The first step in building your firewall is selecting the operating system on which the application will run. With FireWall-1, you have several options:
Windows NT/2000 Server
Sun Solaris (SPARC)
Nokia IP Security Platform (IPSO)
Linux and Secure Platform (SPLAT)
Each operating system has its advantages and disadvantages. Some of them are listed in the sections that follow, where each operating system is discussed. However, no one operating system is best for every environment. The single most important criterion for choosing an operating system should be the skill set of your administrators. Whichever operating system you select, make sure your security staff is knowledgeable in that particular operating system. Even if you select the best operating system in the world, you will have problems if you lack the skilled personnel to build and maintain it. Your firewall will not be as secure or as stable as it should be without a properly configured operating system.
The following subsections discuss the various operating systems on which FireWall-1 will run.
The assumption in this subsection is that Windows NT 4.0 Server or Windows 2000 Server/Advanced Server will be used. Check Point supports FireWall-1 only on Windows NT Server or Windows 2000 Server/Advanced Server. Windows NT Workstation and Windows 2000 Professional can be used in test environments, but they are not recommended in a production environment because Microsoft has limited each product to ten concurrent connections and doesn't support advanced routing capabilities. Windows NT Server and Windows 2000 Server/Advanced Server also include additional capabilities not present in Windows NT Workstation, such as mirrored drives. In this text, comments regarding Windows NT also apply to Windows 2000 unless otherwise specified.
You might wonder why I mention Windows NT at all, considering that Microsoft has declared it will no longer support Windows NT after the end of 2003. The fact is that a lot of people still use Windows NT. Not for firewalls, necessarily, but it is still in use and will probably still be in use long after Microsoft has decided to stop supporting it.
Some of the advantages of using Windows NT Server and Windows 2000 Server/Advanced Server include the following.
Ease of use: Windows has a GUI interface that many people are familiar with. This makes installation and maintenance of the operating system and firewall more user-friendly.
Widely used: Windows is widely deployed. Windows 2000 is a popular choice for FireWall-1 installations these days, and Windows NT was historically a popular choice. There is plenty of documentation on both Windows NT/2000 and FireWall-1 on Windows NT/2000.
Lots of third-party software: If FireWall-1 does not provide a particular function, it's likely that a third-party application does.
Some of the disadvantages of using Windows NT Server and Windows 2000 Server/Advanced Server include the following.
Remote administration: Compared to UNIX, Windows is more difficult to remotely administer because most administration tasks can be performed only with a GUI. This can be mitigated somewhat by installing third-party software such as Terminal Server or VNC, but these may introduce additional security issues. Even with these tools, the most essential remote administration tool ends up being a car.
Command-line access: Windows lacks a powerful command-line interface. This makes advanced troubleshooting more difficult for both the operating system and the firewall software. Many of the advanced troubleshooting methods covered in this book are more difficult to perform on Windows than on other platforms.
The original versions of FireWall-1 ran on SunOS and Solaris. Needless to say, Solaris is well supported both in terms of FireWall-1 and in terms of third-party applications.
Note that I am differentiating here between SPARC Solaris, which runs on SPARC processors, and Solaris x86, which runs on Intel-based hardware. The latter used to run FireWall-1, but Check Point currently does not support FireWall-1 on Solaris x86.
The advantages of using SPARC Solaris include the following.
Widely used: Solaris is widely used and is a popular choice for FireWall-1 installations. There is plenty of documentation on both Solaris and FireWall-1 on Solaris.
Primary development platform for Check Point: The majority of Check Point's development work occurs on Solaris.
Command-line access: UNIX systems have a strong command-line interface. This makes troubleshooting both the operating system and the firewall application easier, especially when working remotely.
High-end hardware support: Solaris tends to support high-end hardware including lots of memory and large disk drives. This means Solaris is a very scalable platform.
Third-party software: Although not as big of an advantage as on Windows, many applications you may need to use in conjunction with FireWall-1 will also run on Solaris.
