Introducing the Nokia IP Series Appliances


In this chapter we look at the specifications and uses of the six enterprise models. Each model offers something that the others don't, although, of course, the higher-numbered models are considerably more expensive than the lower-numbered models.

You need to choose the model that is right for your network architecture based on your answers to the following questions. Where a model is specified, you can assume that all higher-numbered models support the desired feature, except for RAID-1, which is unique to the IP400 series. Now ask yourself these questions:

  • Do I need direct WAN connectivity? If you do, you need at least an IP330.

  • Do I need VPN capability? If you do, you need at least an IP71. The IP71 is part of Nokia's SOHO suite of appliances, which have varying user interfaces and are not discussed here.

  • Do I need Gigabit Ethernet capability? If you do, you need at least an IP530.

  • Do I need hot-swappable or redundant components? If you do, you need at least an IP650.

  • Do I need more than five Ethernet ports? If you do, you need at least an IP410.

  • Do I have more than 50 network devices that need firewall protection? If you do, you need at least an IP120.

  • Do I need VPN hardware acceleration? If you do, you need at least an IP330.

  • Do I want SSH remote access capability? If you do, you need at least an IP71.

  • Do I want hardware RAID-1 (mirroring) capability? If you do, you need an IP440 or an IP410.

Enterprise Models

Nokia's Enterprise models all come bundled with full versions of Check Point's FW-1/VPN-1 software, as well as full versions of ISS's intrusion detection software, RealSecure. In addition, they all offer dynamic routing protocols and other routing configuration features (including VRRP for fail-over configurations), so firewall network integration does not have to include a separate router in most cases. Apart from the IP120, all in this series are upgradeable to varying degrees, since they are essentially PCs with off-the-shelf components and Nokia's IPSO operating system. Remember that although firewall and IDS software comes bundled with the Nokia, you still need to purchase a license from the vendor or a reseller prior to using the product. Both Check Point and ISS offer time-limited evaluation licenses for those who want to test implementations prior to purchase.

IP120

The IP120 strikes a good balance among features, performance, and cost for the small to medium-sized office. It is the first in the IP series of appliances to run on the IPSO operating system, and it is the first to support the full version of Check Point's FW-1. With 128MB of RAM, it is also able to handle full Check Point Next Generation (NG) installations. It is also the first appliance to support dynamic routing protocols through the IPSO routing daemon and has all the "standard" remote access protocols implemented, including File Transfer Protocol (FTP), Secure Shell (SSH), and Hypertext Transfer Protocol/Secure Hypertext Transfer Protocol (HTTP/HTTPS). As stated earlier, the IP120 is not upgradeable as the other models are; it has the small form factor of a SOHO appliance but with more features, including the following:

  • Three on-board 10/100 Ethernet ports

  • Two serial ports (AUX and console)

  • 128MB RAM

  • A National GX1, 300MHz CPU

  • Static routing capability

  • Dynamic routing, including RIP ng, OSPF, IGMP, VRRP, and optionally IGRP and DVMRP (the latter two require purchase of a license)

  • BOOTP/DHCP relay capability

  • IPv6 support

  • SNMP v3 support

  • Telnet, FTP, HTTP/HTTPS, and SSH servers

  • Full version of Check Point FireWall-1, including full remote and site-to-site VPN capabilities

  • Full version of ISS RealSecure

IP330

The IP330 is the first in the IP series that adds wide area network (WAN) support to its list of features. Supported protocols include Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), asynchronous transfer mode (ATM), Integrated Services Digital Network (ISDN), V.35/X.21, T1/E1, HSSI, and Fiber Distributed Data Interface (FDDI). A two-port Ethernet card can be added, giving the IP330 a maximum of five Ethernet interfaces. An analog modem can be added for remote, out-of-band management, and a virtual private network (VPN) hardware accelerator card is available. An internal analog modem is standard through the built-in RJ-11 port.

The IP330 has a small footprint and is rack-mountable in standard 19-inch racks, where it will only take up one unit of space. Along with the IP330's support for VRRP, this makes it ideal for stacked, fail-over implementations in small or medium-sized businesses where space is at a premium. Let's take a look at the specifications for the IP330:

  • Three on-board 10/100 Ethernet ports

  • 256MB RAM

  • K6-2, 400MHz CPU

  • Console port, RJ-11 port

  • Static routing

  • Dynamic routing, including RIP ng, OSPF, IGMP, VRRP, and optionally IGRP, BGPv4, and DVMRP (the latter three require purchase of a license)

