Slashdot Mirror
Linux on Nokia IP Series Hardware
Anonymous Coward writes "Michael Rash has written a howto for the Linux Journal on getting Linux to run on a Nokia IP 330. Now we can use a free firewall on a platform normally designed to run Check Point Firewall-1. In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."
a way to void that warranty
... a hardened freebsd. people have been removing IPSO and install fbsd for quite some time.
this is nothing new.
the nokia IP boxes run IPSO
now, why you'd buy a several thousand dollar p2-450 to begin with, i can't say.
vodka, straight up, thank you!
The Nokia IP series hardware is nothing more than older AMD K6 processor with a small amount of RAM by todays standards. You'd be better off with a $300 PC from Wal-Mart and a couple network cards. Don't get me wrong, I love the fact that Linux continues to spread to new area, but it has to be put into perspective.
Okay first off. A Nokia IP330 isnt worth jack!
I have two of them, and basicaly they are a AMD 800mhz rack mountable device. Brand new...around $4,0000 without any Checkpoint software/licenses.
IDE drives, and some other typical stuff.
You would be better off buying a Dell PowerEdge rackmountable server with no OS. Or if you are using Checkpoint then save a bunch of money and skip the Nokia solution. Use checkpoint Secure OS (Redhat with lots of limitations) and put it on a Dell with 4 hour replacement. That alone would save you over $2K a year in support contracts with a Nokia Platform, and you get a faster firewall to boot!
So explain to me...WTF IS THE POINT!
Yes, Nokia IP330 are expensive solutions. And Yes so is Checkpoint. But anyone who compares Checkpoint to a Linux Free solution...well I would like to see a comparison of that. The Checkpoint firewall is a complete solution, with plugins to your security needs, and yes you ahve to pay extra cash to get it all to interact.
The linux solution is hodge podge and not even close to being remotely the same in either quality, or type of solution.
This would be like comparing MS Exchange to Sendmail. Yes, they both send emails. One is very expensive and has some nice options. The other sends mail well and some think its a better solution. The point being that with Exchange you are not paying for just an email server. It has lots of bells and whistles (dont blame exchange for viruses...Outlook yes, exchange no)
Same with Checkpoint! You are not just paying for a firewall.
So you are going to buy a expensive Nokia IP330 and install linux on it. Very amuzing....
There is more to IPSO, the net OS that runs on the Nokia 330, than just a hardened freeBSD. The networking protocols are coded deep into the kernel, and have been highly optimized. To run a vanilla Linux on the box means that net routing will just become another application to the OS, along with the corresponding hit to performance.
I'm a network guy for a fairly large company. We use Linux all over the place, including firewalls. Frankly, I'm quite impressed; we've found it to be far more supportable than even the best commercial products.
But why would I want to run it on a Nokia box? Typically, firewall vendors sell the box's hardware and software support together. So, if you're not paying the software support, you have no hardware support. If you're using Linux to save costs, and it fries its power supply, you're SOL.
For the amount of CPU power that you get in the Nokia, you're better off if you buy a good, high-quality PC (We use Dell PowerEdge), throw a few NICs in it, and run Linux on it. The PC will be cheaper, include hardware support, and be easily field-servicable by any PC tech.
When I first started with technology I was shocked to learn that you had to pay for upgrades
Yes, I was also shocked when I found out auto makers wouldn't give me the latest car model every time they upgraded the design. Or that I didn't automatically get later editions of textbooks. Or that I didn't get a free sixpack of Vanilla Coke despite all those Classic Cokes I've bought. Or that I don't get a new HDTV, even that I've been a loyal user of my last one for ten years.
One purchase does not entitle you to free products for life. Networking products are no different. Neither is software. You can't afford to pay the engineers to work on the upgrade unless you pay for the upgrades. (The only alternative is to pay for them all up front -- but then you wouldn't buy that very expensive product compared to its competitors, now would you?)
seeing some other posts ...
... i work tech for a dept. the nokias belong to the uni, so i don't work on 'em), mostly 330s and 440s.
... it's (ipso/fw-1) a common platform in that niche, so it'd be much easier to find someone else that knows how to manage them, and, they have nokia to have fix problems.
we have a number of nokia's where i work (it's a university
granted, they are based on older hw (p2-450s, early p3s, etc). however, what you're paying for is CYA and management. if it breaks, you call nokia or whomever is responsible for providing support for it.
IPSO does one thing, *very* well. personally, i'm of the opinion of a decently spec'd out box running obsd w/pf, but only because i manage the box. some may like linux with iptables or whatever.
suppose you go the obsd/linux route on an off-the-shelf i386 machine. 1. you buy the machine. 2. you have to pay someone to manage it. rough guesstimation, but i see it a *lot* cheaper to buy a few nokia boxes and pay the fw-1 license fees. my dept is already incurring my salary, so we decided to get an i386 box (dell pe1650), two 4 port ethernet cards, and get on with it. it works great. if that thing breaks though, it's my ass. plus, if i leave, someone will need to know how to manage it. the uni where i work going with nokias
vodka, straight up, thank you!
