Nokia IP290 (running CheckPoint VPN-1 and Secure Platform)

Score: 3.94

Editor’s note: This is a summary of our testing of this product, for a full rundown of how it fared in our testing across ten UTM categories, please see our full coverage.

The Nokia IP290 is a recent addition to a long-lived line of security platforms from Nokia. The IP290 sits roughly in the middle of Nokia’s current IP-series platform lineup, with a few slower and faster systems on either side. The IP290 is a 1U high, half-wide device — Nokia shipped us two of them in a side-by-side configuration, making the IP290 the most space-efficient, power-efficient and quiet firewalls we tested. The IP290 comes with six 10/100/1000 Ethernet ports, and a slot for an add-in card to add capacity.

For a discussion of the Check Point firewall software running on the Nokia IP290 appliance, see story about Check Point VPN-1 UTM Gateway. This summary discusses only the Nokia IP290 appliance itself and Nokia’s IPSO operating system.

The IPSO operating system, used to manage nonfirewall features, such as dynamic routing and IP addresses, is controlled through the Voyager Web interface. Because Nokia and Check Point have been shipping Voyager and IPSO to our labs for Check Point firewall and VPN tests for years, we’ve come to appreciate the power of IPSO, a BSD-derived Unix, at letting us manage different versions of both firewall and operating system easily, as well as other operating system features (such as dynamic routing) that are not well covered in normal Check Point Secure Platform operating systems. In addition to the Voyager Web interface, two command-line interfaces are also available.

Nokia offers a number of features as part of its IPSO operating system, including three that proved to be key in our UTM testing: clustering, dynamic routing and IPv6. IPSO clustering, a load-balancing high-availability feature, is included in the IPSO base. 

Although we had problems with one of the NAT configurations we tested (a bug Nokia is still working on), the clustering worked well to scale up the performance of the IP290s.

Nokia also offers a more traditional active/passive high-availability configuration using Virtual Router Redundancy Protocol (VRRP), or you can use Check Point’s own high-availability features if you want. Dynamic routing is a core strength of the IPSO operating system; in fact, it was a dynamic router before anyone ever put Check Point software on it. Both Nokia’s own HA features (clustering and VRRP) and dynamic routing are included with IPSO, which can save you significant license fees if you require them both over using Check Point’s Secure Platform.

The IPv6 feature shows that Nokia has been an early innovator in IPv6 products with many Nokia engineers actively participating in writing the IPv6 RFCs — for example, Nokia engineer Bob Hinden has his name on 19 of the IPv6 RFCs.

One of the strangest experiences with the Nokia platform was when we tried to do antivirus scanning in a VLAN situation. It doesn’t work, and it’s documented not to work. For some unknown reason, this isn’t supported on the versions of IPSO and Check Point we tested.