Disclaimer: All equipment photos are provided courtesy of Nokia and are intended for informational purposes only. Their use does not in any way constitute endorsement, partnering or any other type of involvement on the part of Nokia.

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

Unique Passcode 99385426

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

Nokia Firewall, VPN, and IPSO Configuration Guide
Copyright © 2009 by Elsevier, Inc. All rights reserved.
Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

ISBN 13: 978-1-59749-286-7

Publisher: Laura Colantoni
Acquisitions Editor: Andrew Williams
Developmental Editor: Matthew Cater
Technical Editor: Warren Verbanec
Project Manager: Andre Cuello
Page Layout and Art: SPI
Copy Editor: Michael McGee
Indexer: SPI
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Senior Sales Manager, Corporate Sales, at Syngress Publishing; email [email protected].

Library of Congress Cataloging-in-Publication Data
Hay, Andrew, 1973-
Nokia firewall, VPN, and IPSO configuration guide / Andrew Hay, Peter Giannoulis, Keli Hay.
p. cm.
ISBN 978-1-59749-286-7
1. Wireless Internet--Computer programs. 2. Nokia smartphones. 3. Extranets (Computer networks) 4. Firewalls (Computer security) 5. Software configuration management. I. Giannoulis, Peter. II. Hay, Keli. III. Title.
TK5103.4885.H39 2009
005.1--dc22
2008044578

Authors

Andrew Hay is a recognized security expert, thought leader, presenter, and author. As the Integration Services Product and Program Manager at Q1 Labs Inc., his primary responsibility involves the research and integration of log and vulnerability technologies into QRadar, their flagship network security management solution. Prior to joining Q1 Labs, Andrew was CEO and co-founder of Koteas Corporation, a leading provider of end-to-end security and privacy solutions for government and enterprise.
His resume also includes various roles and responsibilities at Nokia Enterprise Solutions, Nortel Networks, and Magma Communications, a division of Primus. Andrew is a strong advocate of security training, certification programs, and public awareness initiatives. He also holds several industry certifications including the CCNA, CCSA, CCSE, CCSE NGX, CCSE Plus, SSP-MPA, SSP-CNSA, NSA, RHCT, RHCE, Security+, GSEC, GCIA, GCIH, and CISSP.

Andrew would first like to thank his wife Keli for her support, guidance, and unlimited understanding when it comes to his interests. He would also like to thank Dameon D. Welch-Abernathy (a.k.a. Phoneboy), Peter Giannoulis, Michael Santarcangelo, Michael Farnum, Martin McKeay, Lori MacVittie, Jennifer Jabbusch, Michael Ramm, Anton Chuvakin, Max Schubert, Andy Willingham, Jennifer Leggio, Ben Jackson, Jack Daniel, Kees Leune, Christofer Hoff, Kevin Riggins, Dave Lewis, Daniel Cid, Rory Bray, George Hanna, Chris Cahill, Ed Isaacs, Mike Tander, Kevin Charles, Stephane Drapeau, Jason Ingram, Tim Hersey, Jason Wentzell, Eric Malenfant, Al Mcgale, Sean Murray-Ford, the Trusted Catalyst Community, his past coworkers at Nokia, his current coworkers at Q1 Labs, the folks at PerkettPR, and of course his parents, Michel and Ellen Hay, and in-laws Rick and Marilyn Litle for their continued support.

Peter Giannoulis is an information security consultant in Toronto, Ontario. Over the last 10 years Peter has been involved in the design and implementation of client defenses using many different security technologies. He is also skilled in vulnerability and penetration testing, having taken part in hundreds of assessments. Peter has been involved with SANS and GIAC for quite some time as an Instructor, Authorized Grader for the GSEC certification, courseware author, exam developer, Advisory Board member, and is currently a Technical Director for the GIAC family of certifications.
He currently maintains the first information security streaming video website (www.theacademy.ca), which assists organizations in implementing and troubleshooting some of the most popular security products. Peter’s current certifications include: GSEC, GCIH, GCIA, GCFA, GCFW, GREM, GSNA, CISSP, CCSI, INFOSEC, CCSP, & MCSE.

Keli Hay is a certified professional instructor through Freisen, Kaye and Associates, with over 15 years’ experience in IT. She also has a diploma in Business Administration with a major in Information Systems. Keli is currently working as an Instructional Designer, primarily for a large, global IT client, and is based in Fredericton, New Brunswick, Canada. In other roles, Keli has provided technical support and training for company-specific and third-party products, provisioned client services, provided customer service, and audited IT services. Keli’s employers include PulseLearning Inc., Computer Sciences Corporation (CSC), Nortel, and Magma Communications, a division of Primus. Keli also acted as a technical editor consultant on the OSSEC Host-Based Intrusion Detection Guide. She enjoys learning and writing about and helping to train people on different products.

Keli would like to thank Andrew for his support, guidance, expertise, sense of humor, and wisdom – we have shared lots of experiences and grown together. She would also like to thank her parents (Richard and Marilyn Litle) for their support, guidance, and lots of advice over the years.

Technical Editor

Warren Verbanec is a Silicon Valley native who first loaded Zaxxon from tape in 1982. He was a member of Nokia’s Product Line Support group for several years, wrote Nokia’s technical security courseware, and continues to consult for Nokia on various subjects. He holds a variety of industry certifications and holds a Bachelor of Science degree from the University of California.