  • BOOTP/DHCP relay capability

  • IPv6 support

  • SNMP v3 support

  • Telnet, FTP, HTTP/HTTPS, and SSH servers

  • Full version of Check Point FireWall-1, including full remote and site-to-site VPN capabilities

  • Full version of ISS RealSecure

  • WAN support

  • One compact PCI slot for add-ons

  • 1U rack-mountable

IP400 Series

The IP400 series consists of three models: the IP440, the IP410, and the IP400. None of the appliances in the IP400 series is currently available for purchase from Nokia, although they were quite popular at one time and many 400 series deployments are still in use. Nokia will continue to support the existing IP400 series user base for the foreseeable future. The IP400 and the IP410 differ only in the processor they are built around—a high-end Pentium II or a low-end Pentium II, respectively. The latest IP440 models shipped with a Pentium III processor.

Both models come with a CD-ROM drive and a diskette drive. They are distinguishable from all of the other Nokia IP models in that they have no boot manager, meaning that certain upgrades must be done using a boot diskette.

Note

A boot manager, sometimes called a boot loader, is a small program that runs just after system startup but before the operating system kernel is loaded into memory. Its main function is to load the kernel from disk into memory, which then handles normal system startup and initialization. Nokia's boot manager has gone through several changes over the years and has been present on the system hard drive, a specially formatted diskette drive, or (most recently) in flash memory, the latter to ease upgrades and provide some measure of resiliency in the event of a hard disk crash. The boot manager will, if left unattended, simply bootstrap the system with the default kernel image, but the process can be interrupted and given options from a rudimentary command shell. This functionality is typically useful, for example, to boot into "single-user" or non-networked mode for system maintenance.

No Ethernet interfaces come standard with the IP400 series; typically, at least one four-port Ethernet Quad Card is purchased, although the four PCI slots allow up to 16 Ethernet interfaces, if you choose to use that many. WAN options are the same as for the IP330: PPP, Frame Relay, HDLC, ATM, ISDN, V.35/X.21, T1/E1, HSSI, and FDDI protocols are supported.

An analog modem can be added for remote, out-of-band management, and a VPN hardware accelerator card is available. The IP400 series also provides for optional hardware RAID configuration, but only RAID Level 1 (disk mirroring) is available. Here are the specifications for the IP400 series:

  • Console and auxiliary serial ports

  • 256MB RAM standard, upgradeable to 768MB RAM

  • PIII, 600MHz CPU

  • Static routing

  • Dynamic routing, including RIP ng, OSPF, IGMP, VRRP, and optionally IGRP, BGPv4, and DVMRP (the latter three require purchase of a license)

  • BOOTP/DHCP relay capability

  • IPv6 support

  • SNMP v3 support

  • Telnet, FTP, HTTP/HTTPS, and SSH servers

  • Full version of Check Point FireWall-1, including full remote and site-to-site VPN capabilities

  • Full version of ISS RealSecure

  • WAN support

  • Four PCI slots

  • 3U rack-mountable

  • CD-ROM and diskette drives

  • Hardware RAID-1 available

IP530

The IP530 is the first in the IP series of appliances to support Gigabit Ethernet. As in the IP400 series, a maximum of 16 Ethernet interfaces are possible with the four on-board interfaces and the three PCI expansion slots. One internal PMC slot can be used for VPN hardware acceleration, leaving the PCI slots free for network interfaces if needed. WAN options are the same as for the IP330 and IP400 series: PPP, Frame Relay, HDLC, ATM, ISDN, V.35/X.21, T1/E1, HSSI, and FDDI protocols are supported. Two Type II PCMCIA slots have been added for analog modem support.

The IP530 is meant to be a high-density port device, meaning that it is useful in situations in which many network interfaces are required. The on-board Ethernet ports offer slightly more throughput than network interface devices added through the PCI bus (and consequently, the IP530 has a slightly higher interface throughput than the IP650); when coupled with Gigabit Ethernet support, this model is useful for large businesses that have high throughput requirements but do not need the carrier-class features of the 600 or 700 series. The specifications for the IP530 are as follows:

  • Four on-board 10/100 Ethernet ports

  • Console and auxiliary serial ports

  • 256MB RAM standard, upgradeable to 768MB RAM

  • PIII, 700MHz CPU

  • Static routing

  • Dynamic routing, including RIP ng, OSPF, IGMP, VRRP, and optionally IGRP, BGPv4, and DVMRP (the latter three require purchase of a license)

  • BOOTP/DHCP relay capability

  • IPv6 support

  • SNMP v3 support

  • Telnet, FTP, HTTP/HTTPS, and SSH servers

  • Full version of Check Point FireWall-1, including full remote and site-to-site VPN capabilities

  • Full version of ISS RealSecure

  • WAN support

  • Three compact PCI slots (Gigabit Ethernet available)

  • Two Type II PCMCIA slots

  • 2U rack-mountable

IP650

The IP650 is one of Nokia's high-end firewall appliances, and it is the first in the IP series to offer carrier-class features such as hot-swappable PCI slots, fan trays, and power supplies. The IP650 does not have any on-board Ethernet ports but has five PCI slots, and so can have a maximum of 20 Ethernet interfaces. Gigabit Ethernet is supported as well.