The disadvantages of using SPARC Solaris include the following.
Training: Solaris, like most flavors of UNIX, requires more skill and training. It takes an experienced administrator to optimize the operating system. Not only can good Solaris administrators be difficult to find, but they may also cost more.
Policy Editor costs: Deploying Policy Editor on Solaris incurs extra cost. You are better off running Policy Editor from a Windows platform and connecting to a management console, which can run on any platform.
IBM makes a version of UNIX, called AIX, on which FireWall-1 can run.
Some of the advantages of using AIX include the following.
Command-line access: UNIX systems have a strong command-line interface. As mentioned above, this makes troubleshooting both the operating system and the firewall application easier, especially when working remotely.
High-end hardware support: AIX tends to support high-end hardware including lots of memory and large disk drives. This means AIX is scalable.
Some of the disadvantages of using AIX include the following.
Deployment and resources: Compared to Solaris, AIX is not as widely deployed. As such, good information on AIX is harder to find, not to mention the lack of information on using either of these operating systems with FireWall-1.
Not a first-tier operating system: New FireWall-1 features do not appear on AIX right away. In fact, they often appear on AIX last because the vast majority of users choose other platforms. In December 2002, NG was available only as a beta, and it was Feature Pack 1 at that (FP3 was shipping at that time). NG with Application Intelligence (NG AI) is now available on AIX.
Training: Similar to Solaris, AIX requires more training to administer. Good AIX administrators can be difficult to find and may also cost more.
Third-party software: Due to the small installed base of FireWall-1 on this platform, vendors may not release versions of their software for either operating system. If they do, it is almost always after Windows and Solaris versions are released.
The Nokia IP Security Platforms (IPxxx) are platforms specifically designed to run specialized applications, such as FireWall-1. The operating system that runs on this hardware is a modified version of FreeBSD called IPSO. IPSO began life as an ATM switching operating system at a company called Ipsilon Networks. In fact, IPSO used to stand for IP Switching Operating system. Nokia acquired Ipsilon Networks in 1998. The terms Nokia platform and IPSO are used interchangeably throughout this text.
The Nokia IP30 and IP40 platforms use a Linux-based operating system and use VPN-1 Embedded NG. The IP40 has a command-line interface very similar to what you would find on other Nokia platforms. The IP71 is also based on Linux but is no longer sold. The Nokia IP51 and IP55 are based on VxWorks and are also no longer sold.
Some advantages of using IPSO include the following.
Ease of use: Configuration of the operating system is performed with a standard Web browser.
Command-line access: Although much of the configuration is done with a standard Web browser, a standard UNIX command line is available for troubleshooting and monitoring, which is where I feel the use of the command line is most important. IPSO 3.6 also introduced a supported configuration command-line interface.
Hardened operating system: Most of what is considered insecure has been removed from the operating system or is relatively easy to disable in Voyager, the Web-based interface for configuring IPSO.
Widely used: Among hardware vendors that sell prepackaged solutions with FireWall-1 installed, Nokia sells more boxes than anyone else. In fact, in 2003, Check Point derived more than 40% of its revenue from sales on Nokia platforms.
More thoroughly tested product: Both Nokia and Check Point test the operating system, firewall, and hardware together for quality assurance.
Easier to upgrade: The operating system and applications on IPSO are designed to be relatively easy to upgrade or downgrade as needed.
Rack-mountable: Most Nokia application platforms are rack-mountable and are suitable for use in a secured machine room. The IP100 series platforms are wall-mountable.
Easy to manage: In addition to the easy-to-service hardware design, the operating system can be centrally managed with a product called Network Horizon Manager. This is a boon for companies with a large number of IP Security Platforms to manage.
Support: A single vendor provides support for both FireWall-1 and IPSO. In addition, Nokia's Technical Assistance Centers have achieved Support Center Practices certification.
Some disadvantages of using IPSO include the following.
