A firewall is a major network component; if it goes down for any reason, or incorrectly passes or blocks traffic, many services and users are affected. The worst scenario is a firewall that suddenly starts passing undesirable traffic. Do you want your firewall updated automatically without knowing exactly what is being put on it? What if the update is corrupt and stops all scanning?
In many cases, a firewall is the defense for a network. Can you afford not to use every available technology to block hostile attacks on your infrastructure? As a system administrator, do you have the time to manually examine every definition update and then manually install it? Would you recognize a corrupt update if you saw one? Your data is extremely valuable; even a minor breach could wreak havoc. You must use every available measure to protect it.
You must evaluate your environment, the risks of exposure, the cost of a security breach, and the cost of a firewall failure (both failing open and closed).
Automatic updates are always a double-edged sword. When they work, they provide the most comprehensive detection of hostile traffic available. When they fail, they can leave you more vulnerable than if you had not scanned in the first place. Most vendors are well aware of their responsibility to provide accurate and completely automatic updates; therefore, the worst-case scenario rarely happens.
Device Architecture
The SonicWALL firewall connects all of its components together using a high-speed bus configuration. The product line also utilizes a cryptographic accelerator to perform services such as encrypting and decrypting VPN traffic, thus reducing the load across the system and increasing throughput. The hardware contained within the appliances cannot be upgraded.
The SonicWALL Product Line
The SonicWALL product line is very diverse, with products designed for everything from home office use to enterprise-class networks. All SonicWALL appliances support the WebUI and the SonicWALL GMS. Additionally, some models include support for a CLI. Models that include limited management with a CLI are the SonicWALL TZ 170, SonicWALL Pro 2040, and the SonicWALL Pro 4060, all running the enhanced firmware. All of the devices use flash memory as the long-term storage option. Like all of the previous brands, none of the firewalls rely on a hard disk to run. For the full and current throughput numbers on all appliances, go to www.sonicwall.com/products/vpnapp.html.
Table 4.6 Overview of the SonicWALL Product Line

Model | Product Class | Interfaces | Maximum Firewall Throughput | Estimated Price Range
TZ 150 | SOHO | 5 (includes 4-port switch) | 30 Mbps | $330–400
TZ 150 Wireless | SOHO | 5 (includes 4-port switch) | 30 Mbps | $430–500
TZ 170 | Remote/branch office | 7 (includes 5-port switch) | 90 Mbps | $370–1300
TZ 170 SP | Remote/branch office | 7 (includes 5-port switch); analog modem | 90 Mbps | $600–750
TZ 170 Wireless | Remote/branch office | 7 (includes 5-port switch) | 90 Mbps | $500–1100
TZ 170 SP Wireless | Remote/branch office | 7 (includes 5-port switch); analog modem | 90 Mbps | $825–1100
PRO 1260 | Mid range | 26 (includes 24-port switch) | 90 Mbps | $825–1600
PRO 2040 | Mid range | 3 (4 with Enhanced OS) | 200 Mbps | $1,675–2,700
PRO 3060 | High range/enterprise | 3 (6 with Enhanced OS) | 300 Mbps | $2,325–2,800
PRO 4060 | High range/enterprise | 6 | 300 Mbps | $4,500–5,000
PRO 4100 | High range/enterprise | 10 (Gigabit) | 800 Mbps | N/A
PRO 5060c / PRO 5060f | High range/enterprise | 6 copper (5060c); 4 copper, 2 fiber (5060f) | 2.4 Gbps | $11,000–13,000
Content Security Manager 2100 CF | Content filter | N/A | N/A | $2,000–1,0000
SSL-VPN 200 | SSL VPN appliance | N/A | N/A | $575–700
SSL-VPN 2000 | SSL VPN appliance | N/A | N/A | $1,950–2,500
Global VPN Client | VPN Client | N/A | N/A | $50–
Global Security Client | VPN Client/Security Client software | N/A | N/A | $250–
GMS | SonicWALL Appliance Management Software | N/A | N/A | $2000–
■ SOHO Designed for remote locations or remote users that need a dedicated security appliance, the SOHO line of SonicWALL firewall appliances provides enterprise-class security at a low-cost entry point. These appliances terminate a site-to-site VPN from a corporate office to a remote site for a small number of users. They have a small footprint and can easily be stacked on a table or desk. When using IPS or Gateway Antivirus for the SOHO line, the appliance does not have the ability to support a DS3 circuit's full speed.
The SonicWALL TZ 150 is designed for small office and home office users. The TZ 150 has an integrated four-port Auto-MDIX 10/100 switch, and supports up to 2000 concurrent sessions from a maximum of 10 nodes.
Firewall throughput is around 30 Mbps, with VPN throughput around 10 Mbps. The SonicWALL TZ 150 supports two site-to-site VPN policies, and a maximum of two client VPN licenses. Like the midrange and higher-end models, the TZ 150's firewall utilizes deep packet inspection.
The SonicWALL TZ 150 Wireless contains many of the same features as the TZ 150, but also provides support for 802.11b/g wireless networks. The TZ 150 Wireless has a built-in access point, and provides wireless guest services and wireless IDP.
Both the SonicWALL TZ 150 and the TZ 150 Wireless ship with SonicOS Standard. It is important to note that neither of the TZ 150 series can be upgraded to SonicOS Enhanced. The inability to upgrade the OS is a good reason to step up one level and deploy the TZ 170.
The SonicWALL TZ 170 is an ideal solution for any small office or home office user. The base model is very versatile. The TZ 170 can be purchased with the ability to support ten, twenty-five, or an unlimited number of nodes. This model provides seven 10/100 interfaces, including a five-port switch. At 90 Mbps, the TZ 170 can easily support a DS3 circuit. The TZ 170 can also support up to 30 Mbps throughput for VPN traffic. The TZ 170 supports up to ten site-to-site VPN policies, and a maximum of 50 client VPN tunnels.
If running SonicOS Enhanced, the SonicWALL TZ 170 is the lowest-end model in the SonicWALL product line that can support features such as WAN failover and load balancing. The TZ 170 also provides an optional (OPT) port, which is used to provide these services. It can also be used to provide a DMZ.
The SonicWALL TZ 170 SP is the TZ 170 with an additional piece of hardware. The TZ 170 SP ensures continuous uptime for VPN connectivity by automatically failing over to either a second WAN connection or an integrated analog modem. Once the broadband connection has been re-established, the TZ 170 SP detects the restored connection and automatically fails back, ensuring the best possible connectivity.
■ Midrange The SonicWALL PRO 1260 and SonicWALL PRO 2040 fall into the midrange category. These appliances are designed for use in branch and remote offices and small- or medium-sized businesses. They provide a solid gateway and firewall solution, and provide secure VPN access. Both appliances can be rack-mounted.
The SonicWALL PRO 1260 was designed to be the core of a small business or branch office network integrated into a single appliance. The PRO 1260 provides deep inspection firewall and VPN capabilities, and a 24-port 10/100 Ethernet switch. The integrated switch also includes Auto-Medium Dependent Interface, Crossover (MDIX) support (negating the need for cross-over cables) with an unlimited number of nodes.
The SonicWALL PRO 1260 has a unique feature called PortShield architecture, which provides the ability to configure each port as an individual security zone. Not only is traffic from the WAN inspected and filtered, but it can effectively filter traffic from other ports on the firewall, including the
The SonicWALL PRO 2040 is designed to be a midrange workhorse rather than an out-of-the-box core network solution. It provides three available 10/100 interfaces, and supports an additional fourth 10/100 interface when utilizing SonicOS Enhanced. There is no built-in switch on the PRO 2040; however, it supports an unlimited number of nodes. Like the SonicWALL PRO 1260, the PRO 2040 provides a small- or medium-sized business network with a deep inspection firewall as well as a VPN gateway.
Unlike the SonicWALL PRO 1260, the PRO 2040 supports hardware failover when SonicOS Enhanced is installed.
Both the SonicWALL PRO 1260 and the PRO 2040 support several advanced features, including WAN/WAN failover, ISP failover, and load balancing. Both appliances come bundled with a 30-day subscription to services, including gateway antivirus, anti-spyware, IPS, and the SonicWALL Premium content filter service.
■ Enterprise Class These appliances are designed for use in large, complex networks, where higher throughput and additional segmentation of the network is needed. They are designed to provide a solid gateway and firewall solution, and to provide secure VPN access. All appliances in this class are rack-mountable.
Although at the lower end of the large business and enterprise-class appliances, the SonicWALL PRO 3060 is well-suited for any complex environment. It comes standard with SonicOS Standard and includes six customizable 10/100 network interfaces. With support for up to 128,000 concurrent connections, the PRO 3060 is designed to handle a large amount of traffic without losing efficiency.
The SonicWALL PRO 4060 steps up the performance from the SonicWALL PRO 3060. It ships from SonicWALL with SonicOS Enhanced preinstalled, providing for object-based management out-of-the-box. Like the SonicWALL PRO 3060, the PRO 4060 provides six 10/100 user-configurable network interfaces. What separates the PRO 4060 from the SonicWALL PRO 3060 is the emphasis placed on acting as a VPN concentrator. The VPN throughput is more than double that of the PRO 3060, and it has a larger connection table, supporting up to a half million concurrent connections. Distributed wireless LAN capabilities allow easy integration of advanced WLAN services within existing network and security architectures utilizing SonicWALL SonicPoints.
The SonicWALL PRO 4100 is designed for higher traffic environments with many network segments. Providing 10GB network interfaces, the PRO 4100 builds on the high-end VPN performance of the SonicWALL PRO 4060 and introduces the SonicWALL Clean VPN feature. This ensures that mobile user connections and branch office traffic are decontaminated to prevent vulnerabilities from being introduced via remote connections. SonicOS Enhanced is standard.
The SonicWALL PRO 5060c and 5060f round out the SonicWALL firewall appliance offerings. Both the PRO 5060c and the PRO 5060f have similar specifications, the major difference being the available interfaces. The PRO 5060c offers six copper interfaces, while the PRO 5060f offers four copper interfaces along with two fiber interfaces. These two appliances offer the utmost in network throughput and come standard with SonicOS Enhanced.
Management
SonicWALL offers the easy-to-use WebUI integrated into SonicOS to manage SonicWALL appliances. The WebUI is an ideal solution for managing a small number of appliances (e.g., four to five remote sites or a few telecommuters). However, what if your organization consists of ten or more branch offices? What if you are managing many SonicWALL appliances for clients? Managing each individual firewall is a huge chore. Furthermore, how do you consolidate the logs of these devices? Is it practical to use a simple syslog server to manage all of those devices? The solution is the SonicWALL GMS, which can manage many SonicWALL appliances from one easy-to-use interface.
The SonicWALL GMS provides administrators with the following benefits:
■ Unified management interface
■ Lower administrative costs
■ Centralized logging
■ Simplified VPN deployment
Each individual device is imported into the GMS, where individual aspects of the firewall can be managed. You can add and delete security zones, create new access rules, and tweak existing access rules. If you have dozens of locations that need the same policy, you can easily deploy that policy to all of those devices. If you need to make a change to that policy, instead of accessing each device individually, you can make the change to the policy and then update all of the devices at once. This simplifies large-scale deployments and allows you to gain more control over the enterprise's security as a whole. The GMS also brings logging to one central location, where it is stored for historical purposes and monitored in real time. This takes the guesswork out of determining what is happening to your secured infrastructure.
Nokia Hardened Appliances
The NSP offers enterprise-class security with Check Point software running on Nokia IPSO, a hardened OS on purpose-built, high-performance hardware.
Technologies
Nokia IPSO is a UNIX-based, appliance-optimized, security-hardened, clusterable OS capable of supporting a wide range of Nokia and partner security applications. Built-in IP routing functionality, including IPv6 standards compliance, makes it capable of internetworking with customer IP networks. Nokia's Web-based administrative interface, the Voyager, can be used for just about anything, including point-and-click OS and firewall software upgrades (see Figure 4.2).
Figure 4.2 Interface Configuration Through the Voyager Web
If you only have a console connection to your Nokia device or prefer a command prompt interface, you can use Voyager over a console connection from the IPSO shell (see Figure 4.3).
A command-line tool called iclid can be used to show and monitor various configuration settings. It has a syntax similar to Cisco's IOS command shell, and offers the tabbed command completion and the command display present in most modern UNIX shells (see Figure 4.4).
Figure 4.3 Package Management Through the Lynx Interface
Figure 4.4 Output of Common Shell Commands
IPSO is based on UNIX and boots into a standard C-shell (csh) (see Figure 4.5).
Configuration files do not normally persist across system reboots or across changes made with Voyager. However, there are ways to use the standard tools to make permanent changes.
Figure 4.5 Output of Common Shell Commands
Most models offer Virtual Router Redundancy Protocol (VRRP), which enables implementation of hot-standby firewall appliances in a way that is transparent to host systems. If the primary appliance fails, hosts are served by the hot-standby appliance without any direct host involvement. Combining VRRP with Check Point Firewall Sync (a technology that replicates the configuration parameters between devices), Nokia firewall appliances can be deployed in configurations that support integrated, redundant, hot-standby routing and firewall services.
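The hot-standby behaviour described above, as an added example that is not part of the original text or of any vendor's software: a small Python simulation of the VRRP election, failover and failback timers (RFC 3768), showing why the hosts' gateway address never changes while ownership of it does. The router names, the priorities 200/100 and the virtual address 192.0.2.1 are assumed values.

```python
"""VRRP-style hot-standby election between two firewall appliances (constructed
example, not SonicWALL or Nokia code). Models the master election, failover and
failback that VRRP gives two appliances sharing one virtual gateway address; the
priorities, names and virtual IP used below are assumed values."""
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    name: str
    priority: int               # 1-254; the higher priority wins the election
    alive: bool = True          # False models a crashed or unplugged appliance
    state: str = "BACKUP"       # every router starts in BACKUP (RFC 3768)
    last_adv_seen: float = 0.0  # clock time the last master advertisement arrived
    preempt: bool = True        # may this router reclaim MASTER from a lower priority?
    def master_down_interval(self, adv_interval):
        # RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
        # Skew_Time = (256 - Priority) / 256, so the best backup times out first.
        return 3 * adv_interval + (256 - self.priority) / 256


class VrrpGroup:
    """One virtual router; hosts only ever see virtual_ip as their gateway."""
    def __init__(self, virtual_ip, routers, adv_interval=1.0):
        self.virtual_ip, self.routers, self.adv_interval = virtual_ip, routers, adv_interval
        self.now, self.events = 0.0, []  # events: (time, name) per MASTER transition

    def master(self):
        return next((r for r in self.routers if r.state == "MASTER"), None)
    def owner(self):
        # Appliance currently answering for virtual_ip; None means traffic is black-holed.
        return m.name if (m := self.master()) else None
    def _promote(self, router):
        for r in self.routers:
            r.state = "MASTER" if r is router else "BACKUP"
            if r is not router and r.alive:
                r.last_adv_seen = self.now  # the new master advertises immediately
        self.events.append((self.now, router.name))

    def step(self, dt=0.25):
        self.now += dt
        m = self.master()
        if m is not None and m.alive:
            for r in self.routers:          # live master advertises; backups
                if r is not m and r.alive:  # restart their Master_Down_Timer
                    r.last_adv_seen = self.now
            # Backup rule: a lower-priority advertisement lets a preempting backup
            # take over (this is the failback once the old master returns).
            better = [r for r in self.routers
                      if r.alive and r is not m and r.preempt and r.priority > m.priority]
            if better:
                self._promote(max(better, key=lambda r: r.priority))
            return
        if m is not None:
            m.state = "BACKUP"              # a dead master no longer owns the address
        # No advertisements: backups whose Master_Down_Timer expired hold an election.
        expired = [r for r in self.routers if r.alive
                   and self.now - r.last_adv_seen > r.master_down_interval(self.adv_interval)]
        if expired:
            self._promote(max(expired, key=lambda r: r.priority))

    def run(self, seconds, dt=0.25):
        for _ in range(round(seconds / dt)):  # run the clock forward
            self.step(dt)
        return self.owner()
```

With a 1 s advertisement interval the priority-200 router wins the first election at 3.25 s, the backup takes over 3.75 s after the master's last advertisement, and the restored master reclaims the address on the next tick only when preemption is enabled.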
The Nokia Horizon Manager reduces the time spent manually installing and upgrading software and applications by managing multiple IP network security appliances and their IPSO OS settings. It allows you to stage new appliance rollouts according to enterprise standards, with consistent configuration changes across the network.
Network managers can access Nokia Horizon Manager, with its remote secure GUI client, to implement configuration changes across multiple Nokia IP security platforms. In addition, management tools such as configuration templates can be edited and stored to form a set of common, standardized configurations. A task scheduler feature also increases operational efficiency by implementing best-practice security management such as system backups, upgrades, and password changes.
The Appliance Manager is a software-based management solution that enables centralized, scalable monitoring, fault management, and reporting for multiple Nokia Security appliances and applications. The real-time and historical monitoring and reporting on inventory, network traffic, faults, and security events provides key information for security appliance maintenance, capacity planning, and audit and device lifecycle management.
Nokia Models
All of the models are standardized on the common Web interface called Voyager, through which you can remotely administer and configure almost any aspect of the OS or firewall, as well as on a CLI. Serial console access is standard. The NSP consists of 12 different hardware models, all part of the IP series. All models offer various additional software packages to add such features as VPN, intrusion detection, and virus scanning. As the model numbers increase, the performance and throughput increase.
For full and current specifications on these appliances, reference www.nokiausa.com/business/security/product/1,8193,pid:fw_vpn_app%7Ctab:0,00.html. Given the number of models and the similarities between models, it would be wise to use Nokia's Platform Recommendation Tool available at www.nokia-platformtool.com/scripts/main.html.
Below are some examples of the myriad of models available:
■ Nokia IP45 The Nokia IP45 firewall appliance is the optimal remote connectivity and perimeter security solution for enterprise remote office/branch office (ROBO), work extenders, and small- and medium-size businesses that need robust VPN connectivity. This appliance combines Check Point firewall software with a purpose-built, Nokia-designed hardware platform. The desktop-sized firewall appliance offers high reliability with no moving parts, out-of-the-box deployment (pre-licensed and pre-configured), multiple connection types, and ease of maintenance (including automatic upgrading of firewall/VPN appliances) without network downtime.
Four models are available with 8, 16, 32, and unlimited nodes.
■ Nokia IP350 and IP355 The Nokia IP350 and Nokia IP355 deliver performance for real-world mixed-traffic environments, and offer high port density in a 1RU system. They are designed for small- to mid-sized enterprise customers or small, standalone companies.
Key features available with the Nokia IP350 and Nokia IP355 include on-board encryption, large routing tables, highly reliable flash-based storage (Nokia IP355) or disk-based storage on the IP350, maximum expansion capacity with up to ten 10/100 Ethernet ports, synched firewalls in HA environments, and the hardened Nokia IPSO OS with its Web and CLI interface. Nokia IPSO includes Nokia IP clustering, and supports a wide array of protocols, such as the remote authentication protocols Remote Authentication Dial-In User Service (RADIUS) Client/Server and Terminal Access Controller Access Control System (TACACS+) Client. The IP350 ships with 256MB RAM and the IP355 has 1GB RAM. Both have two Type II PCMCIA slots and an encryption accelerator.
■ Nokia IP1220 The Nokia IP1220 supports the traffic requirements present in large business and service provider networks with a high-speed encryption accelerator card and up to 2GB of RAM. Its redundant hardware capabilities include hot-swap interface cards, optional mirrored hot-swap-capable hard disks, and an optional load-sharing power supply and fan. VRRP and Nokia IP Clustering support additional redundancy.
With its expansion capacity in a 3 Unit (3U) form factor, the IP1220 can service a multitude of network segments for a large and growing network infrastructure with up to 20 10/100 Ethernet or four 10/100 Ethernet and eight 1000 Gigabit Ethernet (GigE) connections in a variety of customer-selected configurations.
Like most Nokia Firewall/VPN appliances, the IP1220 offers the option of either disk- or flash-based storage configurations. Additionally, it can be configured with hybrid (flash and compact disk) local storage. The hybrid configuration uses flash storage for Nokia IPSO and the Check Point enforcement module, and local disk for management and logging.
Nokia IP1220 features Nokia IPSO™, a secure OS with Web or CLI, as well as support from Nokia Horizon Manager, which provides secure robust system management, version control, and backup and restore.
■ Nokia IP2250 The Nokia IP2255 is the top level of the Nokia firewall line and is designed specifically for the demanding performance and port-density requirements of carriers, service providers, e-commerce sites, and enterprise data center cores. It is a 3U form factor, flash-based security appliance providing in excess of 8 Gbps of performance with up to 20 Gbs Ethernet interfaces or up to 36 10/100 Ethernet interfaces for the Check Point VPN-1 Power application. Harnessing the power of two network processors and Nokia Accelerated Data Path (ADP) software acceleration technology, the Nokia IP2255 running Check Point VPN-1 Power provides up to 8.9 Gbps of firewall throughput with 87,000 firewall connections per second and 2.3 Gbps of AES256-encrypted VPN throughput.
The Check Point SMART Management framework simplifies complex policy definition and deployment. Nokia Network Voyager and Cluster Voyager provide complete local and remote WebUI appliance management, and Nokia Horizon Manager and Nokia Appliance Manager provide