You can use an on-board Peripheral Component Interconnect (PCI) mezzanine card, or PMC, slot (see the sidebar "What Is a PMC slot?") for a VPN accelerator card, freeing PCI slots for network interfaces. WAN support is similar to previous models, with PPP, Frame Relay, HDLC, ATM, ISDN, V.35/X.21, T1/E1, HSSI, and FDDI protocols supported. Two Type II PCMCIA slots have been added for analog modem support.

Note

PMC is short for PCI mezzanine card, and the PMC slots that Nokia refers to in its documentation are simply PCI slots that allow an expansion card to be plugged in so that it is parallel rather than perpendicular to the motherboard. Because any PCI card you plug into a PMC slot is parallel to the board, it takes up less vertical space. For that reason, these slots are used frequently in high-density devices and smaller rack-mount devices in which space is at a premium. Nokia uses them in their 600 and 700 series devices.

According to Nokia, the IP530 has a slightly greater network interface throughput than the IP650, merely because the IP530 was designed with on-board Ethernet ports that do not need to access the PCI bus. This makes the IP650 suitable for large businesses that are more concerned about reliability than throughput. Organizations that want both will be satisfied with the 700 series, described in the following section. Here are the specifications for the IP650:

  • Console and auxiliary serial ports

  • 256MB RAM standard, upgradeable to 1GB RAM

  • PIII, 700MHz CPU

  • Static routing

  • Dynamic routing, including RIP ng, OSPF, IGMP, VRRP, and optionally IGRP, BGPv4, and DVMRP (the latter three require purchase of a license)

  • BOOTP/DHCP relay capability

  • IPv6 support

  • SNMP v3 support

  • Telnet, FTP, HTTP/HTTPS, and SSH servers

  • Full version of Check Point FireWall-1, including full remote and site-to-site VPN capabilities

  • Full version of ISS RealSecure

  • WAN support

  • Five hot-swappable PCI slots (Gigabit Ethernet available)

  • Hot-swappable fan trays

  • Hot-swappable, redundant power supply optional

  • Two Type II PCMCIA slots

  • 2U rack-mountable

IP700

The IP700 series consists of the IP710 and the IP740. Both offer the IP650's carrier-class features such as hot-swappable PCI slots, fan trays, and power supplies.

The IP700 series has four on-board 10/100 Ethernet interfaces and four PCI slots, and so can have a maximum of 20 Ethernet interfaces. Gigabit Ethernet is supported as well. The main difference between the 700 models and the previous ones is firewall throughput; Nokia claims that speeds of over 2GB per second are possible with the IP740. (See Table 17.1 for more information.)

An on-board PMC slot can be used for a VPN accelerator card, freeing PCI slots for network interfaces. WAN support is similar to previous models, with PPP, Frame Relay, HDLC, ATM, ISDN, V.35/X.21, T1/E1, HSSI, and FDDI protocols supported. Two Type II PCMCIA slots have been added for analog modem support.

The IP700 series is designed for the largest businesses that demand both performance and reliability. Let's take a look at the IP700 series specifications:

  • Four on-board 10/100 Ethernet ports

  • Console and auxiliary serial ports

  • 512MB RAM standard, upgradeable to 1GB RAM

  • PIII, 866MHz CPU

  • Static routing

  • Dynamic routing, including RIP ng, OSPF, IGMP, VRRP, and optionally IGRP, BGPv4, and DVMRP (the latter three require purchase of a license)

  • BOOTP/DHCP relay capability

  • IPv6 support

  • SNMP v3 support

  • Telnet, FTP, HTTP/HTTPS, and SSH servers

  • Full version of Check Point FireWall-1, including full remote and site-to-site VPN capabilities

  • Full version of ISS RealSecure

  • WAN support

  • Four hot-swappable PCI slots (Gigabit Ethernet available)

  • Hot-swappable fan trays

  • Hot-swappable, redundant power supply optional

  • Two Type II PCMCIA slots

  • 2U rack-mountable




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
