Check Point IPSO
Check Point IPSO is the operating system for the 'Check Point firewall' appliance and other security devices, based on FreeBSD, with numerous hardening features applied.[1]
The IP in IPSO refers to Ipsilon Networks, a company specialising in IP switching acquired by Nokia in 1997.[2]
In 2009, Check Point acquired the Nokia security appliance business, including IPSO, from Nokia.[3]
Variations
IPSO, now at version 6.2, is a fork of FreeBSD 6. There were two other systems, called IPSO-SX and IPSO-LX, that were Linux-based:
- IPSO SX was Nokia's first release of a Linux-based IPSO, and was deployed in 2002 on the now-defunct Message Protector,[4] and briefly thereafter on a short-lived appliance version of the "Nokia Access Mobilizer", acquired from Eizel. It had a partitioning scheme somewhat reminiscent of IPSO SB, a LILO configuration and boot manager also somewhat inspired by IPSO SB, and a software package installer that made RPM packaging look more familiar to a Nokia IPSO administrator. It did not, however, include a full configuration database or Voyager web interface, the two things that normally define IPSO.
- IPSO LX is a nearly vanilla Gentoo-based Linux OS,[5] and is used on Nokia appliances sold with Sourcefire 3D. It includes a full Voyager and database implementation—in fact, the Voyager look and feel in IPSO SB 4.0 onwards was based on that implemented for IPSO LX.
Check Point offers three lines of security appliances: one based on IPSO 6.x, one based on an operating system called SecurePlatform, and the latest based on the Gaia platform (RHEL4-based).
Features
IPSO's notable features or firsts include:
- Effective firewall load-balancing (in conjunction with Check Point synchronization), derived from Network Alchemy clustering technology, predating and still independently developed from Check Point's ClusterXL.
- The first commercial IPv6 router out of beta-testing (ahead of Cisco and Juniper Networks)
- Firewall Flows for putting Check Point security rule implementation into the dedicated network processor circuitry on-the-fly (though this has now largely evolved into Check Point's SecureXL)
Versions
IPSO SB was originally derived by Ipsilon Networks from FreeBSD 2.1-STABLE and cross-compiled on FreeBSD 2.2.6-RELEASE and 3.5-RELEASE platforms. Its major components are:
- A configuration database held in memory by the "xpand" daemon, that creates legacy UNIX configuration in /etc on-the-fly.
- A partitioning scheme which places a mini-IPSO in a separate boot manager partition for recovery
- A partition-slicing scheme which segregates read-only and read-write content
- A software packaging scheme which requires all packages to remain in a single location under /opt
- A web interface, Voyager, which was closely integrated with the configuration database. (It has now diverged somewhat.)
IPSO versions up to 2.x were sold by Ipsilon Networks as part of the ATM tag-switching solutions that they originally pioneered. Versions from IPSO 3.0 onwards were designed to host Check Point FireWall-1 and other third-party packages.
IPSO 3.0 to 3.9 spanned from 1999 to 2005 and, while adding many features and significant performance and hardware refinements, were recognizably the same to the administrator.
IPSO 4.0 was not designed as a major update and was internally numbered as IPSO 3.10. However, Check Point software was unable to process a two-digit dot version, and the release also included a refresh of the Voyager HTML interface; up to that point, JavaScript and frames had been avoided in order to facilitate the use of Lynx as a command line interface. These two factors together resulted in it being renumbered as 4.0. IPSO 4.1 and IPSO 4.2 are incremental releases. IPSO 4.2 will gain source-based routing as its last scheduled new feature. All new development will continue on IPSO 6.x.
IPSO 5.0 build 056 was released in 2009 for VSX R65 support on IP Appliance.
IPSO 6.0 was announced by Nokia in relation to the IP2450 and IP690 hardware. It is based on FreeBSD 6.x. Its primary advantages over IPSO 4.x are improved memory management, performance, scheduling, threading, POSIX-compliance, and other operating system features. IPSO 6.0.7 was released in 2009 for IP690 and IP2450 with CoreXL (multi-core) support. IPSO 6.1 contains other enhancements from FreeBSD 6.x but without CoreXL support. Because of the step change, Nokia advertised that IPSO 4.2, 6.07 and 6.1 will run alongside each other for a period of time. When Check Point acquired the Nokia IP appliance business, the 6.07 and 6.1 development branches were merged and combined into 6.2.
The most recent version is IPSO 6.2MR5, released in September 2015.[6]
For a while, Nokia offered IPSO 7, which was actually IPSO LX. It was discontinued after 7.2, in 2008.
After acquiring the Nokia IP appliance business, Check Point announced project Gaia to combine both IPSO and SecurePlatform. The first release is expected in 2011.[7]
References
- [1] "Archived copy". Archived from the original on 13 March 2006. Retrieved 2007-04-15.
- [2] "Archived copy". Archived from the original on 23 March 2006. Retrieved 2007-04-15.
- [3] "Archived copy". Archived from the original on 1 June 2009. Retrieved 2009-06-02.
- [4] http://www.nokia.com/A4136001?newsid=880176
- [5] http://www.secinfo.com/dsvRq.uu2.a.htm
- [6] https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=44605
- [7] "Check Point Project Gaia".