
SPLAT – Nokia Appliances IP / IPSO Security Configuration Standards

April 27, 2013

Purpose

This document will provide standards for the configuration of Nokia IP Security Appliances.  These standards will provide continuity across the enterprise for all Nokia Appliances.

Background

Nokia IP Security Appliances are purpose-built security devices, deployed at strategic locations throughout Corporate Security to run Check Point Firewall-1. These appliances run a hardened operating system called IPSO, which is a derivative of FreeBSD Unix. It is important to note that some configurations will be device dependent due to differences between the Nokia models.

Interface Configuration

Each configured interface will:

  • Have Link Speed and Duplex Hardcoded
  • Have Autoadvertise and Flow Control disabled

Each interface that is not configured will:

  • Be disabled in the physical and logical configurations

ARP

Static ARP configurations will be network design dependent.

Transparent Mode/Link Aggregation/FWVPN Tunnels

  • Not Configured

System Configuration

DHCP/DNS

  • Not Configured

Disk Mirroring

Device Dependent: Disk-based systems with two hard drives will have disk mirroring configured.

Optional Disk

Device Dependent: Flash-based systems which are purchased with a hard drive will be configured in Hybrid mode with the Optional Disk parameter.

System Failure Notification/Mail Relay

  • Not Configured

Time

  • All Corporate Security devices are set to GMT

Host Address

The Host Address will be set to the Management interface of the firewall.

System Logging

Network Logging:

  • Set to On
  • Primary Log Server: XXX.XXX.XXX.XXX
  • Threshold 0%

Local Logging

  • Set to Off
  • Flush Frequency: 4 Hours

System Configuration Audit Logs

  • Logging of Transient and Permanent Changes

System Voyager Audit Logs

  • Enabled

Core Dump Server

  • Not Configured

Hostname

The Hostname is configured as part of the initial setup and should not be changed.

Configuration Sets

Left to default configuration of “initial”

Job Scheduler

A cron job called Delete_Old_Backups is set to run on the 6th day of each week at 23:00.

Backup/Restore

A backup of the default directories, /config and /var/cron, is set to run on the 6th day of each week at 23:15.

Images

  • Only one IPSO image will be kept on the system

Packages

  • Only the Check Point and CPInfo packages will be Enabled

AAA

Authentication of users will be facilitated by the following RADIUS servers:

  • XXX.XXX.XXX.XXX

SNMP

SNMP v1/v2/v3

Read Only Community String: U4Ria$a

  • Trap Receiver: XXX.XXX.XXX.XXX

Trap Community String: $Shadow!r3m0N

Traps:

  • Enable linkUp/linkDown traps
  • Enable systemTrapConfigurationChange traps
  • Enable systemTrapConfigurationFileChange traps
  • Enable systemTrapConfigurationSaveChange traps
  • Enable systemTrapNoDiskSpace traps
  • Enable systemTrapDiskFailure traps
  • Enable vrrpTrapNewMaster traps
  • Enable systemFanFailure traps
  • Enable systemOverTemperature traps
  • Enable Authorization traps

High availability

VRRP

VRRP will be configured using Legacy Mode.

  • Accept Connections to VRRP IPs: Enabled
  • Monitor Firewall State: Enabled
  • Each Clustered Interface will be set as a Monitored Circuit
  • Priority: 100 on the Primary and 95 on the Secondary
  • Hello Interval 1
  • VMAC Mode: VRRP
  • Preempt Mode: Enabled
  • Each Cluster Interface will be monitored by all other Cluster Interfaces
  • Priority Delta 10
  • Auto-deactivation: Disabled
  • Authentication: Simple
  • Password:  Firewall Name.Interface Name
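The VRRP settings above only fail over correctly because the priority delta (10) is larger than the gap between the primary and secondary priorities (100 and 95): a single monitored-circuit failure on the primary must drop its effective priority below a healthy secondary, and preempt mode then hands mastership back once the circuit recovers. The following is an added worked model of that election, not code from the original document or from Nokia; it assumes a simplified rule in which each failed monitored circuit subtracts the priority delta once, ignores VRRP's address-based tie-breaking, and uses constructed firewall and interface names.

```python
from dataclasses import dataclass, field

# Values taken from the VRRP standard above
PRIORITY_PRIMARY = 100
PRIORITY_SECONDARY = 95
PRIORITY_DELTA = 10


@dataclass
class VrrpMember:
    name: str
    base_priority: int
    # Monitored circuits: interface name -> link is up. Every clustered
    # interface is monitored by all others, so a failure anywhere counts.
    circuits: dict = field(default_factory=dict)

    def failed_circuits(self) -> int:
        return sum(1 for up in self.circuits.values() if not up)

    def effective_priority(self, delta: int = PRIORITY_DELTA) -> int:
        # Assumed simplification (not from the page): each failed
        # monitored circuit subtracts the priority delta once.
        return max(self.base_priority - delta * self.failed_circuits(), 0)


def elect_master(members, delta: int = PRIORITY_DELTA) -> str:
    # Highest effective priority wins. Preempt is enabled in the standard,
    # so a recovered higher-priority member takes the role back.
    return max(members, key=lambda m: m.effective_priority(delta)).name


def delta_forces_failover(primary: int, secondary: int, delta: int) -> bool:
    # One lost circuit on the primary must leave it below a healthy secondary.
    return primary - delta < secondary


def build_cluster():
    # Constructed sample cluster: two members, two clustered interfaces each.
    primary = VrrpMember("fw-a", PRIORITY_PRIMARY, {"eth1": True, "eth2": True})
    secondary = VrrpMember("fw-b", PRIORITY_SECONDARY, {"eth1": True, "eth2": True})
    return primary, secondary


def run_scenario(delta: int = PRIORITY_DELTA):
    """Walk one failure/recovery cycle and record who is master at each step."""
    primary, secondary = build_cluster()
    members = [primary, secondary]
    steps = [("all circuits up", elect_master(members, delta))]
    primary.circuits["eth2"] = False   # a monitored link on fw-a drops
    steps.append(("fw-a eth2 down", elect_master(members, delta)))
    primary.circuits["eth2"] = True    # link recovers; preempt returns mastership
    steps.append(("fw-a eth2 restored", elect_master(members, delta)))
    return steps


if __name__ == "__main__":
    for desc, master in run_scenario():
        print(f"{desc:22s} -> master {master}")
    print("delta 10 forces failover:", delta_forces_failover(100, 95, 10))
    print("delta 4 forces failover: ", delta_forces_failover(100, 95, 4))
```

Running the scenario with the standard's delta of 10 moves mastership to fw-b when fw-a loses a circuit and back to fw-a when it recovers; rerunning it with a delta of 4 leaves fw-a master at 96 against 95, which is the misconfiguration the check in `delta_forces_failover` is meant to catch before a cluster goes into service.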

Security And access

Users

The Following Accounts will be created on each Firewall

  • Fwbackup (Used to pull System Backup files)
  • User1
  • User2
  • User3
  • User4 – 8

Network Access and Services

  • The only Network Access that is enabled is “Allow Admin Network Login”
  • All Services are Disabled

Voyager Web Access

  • Voyager Web Access is set to “Require 128 Bit Encryption or Higher”
  • Encryption uses a self-signed 1024-bit X.509 certificate

SSH

  • SSH is enabled to allow SSH v2 only

Routing

  • All Routing configuration will be network design dependent.

Traffic Management

  • Not Configured

Router Services

  • Router Services will be network design dependent

NTP

NTP Masters are:

  • XXX.XXX.XXX.XXX
  • XXX.XXX.XXX.XXX

www.bestitdocuments.com