Check Point IPSO

Last updated July 27, 2023

Check Point IPSO is the operating system for the 'Check Point firewall' appliance and other security devices, based on FreeBSD, with numerous hardening features applied.^[1]

Variations

IPSO, now at version 6.2, is a fork of FreeBSD 6. There were two other systems, called IPSO-SX and IPSO-LX, that were Linux-based:

IPSO SX was Nokia's first release of a Linux-based IPSO, and was deployed in 2002 on the now-defunct Message Protector,^[4] and briefly thereafter on a short-lived appliance version of the "Nokia Access Mobilizer", acquired from Eizel. It had a partitioning scheme somewhat reminiscent of IPSO SB, a LILO configuration and boot manager also somewhat inspired by IPSO SB, and a software package installer that made RPM packaging look more familiar to a Nokia IPSO administrator. It did not, however, include a full configuration database or Voyager web interface, the two things that normally define IPSO.
IPSO LX is a nearly vanilla Gentoo-based Linux OS,^[5] and is used on Nokia appliances sold with Sourcefire 3D. It includes a full Voyager and database implementation—in fact, the Voyager look and feel in IPSO SB 4.0 onwards was based on that implemented for IPSO LX.

Check Point offers three lines of security appliances – one based on IPSO 6.x, one based on an operating system called SecurePlatform and the latest based on Gaia platform (RHEL4 based).

Features

IPSO notable features or firsts include:

Effective firewall load-balancing (in conjunction with Check Point synchronization), derived from Network Alchemy clustering technology, predating and still independently developed from Check Points ClusterXL.
The first commercial IPv6 router out of beta-testing (ahead of Cisco and Juniper Networks)
Firewall Flows for putting Check Point security rule implementation into the dedicated network processor circuitry on-the-fly (though this is now largely evolved into Check Point's SecureXL)

Versions

IPSO SB was originally derived by Ipsilon Networks from FreeBSD 2.1-STABLE and cross-compiled on FreeBSD 2.2.6-RELEASE and 3.5-RELEASE platforms. Its major components are:

A configuration database held in memory by the "xpand" daemon, that creates legacy UNIX configuration in /etc on-the-fly.
A partitioning scheme which places a mini-IPSO in a separate boot manager partition for recovery
A partition-slicing scheme which segregates read-only and read-write content
A software packaging scheme which requires all packages to remain in a single location under /opt
A web interface, Voyager, which was closely integrated with the configuration database. (It has now diverged somewhat.)

Ipsilon Networks sold IPSO versions up to 2.x as part of the ATM tag-switching solutions that they originally pioneered. IPSO 3.0 onwards were designed to host Check Point FireWall-1 and other third party packages.

IPSO 3.0 to 3.9 spanned from 1999 to 2005 and, while adding many features and significant performance and hardware refinements, were recognizably the same to the administrator.

IPSO 4.0 was not designed as a major update and was internally numbered as IPSO 3.10. However, Check Point software could not process a two-digit dot version, and it also included a refresh of the Voyager HTML interface. Up to that point, JavaScript and frames had been avoided in order to facilitate the use of Lynx as a command line interface. These together resulted in it being renumbered as 4.0. IPSO 4.1 and IPSO 4.2 are incremental releases. IPSO 4.2 will gain source-based routing as its last scheduled new feature. All new development will continue on IPSO 6.x.

IPSO 5.0 build 056 was released in 2009 for VSX R65 support on IP Appliance.

Nokia announced IPSO 6.0 in relation to the IP2450 and IP690 hardware. It is based on FreeBSD 6.x. Its primary advantage over IPSO 4.x are improved memory management, performance, scheduling, threading, POSIX-compliance, and other operating system features. IPSO 6.0.7 was released in 2009 for IP690 and IP2450 with CoreXL (multi-core) support. IPSO 6.1 contains other enhancements from FreeBSD 6.x but without CoreXL support. Because of the step change, Nokia advertised that IPSO 4.2, 6.07 and 6.1 will run alongside each other for a period of time. When Check Point acquired Nokia IP appliance business, 6.07 and 6.1 development branches were merged and combined to 6.2.

Most recent version is IPSO 6.2MR6, released in February 2017.^[6]

For a while, Nokia offered IPSO 7, which was actually IPSO LX. It was discontinued after 7.2, in 2008.

After acquiring the Nokia IP appliance business, Check Point announced project Gaia to combine both IPSO and Secure Platform. The first release is expected in 2011.^[7]

Related Research Articles

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

m0n0wall was an embedded firewall distribution of FreeBSD, one of the BSD operating system descendants. It provides a small image which can be put on Compact Flash cards as well as on CD-ROMs and hard disks. It runs on a number of embedded platforms and generic PCs. The PC version can be run with just a Live CD and a floppy disk to store configuration data, or on a single Compact Flash card. This eliminates the need for a hard drive, which reduces noise and heat levels and decreases the risk of system failure through elimination of moving parts found in older hard drives.

