Linux on Nokia IP Series Hardware 138
Anonymous Coward writes "Michael Rash has written a howto for the Linux Journal on getting Linux to run on a Nokia IP 330. Now we can use a free firewall on a platform normally designed to run Check Point Firewall-1. In these troubling times where IT departments all across the landscape are trying to reduce costs, this will allow companies to say 'No' to expensive support contracts and upgrade costs and still maintain security without having to buy new hardware."
Finally some good news! (Score:4, Informative)
Re:Finally some good news! (Score:5, Insightful)
Yes, I was also shocked when I found out auto makers wouldn't give me the latest car model every time they upgraded the design. Or that I didn't automatically get later editions of textbooks. Or that I didn't get a free sixpack of Vanilla Coke despite all those Classic Cokes I've bought. Or that I don't get a new HDTV, even though I've been a loyal user of my last one for ten years.
One purchase does not entitle you to free products for life. Networking products are no different. Neither is software. You can't afford to pay the engineers to work on the upgrade unless you pay for the upgrades. (The only alternative is to pay for them all up front -- but then you wouldn't buy that very expensive product compared to its competitors, now would you?)
Re:Finally some good news! (Score:2)
Re:Finally some good news! (Score:1)
Unfortunately, the problem arises when I'm buying a product and the support contract so that at the end of twelve months I finally get the working product that I wanted in the beginning.
I'm going to have to vote in favor of Microsoft's model on this one...charge for new products, but offer service packs for free.
Re:Finally some good news! (Score:1)
>Yes, I was also shocked when I found out auto makers wouldn't give me the latest car model every time they upgraded the design.
A better analogy would be Car makers recalling and repairing serious design flaws in their product for free... which is what they do (in the UK at least).
Re:Finally some good news! (Score:1)
Re: Finally some good news!? (Score:3, Insightful)
First off, the whole cost factor that people continue to bring up blows my mind. Any company with any knowledge of doing risk analysis will know that paying $50k a year, say, on securing your company's life-blood (trade secrets, source code, credit card numbers, etc.) is nothing. If your company can not afford this kind of money for proven security solutions, then you're obviously looking at the wrong supplier, or the wrong product fro
Re: Finally some good news!? (Score:1)
Re: Finally some good news!? (Score:2)
Like microsoft. Yeah, that model works really great.
Re: Finally some good news!? (Score:3, Interesting)
Re: Finally some good news!? (Score:2)
Absolutely. Besides, the one-time cost of the hardware is trivial and can be depreciated over the course of a few years. The only issues that really matter are the on-going support costs and the headcount to maintain it.
Re: Finally some good news!? (Score:2)
Re:Finally some good news! (Score:2)
Re:Finally some good news! (Score:5, Insightful)
I hate this sentiment. It doesn't do the network or the business any good to be able to point a finger. It does you some good though, as you're not responsible for it in management's eyes. So, not only are you paying out the arse for support, you're also suffering downtime. Wonderful!
Nobody considers it your fault though, unless you didn't have a good reason for picking your vendor. If everybody thought the vendor was a good one then you're okay. Well, the end of the fiscal year comes around and your department spent all of its money and didn't achieve its goals. The internal IT team sticks their thumbs up their collective asses and points the index finger of their free hand at the vendors. Business conclusion at this point: The department costs too much and provides too little. Outsource it or cut it.
You still lost your job.
Maybe I'm idealistic but it frightens me how many people only do enough to keep their job safe without thinking about the company's benefit as a whole.
Perhaps I'm a bit jaded though. A recent project that I've been working on just illustrates the point that your vendor isn't employing hundreds upon hundreds of Supermen. In fact, their employees might be just damned near retarded sometimes. Their engineers have deadlines to meet and they can't meet those deadlines if you're still finding bugs in their recently released product and demanding fixes for them. It really doesn't matter how much money you put into them -- they're still only human. No amount of cash will change that.
Re:Finally some good news! (Score:2)
damn right. esp. as a lot of these companies have woefully expensive and just generally woeful support anyways. if there is a problem, it's nice to say "it wasn't my fault, I did all I could" but surely it's more important not t
Re:Finally some good news! (Score:2)
Re:Finally some good news! (Score:1)
Amen, brother. Pass the plate.
Re:Finally some good news! (Score:1)
"now we have" (Score:5, Interesting)
this is nothing new.
the nokia IP boxes run IPSO
now, why you'd buy a several thousand dollar p2-450 to begin with, i can't say.
devil's advocate (Score:5, Interesting)
we have a number of nokia's where i work (it's a university
granted, they are based on older hw (p2-450s, early p3s, etc). however, what you're paying for is CYA and management. if it breaks, you call nokia or whomever is responsible for providing support for it.
IPSO does one thing, *very* well. personally, i'm of the opinion of a decently spec'd out box running obsd w/pf, but only because i manage the box. some may like linux with iptables or whatever.
suppose you go the obsd/linux route on an off-the-shelf i386 machine. 1. you buy the machine. 2. you have to pay someone to manage it. rough guesstimation, but i see it a *lot* cheaper to buy a few nokia boxes and pay the fw-1 license fees. my dept is already incurring my salary, so we decided to get an i386 box (dell pe1650), two 4 port ethernet cards, and get on with it. it works great. if that thing breaks though, it's my ass. plus, if i leave, someone will need to know how to manage it. the uni where i work going with nokias
Re:"now we have" (Score:4, Interesting)
Lately, however, I've had differing opinions of Nokia. Why should I pay $4K for an AMD processor and then $1500 a year for support? It's insane! I could take a $4K HPaq DL360 and install Check Point's (free) SecurePlatform on it. Hands down 10000% better performance, and SecurePlatform (RedHat) is a supported Check Point SKU on commodity hardware. A drive pops on an IP330? You're screwed.
The only major benefit I can think of in regards to this article is the Linux/IPSO performance numbers I've read about... I've heard that Linux will hands down outperform IPSO, but have _not_ done any formal testing myself. If I could take an IP330, install RedHat 7.3 (like I have running my management server), and then FW1, plus still have the remote manageability (using the internal modem), I'd think about it. The article doesn't say a thing about the internal modem (an additional option), but I'm betting that it ain't gonna work.
Re:"now we have" (Score:2)
Interesting, but why? (Score:2, Interesting)
Well we'd better put an end to THAT!
Seriously though... What does the checkpoint hardware have to offer? And even if it has something wonderful, wouldn't it make more sense to use, say, FreeBSD on it?
Re:Interesting, but why? (Score:2)
CheckPoint is a software firewall package and nothing more. It will run on many platforms including Nokia devices running IPSO; but it will also run on Linux, Solaris and Windows 2000, just to name a few.
In essence, the Nokia hardware is a security appliance which is optimized for network throughput. IPSO is essentially a hardened BSD; you can run an SSH daemon, a mail server, it also supports cron jobs, etc.
In all respects, getting Linux to run on a Nokia IP device i
Re:Interesting, but why? (Score:2)
Optimized for throughput, how? It's got an AMD K6 chip, so it certainly couldn't have a 64-bit PCI bus... What is it that makes this better than a $200 1GHz+ machine, with a few Tulip network cards?
Not A Big Deal (Score:5, Interesting)
Re:Not A Big Deal (Score:2, Informative)
Good luck getting support on the box from Nokia or a reseller after something like this has been tried, with or without a support contract. You'll be told it's not supported, and nothing can be done.
Re:Not A Big Deal (Score:1)
Re:Not A Big Deal (Score:2)
Re:Not A Big Deal (Score:2)
Oh, expensive hardware never breaks? Good to know that.
Too bad no-one told our Cisco 7513 (enormously expensive when purchased) that went belly-up today and stayed that way through repeated power-cycles, in spite of dual processor cards and redundant power supplies.
Re:Not A Big Deal (Score:2)
Re:Not A Big Deal (Score:2)
But that's not the point. The point is that even famously expensive stuff can break. The support contract adds to the cost. The cheaper stuff might be the better deal if you can buy 2 or 3 of them and have them ready in the event of failure.
Re:Not A Big Deal (Score:1)
I don't get it. (Score:2, Insightful)
WTF IS HE THINKING! (Score:5, Interesting)
I have two of them, and basically they are an AMD 800mhz rack mountable device. Brand new...around $4,0000 without any Checkpoint software/licenses.
IDE drives, and some other typical stuff.
You would be better off buying a Dell PowerEdge rackmountable server with no OS. Or if you are using Checkpoint then save a bunch of money and skip the Nokia solution. Use checkpoint Secure OS (Redhat with lots of limitations) and put it on a Dell with 4 hour replacement. That alone would save you over $2K a year in support contracts with a Nokia Platform, and you get a faster firewall to boot!
So explain to me...WTF IS THE POINT!
Yes, Nokia IP330 are expensive solutions. And Yes so is Checkpoint. But anyone who compares Checkpoint to a Linux Free solution...well I would like to see a comparison of that. The Checkpoint firewall is a complete solution, with plugins to your security needs, and yes you have to pay extra cash to get it all to interact.
The linux solution is hodge podge and not even close to being remotely the same in either quality, or type of solution.
This would be like comparing MS Exchange to Sendmail. Yes, they both send emails. One is very expensive and has some nice options. The other sends mail well and some think it's a better solution. The point being that with Exchange you are not paying for just an email server. It has lots of bells and whistles (don't blame exchange for viruses...Outlook yes, exchange no)
Same with Checkpoint! You are not just paying for a firewall.
So you are going to buy an expensive Nokia IP330 and install linux on it. Very amusing....
Re:WTF IS HE THINKING! (Score:1, Insightful)
IPTables is not an Inspection-type firewall.
So another reason this would not make sense.
Re:WTF IS HE THINKING! (Score:2)
What is true is that CheckPoint's SMLI architecture has a lot of flexibility inherent in its design that Netfilter doesn't. OTOH, I haven't seen anything that uses it. I would have thought that CKPT would have added better support for sophisticated protocols by now (e.g. NetBIOS, NetMeeting, DCE-RPC).
Wrong again (Score:2, Informative)
CP has a language called INSPECT that lets you build any filtering rules you want. That code is compiled into the CP driver which wedges in between layers 2 and 3 on the host's network sta
Re:Wrong again (Score:2)
iptables -I INPUT -j DROP -p tcp -s 101.102.103.104/32 --sport 80 -m string --algo bm --string "GIF89a"   # --algo is mandatory with the mainline xt_string match
OK, that's a bit brutal, and it could do with a "only match between byte ranges xx and yy of the stream", but that'll come, I'm sure (besides, you said "all GIF images", and it's as hard to do that completely [i.e. including GIFs embedded in other file types such as .doc and .tar] and solely with iptables as it
Re:Wrong again (Score:1)
OK, that's a bit brutal, and it could do with a "only match between byte ranges xx and yy of the stream", but that'll come, I'm sure (besides, you said "all GIF images", and it's as hard to do that completely [i.e. including GIFs embedded in other file types such as .doc and .tar] and solely with iptables as it is with INSPECT - using a filtering proxy would be a better approach).
That exactly command in iptabl
Re:Wrong again (Score:2)
But yes, that is a problem with doing it at this layer, rather than with a filtering proxy. To do it properly you need to build all sorts of recursive file decomposition stuff (.doc, .tar, .gz, .zip, etc.) into a kernel module or INSPECT code (ewww!) or your policy ends up being too weak, or too strong. That's probably a hint that this is the wrong place to be performing this kind of filtering.
If all you wanted to
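The exchange above makes two points about signature matching at the packet layer: a rule like the iptables one can only see bytes inside a single segment, and a policy that does not decompose containers (.tar, .gz, .zip, .doc) ends up either too weak or too strong. The following is an added example, not code from the thread or from any project named in it, that makes both points concrete: a per-segment match that misses a signature split across a segment boundary, a string match that fires on a README merely mentioning "GIF89a", and the recursive container walk a filtering proxy needs, with a nesting limit so that undecodable input is reported rather than silently passed. All sample data is constructed in the file; the helper names are this example's own.

```python
"""Added example (not code from the thread): why a packet-layer byte
signature is the wrong place for a content policy, and what a filtering
proxy has to do instead. Every input below is constructed in this file;
nothing is read from the network. Helper names are this example's own."""
import gzip
import io
import tarfile
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Constructed samples: a minimal GIF header plus filler, and a text file
# that merely talks about GIFs (a false positive for a naive string match).
GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + bytes(16)
TEXT = b"README: every GIF file starts with GIF87a or GIF89a\n"


def segment(data, size):
    """Split a byte stream into fixed-size chunks, standing in for TCP segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def packet_match(segments, needle=b"GIF89a"):
    """Per-segment search, like a stateless string match: a signature that
    straddles a segment boundary is never seen."""
    return any(needle in seg for seg in segments)


def stream_match(segments, needle=b"GIF89a"):
    """Search the reassembled stream, which is what a proxy gets to see."""
    return needle in b"".join(segments)


def is_gif(data):
    """A real GIF carries the magic at offset 0; the same bytes elsewhere
    (e.g. inside a README) do not make the object a GIF."""
    return data[:6] in GIF_MAGICS


def find_gifs(data, path="payload", depth=0, max_depth=4):
    """Recursively open gzip, zip and tar containers and return the virtual
    paths at which GIF data is found. Anything that cannot be decoded
    (nesting limit, corrupt container) is reported as well, so the policy
    can fail closed instead of silently passing it."""
    if is_gif(data):
        return [path]
    if depth >= max_depth:
        return [path + " [undecoded: nesting limit]"]
    try:
        if data[:2] == b"\x1f\x8b":                      # gzip member
            return find_gifs(gzip.decompress(data), path + "!gunzip",
                             depth + 1, max_depth)
        if data[:4] == b"PK\x03\x04":                    # zip local file header
            hits = []
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    hits += find_gifs(zf.read(name), f"{path}!{name}",
                                      depth + 1, max_depth)
            return hits
        if data[257:262] == b"ustar":                    # tar (ustar/pax/gnu)
            hits = []
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
                for m in tf.getmembers():
                    if m.isfile():
                        hits += find_gifs(tf.extractfile(m).read(),
                                          f"{path}!{m.name}", depth + 1, max_depth)
            return hits
    except (OSError, EOFError, zipfile.BadZipFile, tarfile.TarError):
        return [path + " [undecoded: corrupt container]"]
    return []


def make_tar(members):
    """Build an uncompressed tar archive from {name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_samples():
    """Constructed payloads: the GIF wrapped as zip -> tar.gz -> tar -> file,
    and the same GIF under five gzip layers to trip the nesting limit."""
    tgz = gzip.compress(make_tar({"a/pic.gif": GIF}), mtime=0)
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("img.tar.gz", tgz)
    deep = GIF
    for _ in range(5):
        deep = gzip.compress(deep, mtime=0)
    return {"gif": GIF, "text": TEXT, "nested": zbuf.getvalue(), "deep": deep}


if __name__ == "__main__":
    s = build_samples()
    segs = segment(b"xxxx" + s["gif"], 4)            # magic split across segments
    print("per-packet:", packet_match(segs), " stream:", stream_match(segs))
    print("README: string match", stream_match([s["text"]]), " decomposed", find_gifs(s["text"]))
    print("archive: string match", stream_match([s["nested"]]), " decomposed", find_gifs(s["nested"]))
    print("five gzip layers:", find_gifs(s["deep"]))
```

The split-segment case is the "too weak" side of the argument (any stateless byte match on segments misses it, and compression defeats it entirely); the README case is the "too strong" side (the string is present, the content is not a GIF). The decomposition walk is what moves the decision to the right layer, and the explicit nesting limit is the caveat a proxy operator wants, since unbounded recursion into archives is its own denial-of-service problem.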
Re:Wrong again (Score:1)
Write me an INSPECT rule.
I can't see how this is done, except by using the Security Servers, which are proxies. (and god-awful proxies, besides)
re: CheckPoint (Score:1)
Licensing and pricing suck, but it sure is nice to quickly push a firewall policy to several endpoints at once. Failover solutions are hella easy also.
(Although typing in "failover" on PIX [cisco.com] is hella nice)
Re: CheckPoint (Score:1)
Re: CheckPoint (Score:2)
Re: cisco's vrrp patent (Score:1)
(based on this mail [gmane.org] on the ietf vrrp mailing list)
Re:how about the ip650? (Score:2)
I would recommend unscrewing the hard drive from the C-PCI adapter board, and using an IDE adapter to plug it into a standard PC. As long as the drive is active, it *should* work when put into the 650. The problem with that machine is that the VGA connector is impossible to get to when the case is assembled. (and it needs to be assembled in
Re:how about the ip650? (Score:1)
The bootloader must be on the CF card at
Joe
Re:how about the ip650? (Score:1)
CF installed as
dd if=bootnet.img of=/dev/sda
Then put the CF card back in the 650, boot it, and run the ftp based install from your local ftp server. Make sure when you format your drives that you put
Joe
It's not even a hack anymore (Score:3, Insightful)
Running an OS isn't something to crow about.
Neither is replacing a BSD with Linux.
IPSO is More than Security (Score:4, Interesting)
Re:IPSO is More than Security (Score:5, Informative)
these three things and the management system make ipso a good software routing platform.
which doesn't really offset the cost of what is a pretty sluggish pc
But WHY? (Score:5, Insightful)
But why would I want to run it on a Nokia box? Typically, firewall vendors sell the box's hardware and software support together. So, if you're not paying the software support, you have no hardware support. If you're using Linux to save costs, and it fries its power supply, you're SOL.
For the amount of CPU power that you get in the Nokia, you're better off if you buy a good, high-quality PC (We use Dell PowerEdge), throw a few NICs in it, and run Linux on it. The PC will be cheaper, include hardware support, and be easily field-serviceable by any PC tech.
Re:But WHY? (Score:1)
C'mon, if you're gonna troll, at least try.
Re:But WHY? (Score:1)
Well, in case of network infrastructure there are no PCs at all (for serious company). And vendors are Cisco, Foundry, NOKIA, Juniper, Nortel etc...
Re:But WHY? (Score:1)
Having a support plan is important. Purchasing support from Cisco or Nokia is one option. For many situations, we are finding that an organized, thought out self-support plan for an open source solution is providing better quality support than the commercial vendors can provide
Re:But WHY? (Score:2)
Re:But WHY? (Score:1)
If you're using Linux to save costs, and the hardware fries its PSU, how will they find out before they replace the PSU and try to power the unit up again?
I know they probably ask questions like that, but until the hardware boots up, they only have your say-so as to what's installed on it.
What's the point? (Score:2, Insightful)
Also, given the very high cost of these boxes, and the fact that (with FW resource usage so low) they won't become obsolete any time soon, why not just leave it alone? How does this save anyone any money?
Nokia IP440 running Windows 98 (Score:3, Interesting)
On the Nokia series, you pay a premium for A) Nokia's OS (NetBSD-based, I believe, which has VRRP for failover), B) its interoperability w/programs like CheckPoint and ISS, and C) being able to rack it.
WAY too much of a premium, in my opinion. When the sales guys at the VAR I was at tried to push them on all our customers, I quietly directed them all to PIXen or OpenBSD.
Re:Nokia IP440 running Windows 98 (Score:1, Interesting)
Re:Nokia IP440 running Windows 98 (Score:1, Interesting)
DMCA? (Score:1, Funny)
I mean you just hardware hacked a device to make it work.
For example spoofing the NIC's that were designed to work only with an IPSO solution.
Just a thought....
Dude! You're going to jail!
Next time buy a Dell-
Compiler -- on a firewall? (Score:5, Interesting)
> Once the new partition table is saved there is no going back; both IPSO and Check Point FW-1 are gone.
Of course, if I were the one doing the installation I'd back up the original drive contents so I could always go back to the original configuration (in case of a screw up, or if I wanted to sell the unit on eBay, etc.) It's only 8 Gb...
> When it comes time to install the various packages, select only Network Support and then go into the Select Individual Packages section and add GCC, autoconf and ncurses.
GCC on a firewall box?! Sounds like a new tool of terror for the scrip7 kiddies.
Nice article though. Nothing like putting the screws to those closed source, code hoarding, proprietary software vendors.
Re:Compiler -- on a firewall? (Score:2)
This seems to be a common misconception. Cutting down software present on a fw brings you NO extra security. Even if you're running it from read-only media it makes no difference, because you'd still need som
Re:Compiler -- on a firewall? (Score:1)
And don't come telling me that it's worth something to prevent most script kiddies, because that's just not true for two things
1) preventing only some crackers, however large portion of them, is not
Re:Compiler -- on a firewall? (Score:1)
I've thought about this.. Not enough $$ to start (Score:1, Interesting)
My idea is to have a small box (running a via cpu) and have 3 nics in it. Let's call them eth0, eth1, and eth2. Eth0 and Eth1 would be a frame and packet discriminatory firewall capable of maintaining quotas. The quotas would be set up in user/group/all settings which would bind MAC or IP for quota s
WatchGuard Next? Please? (Score:1)
Hey, WatchGuard has been running on a Linux 2.x kernel for a while now - - sure would be nice to be able to put their software on a box of my choosing. Their stuff is pretty pricey . . .
Too bad I'm not a real coder, maybe I'd try it myself. As firewalls go, WatchGuard's a pretty good one.
Why do this? (Score:5, Insightful)
This article brings up the question: why would anyone consider installing Linux on the Nokia appliance? The answer: they wouldn't. Here are the reasons.
1. If the hardware is used/old, it is outdated by today's standards. For $800 including hardware support you can get a nice rackmount Dell server and run Linux on it. The performance boost would be many many times what you can get on the Nokia.
2. The Nokias hold their resale value better than a system with the same hardware specs. An older 330 can still fetch a decent amount on eBay. Right now, there is one that has a buy-it-now price of $1,199.00. Why do you want an AMD 233 with no hardware support when you can sell it and buy yourself an 850MHz Celeron with support and then pocket $300?? It doesn't make sense.
3. Presumably, if you already have the Nokia then you have Check Point as well. Why ditch it for the Linux firewall? The management, logging, and OPSEC features of Check Point outweigh the benefits of switching to Linux.
I think the Nokia/Check Point solution is great. I just don't think that trying to run an unsupported OS on the platform is worth it. Look at the cost/benefit of a new system. It makes a lot more sense to "budget-strapped IT departments."
-shox
The poster must be joking... (Score:5, Informative)
Second, you'd be crazy to ditch Checkpoint FW1 for iptables. I run a few FW1's at work, and have Linux+iptables at home, but I'd never exchange the two. Try to create a distributed, system-wide network policy with 5 clustered (stateful failover capable) enforcement points, some of which are doing CVP-based email antivirus on the fly, and tell me how easy it is with Iptables. And, get it to NAT Oracle sqlnet v2 sessions when someone decided not to run it on port 1521 "for added security" (aargh).
Third, you don't *have* to pay for a yearly support contract, but usually you *want* to. You have an initial cost depending on the FW1 license (50-node, 250-node or unlimited) and then you keep paying for two things called support and accountability, which matter a lot in the business sector. And that's exactly why Linux, to really flourish in the business sector, at the moment has more need of companies professionally supporting it (for $$$) than developers.
Don't get me wrong, I am a loyal, happy, avid Linux supporter and make my living out of it. I love Slackware and have come to rely on it like I could do with nothing else, but from the AC's comment it looks like he really got it totally wrong and never wondered *why* someone should pay for a professional product.
Re:The poster must be joking... (Score:1)
Re:The poster must be joking... (Score:1)
To turn a Nokia IPSO/Checkpoint firewall into a Linux based firewall would be downright silly.
I used to work for a company doing Nokia IPSO/Checkpoint firewall management. My job was a dream there because of how well the system is put together.
I've never seen any specs on how well iptables handles connections, and I would imagine it would depend greatly on how well your system is set up, but I've seen a Nokia IP440 running I
WTF is the point? This is what the point is... (Score:1)
Not to mention you usually need to upgrade the IPSO when you upgrade to the l
Worst of both worlds (Score:1)
Get the half-assed Linux support of Checkpoint
together with the sub-par performance of the overpriced IP330. Now THAT's a real good point...
Bootmgr (Score:1)
Opinions from LOTs of experience... (Score:3, Interesting)
In terms of support, everyone here is right - stick with IPSO so you don't void your warranty! Nokia IPSO is a great os for Check Point, and supports all the features Check Point supports (except the Reporting Module server - its Wind0ze only - well until NG FP4...
I have a few customers that have installed Secure Platform (customized, hardened RedHat 7.2 with a shell to ease administration - in NG FP4 contains a web gui similar to their SOHO Home products) All of these customers have expired hardware contracts so its no big deal to them. The IP330 and IP440 are quite out-dated now... Netfilter does not need much power though
I agree CheckPoint is a little pricey, but they have a feature set that nothing else touches.. yet... Cool stuff, like single-sign on transparent authentication with user logging, and centralized logging with a decent gui with reporting features. (all for a price...)
My only beef with the product is NO LINUX GUI! aarrgg... At least i can run Windows in a VM on Linux and OSX... (well, i also don't like the fact that it is closed source, but i can't do much about that...)
As for the Boot Manager, you can safely wipe that out on the IP330 if you're going to Linux... Its similar to the
Wouldn't it be nice if there was a decent, cross-platform gui for distributing Netfilter rulebases to multiple Linux firewalls with a centralized logging database and a nice PHP/MySQL frontend for reporting...
Ralph Bonnell - CISSP, LPIC-2, CCSI, CCSE+, CCNA, RSA/CSE, CSFE, MCSE 2000
Re:Opinions from LOTs of experience... (Score:2)
Re:Opinions from LOTs of experience... (Score:2)
Keep in mind that the Solaris Motif GUI costs 1000$ per firewall, and is licensed on the firewall. (not the client itself) Which means that in a reseller scenario, I would have to sell every one of my customers that 1000$ Motif GUI license
Ca$h Money (Score:2)
Well, the choice actually is, pay another company to maintain/support it, or pay a linux geek in-house to do it. I would argue that for many reasons, the former is more economical than the latter. If you pay for a support contract, you benefit from the econom
Re:Ca$h Money (Score:1)
Why I run RH on Nokia IP650's. (Score:2, Interesting)
Having seven of these IP650's sitting on a shelf, I had to wonder... what can I use them for??? Then it hit me... I need RMON type probe capabilities in my call centers around the country, and with the four port NIC's installed, these might make good candidates.
I pull the compact flash card from the 650, put it in my reader on my
Someone must have finally gotten it to work (Score:2)
Re:What about a VPN (Score:1)
http://www.allard.nu/openbsd