Some thoughts I had when reading the article:
;-) It might be a good idea to delete the compiler after everything has been configured, or even better, don't install it and build any necessary packages on another server, then transfer the binaries to the firewall.
:-D
> Once the new partition table is saved there is no going back; both IPSO and Check Point FW-1 are gone.
Of course, if I were the one doing the installation I'd backup the original drive contents so I could always go back to original configuration (in case of screw up, or if I wanted to sell the unit on e-bay, etc.) It's only 8 Gb...
> When it comes time to install the various packages, select only Network Support and then go into the Select Individual Packages section and add GCC, autoconf and ncurses.
GCC on a firewall box?! Sounds like a new tool of terror for the scrip7 kiddies.
Nice article though. Nothing like putting the screws to those closed source, code hoarding, proprietary software vendors.
I track known Slashdot scumbags on my foes list!
As a bit of background, I work for an established Check Point and Nokia partner. We regularly sell large numbers of these firewalls to enterprise customers. They are as reliable and full-featured as a firewall gets.
This article brings up the question: why would anyone consider installing Linux on the Nokia appliance? The answer: they wouldn't. Here are the reasons.
1. If the hardware is used/old, it is outdated by today's standards. For $800 including hardware support you can get a nice rackmount Dell server and run Linux on it. The performance boost would be many many times what you can get on the Nokia.
2. The Nokias hold their resale value better than a system with the same hardware specs. An older 330 can still fetch a decent amount on Ebay. Right now, there is one that has a buy-it-now price of $1,199.00. Why do you want an AMD 233 with no hardware support when you can sell it and buy yourself an 850MHz Celeron with support and then pocket $300?? It doesn't make sense.
3. Presumably, if you already have the Nokia then you have Check Point as well. Why ditch it for a the Linux firewall? The management, logging, and OPSEC features of Check Point outweigh the benefits of switching to Linux.
I think the Nokia/Check Point solution is great. I just don't think that trying to run an unsupported OS on the platform is worth it. Look at the cost/benefit of a new system. It makes a lot more sense to "budget-strapped IT departments."
-shox
Fist of all, the Nokia firewall appliances already run a stripped-down and hardened *nix (freeBSD-derivative) so this is not exactly new. People have been replacing it with a home brewed distro for a while, for the fun of it.
Second you'd be crazy to ditch Checkpoint FW1 for iptables. I run a few FW1's at work, and have Linux+iptables at home, but I'd never exchange the two. Try to create a distributed, system-wide network policy with 5 clustered (stateful failover capable) enforcement points, some of which doing CVP-based email antivirus on the fly and tell me how easy it is with Iptables. And, get it to NAT Oracle sqlnet v2 sessions when someone decided not to run it on port 1521 "for added security" (aargh).
Third, don't *have* to pay for yearly support contract, but usually you *want* to. You have an initial cost depending on the FW1 license (50-node, 250-node or unlimited) and then you keep paying for two things called support and accountability, which matter a lot in the business sector. And that's exacly why Linux, to really flourish in the business sector, at the moment has more need of companies professionally supporting it (for $$$) than developers.
Don't get me wrong, I am a loyal, happy, avid Linux supporter and make my living out of it. I love Slackware and have come to rely on it like I could do with nothing else, but from the AC's comment it looks like he really got it totally wrong and never wondered *why* someone should pay for a professional product.
Vacuum cleaners suck. Kings rule.
I hate this sentiment. It doesn't do the network or the business any good to be able to point a finger. It does you some good though, as you're not responsible for it in managment's eyes. So, not only are you paying out the arse for support, you're also suffering downtime. Wonderful!
Nobody considers it your fault though, unless you didn't have a good reason for picking your vendor. If everybody thought the vendor was a good one then you're okay. Well, the end of the fiscal year comes around and your department spent all of it's money and didn't achieve it's goals. The internal IT team sticks their thumbs up their collective asses and points the index finger of their free hand at the vendors. Business conclusion at this point: The department costs too much and provides too little. Outsource it or cut it.
You still lost your job.
Maybe I'm idealistic but it frightens me how many people only do enough to keep their job safe without thinking about the company's benefit as a whole.
Perhaps I'm a bit jaded though. A recent project that I've been working on just illustrates the point that your vendor isn't employing hundreds upon hundres of Supermen. In fact, their employees might be just damned near retarded sometimes. Their engineers have deadlines to meet and they can't meet those deadlines if you're still finding bugs in their recently released product and demanding fixes for them. It really doesn't matter how much money you put into them -- they're still only human. No amount of cash will change that.