Administration Made Easy


You will need to configure your Nokia when you unpack and initially install it, and you should maintain that configuration throughout the life of the device, perhaps with updates and modifications. When you think about it, administering a production firewall or other network-critical device can be quite time-consuming. You have to worry about security hotfixes, OS upgrades, software patches, and routing configuration changes, and that's just for starters. We're not even mentioning the day-to-day problems that can arise and interfere with your plans. You will find that Nokia has made this process quite easy, relatively speaking.

The initial configuration of the NSP is even easier than it was in the past. Previously, you had to set up a console connection to the device for first-time boot, at which time you entered device hostname and interface information, allowing a network connection to be established so that you could complete the configuration. Starting with IPSO 3.5 FCS 6, the Nokia device has a built-in Dynamic Host Configuration Protocol (DHCP) client and will configure a network interface on its own when booted for the first time, assuming you have a DHCP server available. (Actually, any time the device boots and finds a missing or invalid global configuration file, it will initiate the first-time boot sequence.) Once you have an interface configured, Nokia's Web-based administrative interface, the Voyager, can be used for just about anything you need to do as an administrator, including point-and-click operating system and firewall software upgrades (see Figure 17.1).

Figure 17.1: Interface Configuration Through the Voyager Web Interface

For administrators who don't like to maintain one device at a time, Nokia has a product called Horizon Manager that enables remote, centralized upgrades and maintenance of multiple devices simultaneously. Some of the things you can do with Horizon Manager include OS upgrades, hotfix applications, system backups, firewall configuration, and remote command execution.

If you only have a console connection to your Nokia device or you're someone who likes to live at a command prompt, you won't be disappointed. Voyager can be used over a console connection from the IPSO shell with the text-mode browser Lynx (see Figure 17.2).

Figure 17.2: Package Management Through the Lynx Interface

A command-line tool called iclid can be used to show and monitor various configuration settings. iclid has a syntax quite similar to that of Cisco's Internetworking Operating System (IOS) command shell and offers the nice feature of tabbed command completion and command history display present in most modern UNIX shells. See Figure 17.3 for more details.

Figure 17.3: Displaying VRRP Status Using iclid

Because IPSO is based on UNIX and boots into a standard C-shell (csh), UNIX power users will feel quite at home here (see Figure 17.4). Beware, though, that changes made through standard command-line utilities such as ifconfig or route or edits to system configuration files will not normally persist across system reboots or even across changes made with Voyager. However, there are ways to use the standard tools to make permanent changes.

Figure 17.4: Output of Common Shell Commands

Finally, Nokia has gone to some effort to harden the IPSO operating system and provide a solid and secure basis from which to run a firewall, IDS sensor, or router. IPSO itself is based on FreeBSD UNIX and has been pared down in size to about 30MB. The root partition is mounted read-only; unnecessary network services have been turned off; no compiler, development tools or libraries are present (with the notable exception of GDB, the GNU debugger, which is useful for crash analysis); and the hard drive is partitioned for you in a sane and sensible fashion. There are very few UNIX manual pages, and, as you might expect from a 30MB OS, all but the most essential system binaries are gone.
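The hardening properties listed above (read-only root, no compiler or build tools, GDB retained) can be verified from the shell. The script below is an added example, not code from the book or from Nokia; it assumes a POSIX sh and `mount` output in the BSD "dev on /mountpoint (opts)" form, the tool-name list is an illustrative assumption, and the sample mount lines are constructed.

```shell
#!/bin/sh
# root_is_readonly: reads `mount` output on stdin; succeeds only if "/" is
# listed and carries the read-only flag (BSD "read-only" or Linux "ro").
root_is_readonly() {
    awk '$2 == "on" && $3 == "/" {
             found = 1
             if ($0 ~ /[(, ](read-only|ro)[,)]/) ro = 1
         }
         END { if (found && ro) exit 0; exit 1 }'
}

# list_dev_tools <dir>...: prints compilers and build tools found in the dirs.
# The tool names are an assumed list. gdb is deliberately excluded because
# the text says it is kept for crash analysis.
list_dev_tools() {
    for dir in "$@"; do
        for tool in cc gcc g++ c++ cpp as ld make; do
            if [ -x "$dir/$tool" ]; then echo "$dir/$tool"; fi
        done
    done
    return 0
}

# hardening_report <mount-output> <dir>...: one PASS/FAIL line per check.
hardening_report() {
    mounts=$1; shift
    if printf '%s\n' "$mounts" | root_is_readonly; then
        echo "PASS root filesystem is read-only"
    else
        echo "FAIL root filesystem is writable or not listed"
    fi
    tools=$(list_dev_tools "$@")
    if [ -z "$tools" ]; then
        echo "PASS no compiler or build tools found"
    else
        echo "FAIL development tools present:"; echo "$tools"
    fi
}

# Constructed sample in BSD mount format (not captured from a real device).
SAMPLE_MOUNTS='/dev/wd0f on / (ufs, local, read-only)
/dev/wd0e on /var (ufs, local)'

# On a live system: hardening_report "$(mount)" /bin /sbin /usr/bin /usr/sbin
hardening_report "$SAMPLE_MOUNTS" /nonexistent-example-dir
```

A FAIL on either check after an upgrade or package install is a signal that the appliance has drifted from the baseline the text describes.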




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
