is to run Checkpoint. Why not just buy a 2u and put quad intel nics in it?

  6. WTF IS HE THINKING! by Anonymous Coward · · Score: 5, Interesting

    Okay first off. A Nokia IP330 isn't worth jack!
    I have two of them, and basically they are an AMD 800mhz rack mountable device. Brand new...around $4,000 without any Checkpoint software/licenses.

    IDE drives, and some other typical stuff.

    You would be better off buying a Dell PowerEdge rackmountable server with no OS. Or if you are using Checkpoint then save a bunch of money and skip the Nokia solution. Use checkpoint Secure OS (Redhat with lots of limitations) and put it on a Dell with 4 hour replacement. That alone would save you over $2K a year in support contracts with a Nokia Platform, and you get a faster firewall to boot!

    So explain to me...WTF IS THE POINT!

    Yes, Nokia IP330 are expensive solutions. And Yes so is Checkpoint. But anyone who compares Checkpoint to a Linux Free solution...well I would like to see a comparison of that. The Checkpoint firewall is a complete solution, with plugins to your security needs, and yes you have to pay extra cash to get it all to interact.

    The linux solution is hodge podge and not even close to being remotely the same in either quality, or type of solution.

    This would be like comparing MS Exchange to Sendmail. Yes, they both send emails. One is very expensive and has some nice options. The other sends mail well and some think its a better solution. The point being that with Exchange you are not paying for just an email server. It has lots of bells and whistles (don't blame exchange for viruses...Outlook yes, exchange no)

    Same with Checkpoint! You are not just paying for a firewall.

    So you are going to buy an expensive Nokia IP330 and install linux on it. Very amusing....

  7. It's not even a hack anymore by ObviousGuy · · Score: 3, Insightful

    You find the debug port, download your OS and voila you've got Linux running!

    Running an OS isn't something to crow about.

    Neither is replacing a BSD with Linux.

    --
    I have been pwned because my /. password was too easy to guess.
  8. IPSO is More than Security by SonOfFlubber · · Score: 4, Interesting

    There is more to IPSO, the net OS that runs on the Nokia 330, than just a hardened freeBSD. The networking protocols are coded deep into the kernel, and have been highly optimized. To run a vanilla Linux on the box means that net routing will just become another application to the OS, along with the corresponding hit to performance.

    1. Re:IPSO is More than Security by convolvatron · · Score: 5, Informative

      actually no. i was in the group that did the kernel work for ipso. it has a custom ip forwarding path and forwarding table machinery. the routing is done using a largely rewritten version of...gated

      these three things and the management system make ipso a good software routing platform.

      which doesn't really offset the cost of what is a pretty sluggish pc

  9. But WHY? by subreality · · Score: 5, Insightful

    I'm a network guy for a fairly large company. We use Linux all over the place, including firewalls. Frankly, I'm quite impressed; we've found it to be far more supportable than even the best commercial products.

    But why would I want to run it on a Nokia box? Typically, firewall vendors sell the box's hardware and software support together. So, if you're not paying the software support, you have no hardware support. If you're using Linux to save costs, and it fries its power supply, you're SOL.

    For the amount of CPU power that you get in the Nokia, you're better off if you buy a good, high-quality PC (We use Dell PowerEdge), throw a few NICs in it, and run Linux on it. The PC will be cheaper, include hardware support, and be easily field-serviceable by any PC tech.

  10. What's the point? by Morthaur · · Score: 2, Insightful

    The Nokia IP series are just PCs in nifty-lookin' rack cases. And they're already running OpenBSD, right from the factory. Which, last time I checked, had far better security (and hence made a better FW) than GNU/Linux. If you don't like FW-1, just don't run it! Set up whatever BSD FW you prefer. Duh.

    Also, given the very high cost of these boxes, and the fact that (with FW resource usage so low) they won't become obsolete any time soon, why not just leave it alone? How does this save anyone any money?

    --

    +++++++
    "Look, dear, it's a crazy hairy scary man!"
  11. Nokia IP440 running Windows 98 by scubacuda · · Score: 3, Interesting
    I actually installed Windows 98 on one of the Nokia IP440s. They have CD drives (unlike the IP330s) and are really nothing more than a souped up version of the PC you have at home.

    On the Nokia series, you pay a premium for A) Nokia's OS (NetBSD-based, I believe, which has VRRP for failover), B) its interoperability w/programs like CheckPoint and ISS, and C) being able to rack it.

    WAY too much of a premium, in my opinion. When the sales guys at the VAR I was at tried to push them on all our customers, I quietly directed them all to PIXen or OpenBSD.

  12. devil's advocate by Triumph The Insult C · · Score: 5, Interesting

    seeing some other posts ...

    we have a number of nokia's where i work (it's a university ... i work tech for a dept. the nokias belong to the uni, so i don't work on 'em), mostly 330s and 440s.

    granted, they are based on older hw (p2-450s, early p3s, etc). however, what you're paying for is CYA and management. if it breaks, you call nokia or whomever is responsible for providing support for it.

    IPSO does one thing, *very* well. personally, i'm of the opinion of a decently spec'd out box running obsd w/pf, but only because i manage the box. some may like linux with iptables or whatever.

    suppose you go the obsd/linux route on an off-the-shelf i386 machine. 1. you buy the machine. 2. you have to pay someone to manage it. rough guesstimation, but i see it a *lot* cheaper to buy a few nokia boxes and pay the fw-1 license fees. my dept is already incurring my salary, so we decided to get an i386 box (dell pe1650), two 4 port ethernet cards, and get on with it. it works great. if that thing breaks though, it's my ass. plus, if i leave, someone will need to know how to manage it. the uni where i work going with nokias ... it's (ipso/fw-1) a common platform in that niche, so it'd be much easier to find someone else that knows how to manage them, and, they have nokia to have fix problems.

    --
    vodka, straight up, thank you!
  13. Compiler -- on a firewall? by Scumbag Tracker · · Score: 5, Interesting

    Some thoughts I had when reading the article:

    > Once the new partition table is saved there is no going back; both IPSO and Check Point FW-1 are gone.

    Of course, if I were the one doing the installation I'd backup the original drive contents so I could always go back to original configuration (in case of screw up, or if I wanted to sell the unit on e-bay, etc.) It's only 8 Gb...

    > When it comes time to install the various packages, select only Network Support and then go into the Select Individual Packages section and add GCC, autoconf and ncurses.

    GCC on a firewall box?! Sounds like a new tool of terror for the scrip7 kiddies. ;-) It might be a good idea to delete the compiler after everything has been configured, or even better, don't install it and build any necessary packages on another server, then transfer the binaries to the firewall.

    Nice article though. Nothing like putting the screws to those closed source, code hoarding, proprietary software vendors. :-D

    --
    I track known Slashdot scumbags on my foes list!
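
The comment above suggests compiling on another server and only moving binaries to the firewall. The following is an added example, not code from the article or from the commenter, showing one way to make that split enforceable: the build host writes a SHA-256 manifest for the staging tree, and the firewall side refuses to install anything that does not match it or that is not listed. The directory layout and the `fwtool` file name used in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article or the comment): build elsewhere,
# ship binaries plus a SHA-256 manifest, verify on the firewall before
# installing. Requires GNU coreutils (sha256sum). Paths are placeholders.

set -u

# Build host: hash every file in the staging tree into MANIFEST.
# Run after the build, before the tree is copied to the firewall.
make_manifest() {
    stage="$1"
    ( cd "$stage" && find . -type f ! -name MANIFEST -exec sha256sum {} + \
        | LC_ALL=C sort -k 2 ) > "$stage/MANIFEST"
}

# Firewall: every listed file must match, and nothing unlisted may be
# present (a smuggled extra file is as bad as a modified one).
# Returns 0 only when both hold, so it chains cleanly with && and ||.
verify_manifest() {
    stage="$1"
    [ -f "$stage/MANIFEST" ] || { echo "no MANIFEST in $stage" >&2; return 1; }
    ( cd "$stage" && sha256sum --check --quiet MANIFEST ) || return 1
    listed=$(wc -l < "$stage/MANIFEST" | tr -d ' ')
    present=$( cd "$stage" && find . -type f ! -name MANIFEST | wc -l | tr -d ' ' )
    [ "$listed" -eq "$present" ] || { echo "unlisted files in $stage" >&2; return 1; }
}

# Firewall: copy the verified tree into place. Nothing is copied when
# verification fails, so a bad transfer cannot leave a half-installed tree.
# MANIFEST is copied along as a record of what was installed.
install_stage() {
    stage="$1"; dest="$2"
    verify_manifest "$stage" || return 1
    mkdir -p "$dest" && cp -pR "$stage"/. "$dest"/
}

# Firewall: the point of the exercise is to keep a compiler off the box.
# Returns 0 when none of the usual names resolve, 1 (with a message) otherwise.
compiler_absent() {
    for c in gcc cc c99 clang; do
        if command -v "$c" >/dev/null 2>&1; then
            echo "compiler present: $(command -v "$c")" >&2
            return 1
        fi
    done
    return 0
}
```

Usage on the build host is `make_manifest /srv/stage` followed by copying the tree over (scp, sftp, whatever is permitted by the rulebase); on the firewall, `install_stage /var/tmp/stage /usr/local` does the check and the copy in one step, and `compiler_absent` is a cheap thing to run from cron so a compiler that later sneaks in gets noticed.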
  14. Why do this? by rjbrown99 · · Score: 5, Insightful

    As a bit of background, I work for an established Check Point and Nokia partner. We regularly sell large numbers of these firewalls to enterprise customers. They are as reliable and full-featured as a firewall gets.

    This article brings up the question: why would anyone consider installing Linux on the Nokia appliance? The answer: they wouldn't. Here are the reasons.

    1. If the hardware is used/old, it is outdated by today's standards. For $800 including hardware support you can get a nice rackmount Dell server and run Linux on it. The performance boost would be many many times what you can get on the Nokia.

    2. The Nokias hold their resale value better than a system with the same hardware specs. An older 330 can still fetch a decent amount on Ebay. Right now, there is one that has a buy-it-now price of $1,199.00. Why do you want an AMD 233 with no hardware support when you can sell it and buy yourself an 850MHz Celeron with support and then pocket $300?? It doesn't make sense.

    3. Presumably, if you already have the Nokia then you have Check Point as well. Why ditch it for the Linux firewall? The management, logging, and OPSEC features of Check Point outweigh the benefits of switching to Linux.

    I think the Nokia/Check Point solution is great. I just don't think that trying to run an unsupported OS on the platform is worth it. Look at the cost/benefit of a new system. It makes a lot more sense to "budget-strapped IT departments."

    -shox

  15. The poster must be joking... by Gruturo · · Score: 4, Informative

    First of all, the Nokia firewall appliances already run a stripped-down and hardened *nix (freeBSD-derivative) so this is not exactly new. People have been replacing it with a home brewed distro for a while, for the fun of it.

    Second you'd be crazy to ditch Checkpoint FW1 for iptables. I run a few FW1's at work, and have Linux+iptables at home, but I'd never exchange the two. Try to create a distributed, system-wide network policy with 5 clustered (stateful failover capable) enforcement points, some of which doing CVP-based email antivirus on the fly and tell me how easy it is with Iptables. And, get it to NAT Oracle sqlnet v2 sessions when someone decided not to run it on port 1521 "for added security" (aargh).

    Third, you don't *have* to pay for a yearly support contract, but usually you *want* to. You have an initial cost depending on the FW1 license (50-node, 250-node or unlimited) and then you keep paying for two things called support and accountability, which matter a lot in the business sector. And that's exactly why Linux, to really flourish in the business sector, at the moment has more need of companies professionally supporting it (for $$$) than developers.

    Don't get me wrong, I am a loyal, happy, avid Linux supporter and make my living out of it. I love Slackware and have come to rely on it like I could do with nothing else, but from the AC's comment it looks like he really got it totally wrong and never wondered *why* someone should pay for a professional product.

    --

    Vacuum cleaners suck. Kings rule.
  16. Re: Finally some good news!? by Anonymous Coward · · Score: 3, Insightful

    It really does astound me that so many people think this is a good idea.

    First off, the whole cost factor that people continue to bring up blows my mind. Any company with any knowledge of doing risk analysis will know that paying $50k a year, say, on securing your company's life-blood (trade secrets, source code, credit card numbers, etc.) is nothing. If your company can not afford this kind of money for proven security solutions, then you're obviously looking at the wrong supplier, or the wrong product from the right supplier (who's to say), or you shouldn't have an Internet connection.

    Secondly, IPSO has been hardened over the years by a team of dedicated software engineers. It has an enhanced routing daemon, it is easily backed up and restored, and with the latest builds of IPSO they have introduced some amazing clustering capabilities. When you choose a reputable company's solutions, you can count on security vulnerabilities being addressed quickly by the aforementioned team, and not waiting on some guy to have some free time to patch your Freeware app.. not to mention solid advice from support on how to mitigate the vulnerability until a patch is available.

    Third, you people who say 'get a smokin dell, and slap in a buncha NICs! that'll compare!' are on some serious Rock. Apples to Apples, a high end Nokia IP Series vs a high end Dell... well, lets just say it would suck to be the Dell. 8o)

    Now what would be really interesting to see is a Smokin' dell with IPSO and Checkpoint installed! Proprietary hardware vendors, such as Nokia and Cisco, will not use the latest/fastest CPU that're currently available in their appliances for a lot of good reasons.. though I would be curious to see the performance stats on that combo.

    All in all, you can't compare a linux install to an IPSO install when you want raw routing and packet tossing power. It's apples to oranges. But it is an interesting article anyways.. it ranks right up there with installing linux on an Xbox.. Hey, why not run iptables on an XboX?! 8oP

    I've also noticed that a lot of people have a lot of misconceptions about Checkpoint, but unfortunately addressing them would be going a little too far off topic.

    I'd ask 'Why would you want to do this, anyway?', but we are nerds, and we know the answer is 'because, we can.'

    anonymous coward, CCSE
    not a linux god, a networking demi-god. ;-)

  17. Opinions from LOTs of experience... by Cybersonic · · Score: 2, Interesting

    I've installed probably over a hundred Nokias in the field, so I've seen a lot with these machines...

    In terms of support, everyone here is right - stick with IPSO so you don't void your warranty! Nokia IPSO is a great os for Check Point, and supports all the features Check Point supports (except the Reporting Module server - its Wind0ze only - well until NG FP4... ;)

    I have a few customers that have installed Secure Platform (customized, hardened RedHat 7.2 with a shell to ease administration - in NG FP4 contains a web gui similar to their SOHO Home products) All of these customers have expired hardware contracts so its no big deal to them. The IP330 and IP440 are quite out-dated now... Netfilter does not need much power though :)

    I agree CheckPoint is a little pricey, but they have a feature set that nothing else touches.. yet... Cool stuff, like single-sign on transparent authentication with user logging, and centralized logging with a decent gui with reporting features. (all for a price...)

    My only beef with the product is NO LINUX GUI! aarrgg... At least i can run Windows in a VM on Linux and OSX... (well, i also don't like the fact that it is closed source, but i can't do much about that...)

    As for the Boot Manager, you can safely wipe that out on the IP330 if you're going to Linux... Its similar to the /boot partition on a Linux box - it does not contain BIOS stuff...

    Wouldn't it be nice if there was a decent, cross-platform gui for distributing Netfilter rulebases to multiple Linux firewalls with a centralized logging database and a nice PHP/MySQL frontend for reporting...

    Ralph Bonnell - CISSP, LPIC-2, CCSI, CCSE+, CCNA, RSA/CSE, CSFE, MCSE 2000

    --
    Cybie! aka Ralph Bonnell
  18. Re: Finally some good news!? by fyonn · · Score: 2, Interesting

    having used checkpoint and ccse and ccsa courses I can say that it is a very good firewall but why would anyone want to rip out checkpoint and ipso and install linux? if you want a linux (or for my preference, freebsd) firewall then buy a 1u box and a qfe ffs. why trash a perfectly good nokia box? checkpoint is a damn good firewall even if you don't keep getting updates to the latest and greatest.

    dave

  19. Wrong again by Fatty · · Score: 2, Informative

    Checkpoint inspection refers to layer 3-7 inspection, not just stateful inspection of IP flows. Without going into userland or writing your own module, you can't crack into headers with iptables the way you can with CP. ie, write me an iptables rule that stops all GIF images from being loaded from an arbitrary website.

    CP has a language called INSPECT that lets you build any filtering rules you want. That code is compiled into the CP driver which wedges in between layers 2 and 3 on the host's network stack.

    There's no point in comparing CP and IPTables, they solve two separate problems. IPTables gives you basic, stateful inspection of IP flows. CP provides a richer set of policy control, not to mention enterprise management of multiple firewalls, failover. I use iptables at home, and CP at work.

    Nokia/IPSO provides an excellent platform on which to run CP, far cheaper than SUN, more reliable than Windows. SecurePlatform is still maturing, since it's based on RH 7.1 it's lacking in support for some modern cards. And, there is significant benefit to having one number to call and one person to point the finger at. Yea, I'm paying a lot of money for what is essentially an 800MHz AMD, but it's a well built one that I'm not going to worry about it falling over due to hardware problems.

    Sean

  20. Why I run RH on Nokia IP650's. by freebase · · Score: 2, Interesting

    We recently replaced the Nokia/Checkpoint boxen with PIX firewalls. I don't care to get into a PIX vs Checkpoint war, but let's just say it saved us TONS of $$$$ on a yearly basis.

    Having seven of these IP650's sitting on a shelf, I had to wonder... what can I use them for??? Then it hit me... I need RMON type probe capabilities in my call centers around the country, and with the four port NICs installed, these might make good candidates.

    I pull the compact flash card from the 650, put it in my reader on my RH8 desktop, dd bootnet.img to it, put it back in the IP650, and boot it. Once it boots, a simple FTP load, using the compact flash card at /dev/hda for the /boot partition works like a charm.

    I've got squideral, NTOP, ethereal, and a couple of in house scripts running on each of them now collecting traffic stats, doing WCCP transparent caching, and allowing me to do remote sniffs of the call centers.

    --
    Sig??? I don't need no stinkin Sig!
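
Two steps in this thread come down to `dd` against a small flash or IDE device: the comment above writes `bootnet.img` to the IP650's compact flash card, and Scumbag Tracker's comment earlier suggests imaging the original drive first so IPSO can be put back. Neither comment shows how to confirm the write actually took. The following is an added example, not code from the article or from either commenter: it takes a hashed backup of the target, writes the image, reads the written bytes back and compares them, and refuses to restore a backup whose hash no longer matches. Device paths, `bootnet.img` and the backup file name are assumptions; on a real card the target is the raw device node, not a file.

```shell
#!/bin/sh
# Added example (not from the article or the comments): back up, write,
# read back and verify a boot image on a card or disk. Uses GNU coreutils
# (dd, sha256sum, head). /dev/sdX-style paths below are placeholders.

set -u

# SHA-256 of a file or device's contents, hash only.
image_hash() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Image the target before it is overwritten and record the hash beside it,
# so the backup can be checked before anyone trusts it to bring IPSO back.
# conv=fsync makes dd flush the output before reporting success.
backup_target() {
    target="$1"; out="$2"
    dd if="$target" of="$out" bs=1M conv=fsync 2>/dev/null || return 1
    image_hash "$out" > "$out.sha256"
}

# Write the image, then read back exactly as many bytes as were written and
# compare hashes. A card that silently drops or corrupts writes fails here
# rather than at first boot in a remote call center.
write_image() {
    img="$1"; target="$2"
    size=$(wc -c < "$img" | tr -d ' ')
    dd if="$img" of="$target" bs=1M conv=fsync 2>/dev/null || return 1
    expected=$(image_hash "$img")
    actual=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Going back: refuse a backup that no longer matches its recorded hash,
# otherwise write it with the same read-back check as any other image.
restore_backup() {
    backup="$1"; target="$2"
    recorded=$(cat "$backup.sha256") || return 1
    current=$(image_hash "$backup")
    if [ "$recorded" != "$current" ]; then
        echo "backup $backup does not match its recorded hash, not restoring" >&2
        return 1
    fi
    write_image "$backup" "$target"
}
```

The order in practice is `backup_target /dev/sdX ./ipso-card.bin`, then `write_image bootnet.img /dev/sdX`, with `restore_backup ./ipso-card.bin /dev/sdX` held in reserve; all three return non-zero on any failure, so a wrapper script can stop before moving the card back into the appliance.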