Customization: What you gain in terms of a good user experience, you lose in terms of the ability to customize the box. Some consider the lack of customization a good thing; others do not. Nokia does have a Software Development Kit (SDK) and a Developers Alliance. However, these items are not free.
Cost: Nokia platforms have a higher acquisition cost than similar hardware and software combinations from other vendors. In addition, Nokia support agreements tend to be more expensive than other hardware and software options.
Command-line access: IPSO 3.6 and later provide a command-line interface through which you can make configuration changes, but it is nonstandard, at least with respect to how most UNIX systems operate.
Third-party applications: Few third-party applications run on IPSO. Nokia is increasing the number of vendors that run applications on the platform, but certainly not at the rate that applications are being made available on other UNIX platforms.
Linux is a UNIX-like operating system made available under the GNU Public License (GPL), meaning that you have free access to the source code and can make any modifications you like. Many Linux distributions, such as Red Hat, are similar to Solaris in administration. Most UNIX administrators can easily convert to a Linux environment.
The Linux kernel itself is under the GPL; various other programs included with most Linux distributions are either GPL or other similar open-source licenses.
Due, in part, to its popularity and cost, Check Point has released what is referred to as the "Black CD," a.k.a. Secure Platform or SPLAT. It is basically a stripped-down version of Red Hat Linux with FireWall-1 preloaded on it. The idea is this: Take a totally blank system with supported hardware, load this CD, and you have a firewall that's ready to go. There are a number of OPSEC Platform vendors that sell packaged hardware that can either sit on the desktop or be rack-mounted similar to a Nokia platform.
For the purposes of this comparison, Linux and Secure Platform are treated the same way. There are some differences, which are highlighted below.
The advantages of using Linux and Secure Platform include the following.
UNIX features: Linux shares the same advantages of most versions of UNIX: strong remote management and a command-line interface.
Lower cost of acquisition: Because you do not have to pay nearly as much for the operating system (it can be free!) and can use commodity PC hardware for your system, the overall cost of acquisition is less.
Ease of installation: If you use Secure Platform, Check Point has done all the work of hardening the operating system for you. Just plug in the CD and go!
Performance: At least in many performance tests commissioned by Check Point, Linux platforms perform better than other, similarly configured platforms.
Support: When using SPLAT, the operating system and firewall are supported by a single vendor.
Open source: You get not only the operating system free of charge but also the source code.
The disadvantages of using Linux include the following.
Distribution specific: FireWall-1 is supported only on Red Hat Linux using specific versions of the kernel. The exact versions supported depend on what version of FireWall-1 you are using. A few folks have made it work on other versions of Red Hat and even other distributions like Mandrake, SuSE, and Debian. I have run an NG FP3 management station on Debian, though management stations aren't as sensitive to kernel versions as firewall modules are.
Customization: Any customization (i.e., adding software packages) done on Secure Platform makes the operating system component entirely unsupported by Check Point.
Limited interface support: Not every type of interface is supported. Ethernet and various types of PPP interfaces appear to be supported. In Secure Platform, getting a device driver for a nonsupported device working with the operating system is difficult. If Secure Platform does not recognize your hardware out of the box, you are better off installing the appropriate version of Red Hat Linux instead.
Not easily upgradable: The reliance on specific kernel versions makes it difficult to upgrade the kernel with a security patch and still have that kernel work with the FireWall-1 kernel loadable module. The "upgrade" from NG FP2 Secure Platform to NG FP3 Secure Platform required a complete reinstall, so it really wasn't an upgrade. Check Point is supposedly improving this.
Secure Platform missing key functionality: I've seen numerous complaints in public forums that Check Point stripped out too much stuff from Red Hat for Secure Platform to be entirely usable. For instance, Check Point did not include a Secure Shell (SSH) daemon, which is standard on Solaris, IPSO, and even Red Hat Linux. Later versions of Secure Platform appear to have more packages, including the routing daemon Zebra in NG AI.