Foreword Contributor

Dameon D. Welch-Abernathy, CISSP, a.k.a.
“PhoneBoy,” has provided aid and assistance to countless IT professionals since 1996. Best known as the author of two books on Check Point VPN-1/FireWall-1 as well as creator of a well-visited FAQ site on the Check Point products, Welch-Abernathy currently works in the Security Product Line Support team in Nokia’s Software and Services division. In addition to assisting customers with Nokia’s line of network security products, he is Editor in Chief of the Support Knowledge Base on the Nokia Support Web.

Foreword

Back when I started working with Check Point in 1996, the marketplace for firewalls was different. The market was still being educated on what firewalls were and what value they provide. Corporate firewalls typically ran on general-purpose computers with multiple network interfaces. The operating systems had to be “hardened” by administrators to ensure they did not run unnecessary services that could be used to compromise—or degrade—the firewall operation.

While Check Point still runs—and is supported—on general-purpose platforms running Solaris and Windows, a number of purpose-built platforms run Check Point software. The hard work of selecting individual components for the firewall platform and securing the underlying operating system is a thing of the past. The underlying operating system comes presecured, and the interface cards are known to work. You also get the benefit of a single source for support of the entire solution. While a number of companies provide these platforms (Resilience, Crossbeam, and even Check Point themselves are selling their own hardware), many customers choose to run Check Point on Nokia security platforms. It’s one of the most popular ways to run Check Point today.

My history with Nokia starts in 1999, when I was hired to work in their support organization. I brought the knowledge I had accumulated on the Check Point FAQ site I had on phoneboy.com and put it to use within Nokia.
A lot of goodness from my own site made its way into Nokia’s support knowledge base, where some of the old phoneboy.com content is still used today. While I stopped actively supporting Check Point on Nokia in 2004, and turned over the Check Point content on phoneboy.com to cpug.org around that time, I can’t entirely get away from Check Point. I still work for the same part of the company I started with, and I have a lot of history with the product. I also read and approve the knowledgebase articles other people write on the Nokia solution, which show up in Nokia Support Web, our customer portal.

Having put out a couple of Check Point books myself, I know first-hand how difficult it was for Andrew, Keli, and Peter to put this book together. They’ve got a good book here. It should put you well on your way to getting your Nokia firewalls deployed in your network.

—Dameon D. Welch-Abernathy
A.K.A. PhoneBoy
July 2008

Chapter 1
Nokia Security Solutions Overview

Solutions in this chapter:
■ Introducing Nokia IPSO
■ Introducing Nokia Firewall/VPN and UTM Appliances
■ Introducing Additional Nokia Security Solutions
˛ Summary
˛ Solutions Fast Track
˛ Frequently Asked Questions

Introduction

“Our aging Linux firewalls just aren’t cutting it anymore, Simran,” said Marty Feldman, Director of Information Security.

Simran Sing, the CISO at one of North America’s premiere defense companies, knew to take Marty at his word. “All right, what are our options?”

“Well, that depends,” smiled Marty. “Do I have the budget for a complete overhaul? I’d like to rip these things out at the perimeter and place a trusted enterprise solution in their place.”

Simran opened up her budget spreadsheet. “Well, Marty, we’ve got some money left for this year, but you’re going to have to really convince me that the solution you select is going to give us some return on investment.”

Marty smiled. “Is ROI all you care about now?
I remember when you used to be all about the cool factor.”

Simran laughed. “As the CISO, I really don’t have that luxury anymore, Marty. We have to pick a solution that will ensure we don’t lose money due to a breach.”

Marty flipped through the stack of papers he always carried with him. “What about those Nokia IP Security Appliances? I was speaking to the local account manager last week and it sounds like they have a really good offering.”

Simran looked down at her desk where her Nokia mobile phone sat. “I thought Nokia only dealt in mobile phones and mobile connectivity solutions?”

Marty held up a printout of a whitepaper on Nokia Security Solutions that had several images of the Nokia security platforms. “Nope,” said Marty, “They’ve been making firewall platforms for years. Plus, they’re running on a hardened operating system that’s been stripped down for performance and to run the Check Point firewall software application.” Marty smiled. “You have heard of Check Point, haven’t you, boss?”

Simran frowned. “Don’t forget, I’m still a geek at heart, Marty. Also, don’t forget that I did your job for several years before I put you into my role.” Simran flashed a sarcastic smile. “I brought you into this job; I can take you out of it.”

Marty laughed. “Yes, boss, I remember.”

Marty left Simran’s office and headed back to his desk. He started scouring the Internet for any and all information about the Nokia Security Solutions offerings he could find. He watched several Webinars, read numerous technical documents, and even checked out several message boards where people were posting questions about issues they were having with their Nokia appliances and configurations. After performing his due diligence, Marty picked up the phone and called the local Nokia account manager he had spoken with the previous week. “Josh, Marty Feldman here.
I was wondering if you’d be able to drop by sometime this week to tell me more about the Nokia Security Solutions portfolio…”

When people hear the name Nokia they immediately think cellular (mobile) telephones. What most people do not know is that Nokia is also a leader in network security solutions and