Asterisk is a software implementation of a private branch exchange (PBX). In conjunction with suitable telephony hardware interfaces and network applications, Asterisk is used to establish and control telephone calls between telecommunication endpoints, such as customary telephone sets, destinations on the public switched telephone network (PSTN), and devices or services on voice over Internet Protocol (VoIP) networks. Its name comes from the asterisk (*) symbol for a signal used in dual-tone multi-frequency (DTMF) dialing.

<span class="mw-page-title-main">Application firewall</span> Layer 7/application layer network security system

An application firewall is a form of firewall that controls input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The application firewall can control communications up to the application layer of the OSI model, which is the highest operating layer, and where it gets its name. The two primary categories of application firewalls are network-based and host-based.

ifconfig is a system administration utility in Unix-like operating systems for network interface configuration.

The Common Address Redundancy Protocol or CARP is a computer networking protocol which allows multiple hosts on the same local area network to share a set of IP addresses. Its primary purpose is to provide failover redundancy, especially when used with firewalls and routers. In some configurations, CARP can also provide load balancing functionality. CARP provides functionality similar to Virtual Router Redundancy Protocol (VRRP) and to Cisco Systems' Hot Standby Router Protocol (HSRP). It is implemented in several BSD-based operating systems and has been ported to Linux (ucarp).

Check Point is an American-Israeli multinational provider of software and combined hardware and software products for IT security, including network security, endpoint security, cloud security, mobile security, data security and security management.

The jail mechanism is an implementation of FreeBSD's OS-level virtualisation that allows system administrators to partition a FreeBSD-derived computer system into several independent mini-systems called jails, all sharing the same kernel, with very little overhead. It is implemented through a system call, jail(2), as well as a userland utility, jail(8), plus, depending on the system, a number of other utilities. The functionality was committed into FreeBSD in 1999 by Poul-Henning Kamp after some period of production use by a hosting provider, and was first released with FreeBSD 4.0, thus being supported on a number of FreeBSD descendants, including DragonFly BSD, to this day.

OS-level virtualization is an operating system (OS) paradigm in which the kernel allows the existence of multiple isolated user space instances, called containers, zones, virtual private servers (OpenVZ), partitions, virtual environments (VEs), virtual kernels, or jails. Such instances may look like real computers from the point of view of programs running in them. A computer program running on an ordinary operating system can see all resources of that computer. However, programs running inside of a container can only see the container's contents and devices assigned to the container.

VPN-1 is a firewall and VPN product developed by Check Point Software Technologies Ltd.

Cisco NAC Appliance, formerly Cisco Clean Access (CCA), was a network admission control (NAC) system developed by Cisco Systems designed to produce a secure and clean computer network environment. Originally developed by Perfigo and marketed under the name of Perfigo SmartEnforcer, this network admission control device analyzes systems attempting to access the network and prevents vulnerable computers from joining the network. The system usually installs an application known as the Clean Access Agent on computers that will be connected to the network. This application, in conjunction with both a Clean Access server and a Clean Access Manager, has become common in many universities and corporate environments today. It is capable of managing wired or wireless networks in an in-band or out-of-band configuration mode, and Virtual Private networks (VPN) in an in-band only configuration mode.

TrueNAS is the branding for a range of free and open-source network-attached storage (NAS) operating systems produced by iXsystems, and based on FreeBSD and Linux, using the OpenZFS file system. It is licensed under the terms of the BSD License and runs on commodity x86-64 hardware.

FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD). The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular open-source BSD operating system, accounting for more than three-quarters of all installed and permissively licensed BSD systems.

Junos OS is a FreeBSD-based network operating system used in Juniper Networks routing, switching and security devices.

<span class="mw-page-title-main">Firewall (computing)</span> Software or hardware-based network security system

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

OpenConnect is a free and open-source cross-platform multi-protocol virtual private network (VPN) client software which implement secure point-to-point connections.

The History of the Berkeley Software Distribution begins in the 1970s.

References

↑ "Nokia/Checkpoint firewall". Archived from the original on 13 March 2006. Retrieved 15 April 2007.
↑ "Nokia Acquires Ipsilon Networks, Inc". Archived from the original on 23 March 2006. Retrieved 15 April 2007.
↑ "Welcome to Check Point". Archived from the original on 1 June 2009. Retrieved 2 June 2009.
↑ "The latest Nokia phones and accessories | Nokia Phones US".
↑ "SEC Info".
↑ "Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services".
↑ "Check Point Project Gaia".

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Nokia/Checkpoint firewall". Archived from the original on 13 March 2006. Retrieved 15 April 2007.

[2] "Nokia Acquires Ipsilon Networks, Inc". Archived from the original on 23 March 2006. Retrieved 15 April 2007.

[3] "Welcome to Check Point". Archived from the original on 1 June 2009. Retrieved 2 June 2009.

[4] "The latest Nokia phones and accessories | Nokia Phones US".

[5] "SEC Info".

[6] "Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services".

[7] "Check Point Project Gaia".

[1]

[2]

[3]

[4]

[5]

[6]

[7]