Based on the Unix-derived Nokia IPSO operating system, running on an Intel Pentium II platform, the IP650 comes bundled with Check Point Software Technologies' popular firewall product, FireWall-1.
Although some people might question the allure of an appliance-based approach, anyone who has been under the gun supporting mission-critical firewalls when one of them decides to keel over will most likely jump on this bandwagon. The IP650 has several advantages over traditional firewall installations. The two that stand out are a simple approach to restoring failed units and a prehardened, as well as prepatched, operating system. It should be noted, however, that such benefits come at a price: Nokia releases recompiled versions of FireWall-1 only after official Check Point releases. This delay puts Nokia builds of FireWall-1 a little behind on the upgrade cycle, though in the past Nokia customers have been shielded from bugs Check Point has missed.
Although the Nokia IP650 has been shipping for some time, it took us a while to get our hands on one. But as soon as I received the unit, I began its integration into our production network. Unfortunately, replacing the existing Cisco Systems PIX firewall proved to be a bit more challenging than I had anticipated, primarily because of some ambiguous documentation that shipped with the IP650. But I'm not sure I can blame Nokia for this one: It seems the entire computer industry has gone the route of cheap labor when it comes to accurate documentation efforts.
Voyager Takes Flight
Once I had the IPSO image installed, I was able to access the unit via its Network Voyager Web-based interface. Network Voyager serves as the primary method for configuring IPSO and the Nokia unit. It does not, however, replace the Check Point-supplied administrator GUIs. From Network Voyager I was able to configure everything from routing protocols to interface addressing to VRRP (Virtual Router Redundancy Protocol) options. The IP650 supports OSPF, RIP, IGRP (Interior Gateway Routing Protocol) and BGP (Border Gateway Protocol). This is quite a refreshing approach to firewall management, and I think most administrators will take to it fondly. However, I was a little disturbed by the lack of SSL (Secure Sockets Layer) support when accessing the Network Voyager interface. I was forced to log in over plain HTTP, transmitting user names and passwords unencrypted. Nokia informed me that the credit for this "feature" (or lack thereof) goes to U.S. encryption laws.
Fortunately, command-line junkies and paranoid administrators will take comfort in the fact that the IP650 does come with an ssh daemon, and you can use Lynx to access the Web interface over an encrypted ssh tunnel. This combination avoids the clear-text password issues, but isn't as aesthetically pleasing.
After I completed the initial IPSO configuration, I moved on to the FireWall-1 configuration. This was fairly painless after I shredded the remaining traces of the Nokia-supplied documentation that had led me awry. Once the Check Point firewall module was installed and configured, I pushed a firewall rule set to the unit from my Check Point firewall management console, just as you would with any other Check Point FireWall-1 platform. The IP650 appears to integrate into existing Check Point environments seamlessly.
Fit and Trim Design
ISPs and organizations operating remote offices will particularly like the IP650's compact and modular design. The back of the 2U-sized unit allows for redundant power supplies, while the front of the unit supports hot-swappable hard drives and an assortment of other cards. The unit I tested came with a quad Ethernet card and a removable PCI drive, and there were still four slots to spare.
Another plus is the fact that I could rebuild and reconfigure a firewall in about 20 minutes--the time it takes to restore the IPSO image and configuration files from the network. For anyone who has gone through the mind-numbing process of installing an operating system and then the 10 billion service packs, hot fixes or patches, the IP650's rebuild--simplicity in itself--comes as a welcome surprise. Upon hardware failure you simply slap in a replacement part, or even an entirely new IP650 unit, restore the IPSO image and the firewall rule set, and you're ready to go.
The IP650 also boasts a wide range of interface types--everything from Token Ring to ATM to actual CSU/DSU and V.35 support. Nokia also claims to do some high-availability VPN (virtual private networking) support. With a Pentium II under the hood, a solid OS, and an industry-standard firewall package, the IP650 is a real workhorse. I think our Cisco PIX just "got lost."
Greg Shipley is a Chicago-based consultant. Send your comments on this article to him at gshipley@neohapsis.com.