Build Your Own NOC
Geminus writes "Ever wanted to build a cheap NOC but had difficulty explaining tech stuff to bean counting managers? Here's the basics on building one for under two grand. Makes for a pretty good dog-n-pony show, and proves useful too! Damn, I want to be an Armchair Network Operations Center General."
Speed kills computers. (Score:5, Funny)
Re:Speed kills computers. (Score:3, Informative)
btm
hmmm...4 comments and it's slashdotted? (Score:5, Funny)
There have been 4 comments so far and the story is already slashdotted!
Re:hmmm...4 comments and it's slashdotted? (Score:5, Funny)
Obviously the Armchair Network Operations Center Generals did not prepare a contingency plan for the slashdot effect...
Re:hmmm...4 comments and it's slashdotted? (Score:5, Funny)
Re:hmmm...4 comments and it's slashdotted? (Score:3, Funny)
Re:hmmm...4 comments and it's slashdotted? (Score:5, Funny)
Sigh! Remember people, it's make comments FIRST, then read the article!
coulda used this two years ago... (Score:5, Funny)
problem was, to sell your services as a NOC, you have to already have it built, which we didn't have...we had a bunch of fake looking tools, though...
where was this two years ago when I needed it...LOL
RB
Re:coulda used this two years ago... (Score:4, Insightful)
Re:coulda used this two years ago... (Score:2, Insightful)
NOC story for funding.
A while back the Commander of Cheyenne Mountain was taking a tour of the Pentagon NOC facilities. At one point of the tour the guide showed off a large board of lights, all pretty with labels, flashing and so forth. (Picture the Bat computer and you'll have a pretty good idea.)
Anyway the CO was so impressed by this that when he got back to Colorado he informed the network folk of this grea
Just add... (Score:5, Funny)
Re:Just add... (Score:3, Funny)
"Oops, sorry about that boss. That was a nasty zombie.... whaddya mean that was my raise paperwork????!!!"
psDooM? (Score:5, Informative)
Kind of like psDooM [sourceforge.net] (as seen on Slashdot [slashdot.org]), but at the network level? I'll betcha it could be done.
Slashdotted already (Score:4, Funny)
Nightmares. (Score:3, Insightful)
Just one minor change... (Score:5, Funny)
Change that to Slashdot, Kuro5hin, The Register, The Onion or something else. No CNN please.... if you have any sense of self-esteem, that is.
Re:Just one minor change... (Score:5, Funny)
Ok, fine. Make that Fox News then.
*runs for cover*
Re:Just one minor change... (Score:3, Insightful)
Peterson Case
Fox News Alert
Jackson Case
Fox News Alert
Toby Case
Fox News Alert
More Mindless crap.
And this is coming from someone who in the past bought dish network so I could watch fox news. But that is before it turned into all trash, all the time.
Re:Just one minor change... (Score:2)
God does that station play the same annoying commercials all the time, it was horrible. However, CNN generated so many political arguments that work used to fly by. Seeing 9/11 happen live was quite scary. Nothing got done for quite a while after that, as CNN was t
The article. (Score:5, Informative)
How to build a cheap Security NOC
William M. Nett
The Network Operations Center or NOC is the cornerstone of all computer networks. I've worked at AT&T's NOC, been around Government NOCs and seen small scaled versions. Most look like something out of the movie, "WarGames" and surprisingly, whether you're a Linux or Windows fan you can build one for cheap and be your own armchair NOC General.
What does a NOC do? It monitors connections, network activity, spots problems, conducts threat assessments, and calculates scalability requirements with customer demands... it also puts on a pretty good "dog-n-pony" show for potential investors and customers.
What's required? Again, surprisingly not too much! Depending on the size of your company, this can be achieved with as little as an 8' X 10' room, and 4 computers. Trust me, you more than likely do not need a $15,000 Cisco PIX or Nokia firewall (which runs Linux derivatives).
You'll need at least three big monitors (the bigger the better), two smaller ones (17"), a KVM switch, and OOB dialup. Here's the loadout:
1. Firewall: Get a copy of IPCOP... it's Smoothwall on steroids and very easy to configure. It has a built-in Intrusion Detection System, proxy logging, and you can use Coyote Linux as a failover if you think you are being attacked. This package uses a web interface, so there's no need for a monitor, keyboard, or mouse. These software elements are also free. Minimum requirements are a 333MHz system with 64MB of RAM and a 2.1GB hard drive.
2. Network Monitoring: Download a copy of F.I.R.E. and run it on a barebones 600MHz system. Configure and open Etherape on a monitor for an Air Traffic Controller's view of your network activity... bean counters love this. If you're being attacked or infected, you will quickly see where it's coming from. You should also use a receive-only sniffer cable on this box to protect integrity... a receive-only box has a zero chance of infection as it's physically impossible.
3. Got wireless? Download and run Airsnare with a semi hyped-up wireless antenna, and you'll quickly spot any war-drivers or unauthorized network connections. If you have an old directional motorized TV antenna system lying around you can go uber-elite and connect a cheap phased array panel antenna or cantenna to locate your wireless intruder with NetStumbler. This can all equally run on a 333MHz Windows-based system.
4. Workstation: Here's the beef... a 1.2GHz, 512MB, 20GB computer, with a dual-head Matrox card, with a dual-booting OS (Linux & Windows), preferably Linux with a Windows VMWARE guest OS. Trust me, once you go dual-head, you won't go back. The best Linux dual-head OS is SuSE 8.3. Tie this into the KVM to modify any of your servers.
5. Red Phone... after all, who doesn't want one? You're Batman, right?
Your first monitor should be watching CNN or the Weather Channel (depending on location), the second should be running Etherape, and the third should be running Airsnare or Windows service monitors (CPU, net load, etc.). All of the software here except Windows is free, and easy to configure... except maybe your General's chair. In the end, aside from having your own WOPR, you have a NOC for just under $2,000.00.
William M. Nett
Links:
http://www.ipcop.org
http://www.coyotelinux.com
http://prdownloads.sourceforge.net/biatchux/fire-0
http://etherape.sourceforge.net/images/v0.5.5.png (an Etherape screenshot)
http://www.netstumbler.com
http://home.comcast.net/~jay.deboer/airsnare/download.htm
All rights reserved TheNetworkAdministrator.com
Re:The article. (Score:5, Informative)
Am I the only one that balks at this statement? Maybe I am missing something but it does seem that even with rx-only you could be infected, just not by any connection oriented protocols? (Or maybe even still if some really strange bug crops up).
Or am I just missing something...
Re:The article. (Score:5, Insightful)
Vulnerability of receive-only (Score:5, Informative)
There are some vulnerabilities for passive monitoring also. A search of the CERT [cert.org] database for snort or tcpdump gives you the following list:
A listen-only box gives you some protection but it cannot be the only protection for your traffic recorder.
Re:Vulnerability of receive-only (Score:2)
Re:Vulnerability of receive-only (Score:4, Insightful)
all of which will set off lots of NOC alarms before you even get to the machine.
Re:The article. (Score:2, Insightful)
Re:The article. (Score:5, Interesting)
The idea is that whatever goes on out there will be logged/dumped, but never executed/analyzed, on this machine. And since it has no IP, it does not show and cannot be addressed. So if you have an intrusion, this machine is uncontactable, but still will hold all network traffic for you to analyze later.
Kind of like making
bash# ln -s
Pretty hard to clear up the trace now, huh ?
Re:The article. (Score:3, Informative)
Wrong. Go look up the RPC pre-processing and stream4 vulnerabilities in Snort. I will also add that a very common way to configure a network sensor is to have one administration interface on an internal trusted network and the other passive listen-only interface without the IP on the dirty network. With the snort vulnerabilities your machine could become infected and used to reach your intern
Re:The article. (Score:5, Informative)
bash# ln -s
If I may nitpick
syslog is a wonderfully flexible facility.
Re:The article. (Score:2)
Snort had such a bug once or twice within the last year that allowed a remote attacker to execute code as the user snort runs as (usually people run it as root) just by having the sensor listen to the traffic. Quite spiffy.
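The receive-only debate above comes down to one point: a box with no IP address still feeds untrusted bytes into a parser, and that parser usually runs as root. Added example (written for this page, not code from the thread or from any of the tools it names) of the two mitigations the posters describe: bind the raw socket, then drop root before a single packet is parsed, and check every header field against the bytes actually captured rather than the lengths the packet claims. It assumes Linux (AF_PACKET), a hypothetical interface name on the command line, and a constructed sample frame for offline use.

```python
"""Passive sensor hardening: IP-less capture, drop root before parsing, bounds-check headers."""
import os
import pwd
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_HDR_LEN = 14
IPV4_MIN_HDR = 20
ETHERTYPE_IPV4 = 0x0800
ETH_P_ALL = 0x0003  # Linux: receive every ethertype on the bound interface


class MalformedPacket(ValueError):
    """Raised instead of reading past the buffer; the capture loop logs it and carries on."""


@dataclass
class Summary:
    src: str
    dst: str
    proto: int
    payload_len: int


def parse_frame(frame: bytes) -> Optional[Summary]:
    """Summarise an Ethernet/IPv4 frame; None for other ethertypes.

    Every length is validated against len(frame), never trusted from the packet alone:
    header-length fields that point past the buffer are exactly the class of bug the
    thread mentions in sniffer preprocessors.
    """
    if len(frame) < ETH_HDR_LEN:
        raise MalformedPacket("frame shorter than Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < IPV4_MIN_HDR:
        raise MalformedPacket("truncated IPv4 header")
    if ip[0] >> 4 != 4:
        raise MalformedPacket("version field is not 4")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < IPV4_MIN_HDR or ihl > len(ip):
        raise MalformedPacket("IHL points past end of captured bytes")
    if total_len < ihl or total_len > len(ip):
        raise MalformedPacket("total length inconsistent with captured bytes")
    return Summary(socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                   ip[9], total_len - ihl)


def summarise(frames) -> List[Summary]:
    """Run the parser over any iterable of frames; a bad frame is skipped, never fatal."""
    out = []
    for frame in frames:
        try:
            s = parse_frame(frame)
        except MalformedPacket:
            continue  # a real sensor logs the rejection; it must neither crash nor act on it
        if s is not None:
            out.append(s)
    return out


def build_sample_frame(payload: bytes, proto: int = 17, ihl_words: int = 5) -> bytes:
    """Constructed sample frame 10.0.0.1 -> 10.0.0.2 (checksum left zero; the sensor ignores it)."""
    eth = b"\x00" * 6 + b"\x00\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytes([0x40 | ihl_words, 0]) + struct.pack("!H", IPV4_MIN_HDR + len(payload))
    ip += b"\x00\x00\x40\x00\x40" + bytes([proto]) + b"\x00\x00"  # id, flags, TTL, proto, csum
    ip += socket.inet_aton("10.0.0.1") + socket.inet_aton("10.0.0.2")
    return eth + ip + payload


def drop_privileges(user: str = "nobody") -> None:
    """Called right after the raw socket is bound, so the parser never runs as root."""
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def capture(iface: str, count: int):
    """Yield raw frames from an interface that carries no IP address (root needed only to bind)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    drop_privileges()
    for _ in range(count):
        yield sock.recv(65535)


if __name__ == "__main__":
    import sys
    for s in summarise(capture(sys.argv[1], 100)):  # hypothetical interface, e.g. "eth1"
        print(s)
```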
This article sucks (Score:5, Informative)
Most of the information is more than obvious to anyone interested in running a NOC (incidentally, left out of the Slashdot story is that this is a *Security* NOC).
I've seen random Slashdot posts that would be a lot more useful to someone interested in building a NOC than this thing.
That being said, my own two cents:
If you're using SNMP to manage your network, snmpwalk+scripts is good. If you can stomach not using open source software, Intermapper [intermapper.com] is really nice. Unfortunately, the two big open source competitors don't quite measure up -- Scotty [utwente.nl] is kind of old and grotty and rather TCL-oriented, and GxSNMP [gxsnmp.org] appears to be dead.
Etherape, as suggested in the article, isn't the greatest choice either...IIRC, it doesn't support satellites, which means it needs to be running on the actual network it's monitoring. Not really acceptable for a NOC tool. Etherape is also, in my experience, rather CPU-hungry. There are a lot of commercial traffic flow visualization tools...not sure what's best, as I haven't played with many.
All in all, while the article's worthy of a post in a random discussion, it really isn't worthy of a Slashdot story.
Re:This article sucks (Score:4, Funny)
Then your standards are too high... or you must be new here. In that case, welcome to Slashdot! (Some of us regulars here call it "/.")
Re:The article. (Score:4, Funny)
Of course, then you can say stuff like "Get the Pentagon on the horn!" while smoking a stogie
Re:The article. (Score:2, Funny)
Re:The article. (Score:3, Interesting)
Lol, u can't find wardrivers if they have their transmitters turned off.
lmao...
NOC (Score:5, Informative)
A NOC is a Network Operations Center. It is one room, typically filled with many displays of real-time data which display the health/status of a network.
The scary thing is.... (Score:5, Interesting)
Hard to justify higher costs when your proof of concept is some webpage discovered by your boss, we've all been there.
Re:The scary thing is.... (Score:2)
"Trust me, you more than likely do not need a $15,000 Cisco PIX or Nokia firewall (which runs Linux derivatives)."
what if your boss/manager saw this and decided this is all you needed for your budget?
You will quickly find out if you need a hardware firewall or not.
Re:The scary thing is.... (Score:2)
Of course, with the limited use of the tools mentioned, I'd hardly say that a hardware firewall appropriate for this "NOC" would cost $15,000. Try a $600 PIX 501, if you must have a PIX.
SuSe Linux 8.3 (Score:5, Informative)
1. SuSe 8.3 does not exist, it's in fact either 8.2 or 9.0.
2. There is currently no dual head driver for the Matrox Parhelia. Older Matrox video cards have a dual head driver, but they don't work anymore with "recent" motherboards since the motherboard voltage changed from 3.5 to 5 volts. And yes, 1.2 GHz-era computers are affected by this voltage change.
3. VMware will be too slow with this configuration to do something really useful. Especially with dual heading.
4. This article is either a fake or a troll.
Re:SuSe Linux 8.3 (Score:5, Informative)
Actually, I agree this article is skimpy on the meat and is pretty much useless and filled with factual errors. However, I'd like to respond to your post.
2. There is currently no dual head driver for the Matrox Parhelia.
This is of course bullcrock. Matrox does have a driver for the Parhelia based cards which supports, amongst other things, dualhead configurations (and even triple head! Yes, on Linux). The second head is not accelerated however, so it might be a bit on the slow side.
3. VMware will be too slow with this configuration to do something really useful. Especially with dual heading.
Oh please. Dual heads do not noticeably affect the speed of the computer they're running on. Plus, I've run Windows installations within VMware on a P2-333 with a Linux host, all running at very good speeds and using only 288 megs of RAM (2x128 + 1x32). At work, we have a workstation that's a P3-1.0GHz and it runs 2 VMware sessions with Windows 2000 Server for tests, on a Linux host busy running most of our NOC tools. This is all nice and dandy and running along smoothly.
4. This article is either a fake or a troll.
Actually, it's not fake since it's posted there and I don't believe it's a troll since you can see a basis for something in there. It's just very badly researched and probably has never been tested in real life. This guy needs to do a lot more trials and research before he has a fully functioning NOC capable of monitoring more than the coffee machine.
For a real opensource NOC (Score:5, Interesting)
1. A good network management system (Open-NMS)
2. A good systems monitoring system (MRTG+RRD Tool)
3. A good helpdesk software to follow trouble tickets.
Re:For a real opensource NOC (Score:5, Insightful)
Some people might find this puzzling, but the best NOC systems I've used on tight budgets were homegrown applications, usually after trying out and discovering the deficiencies of the open source tools. It isn't that hard to write a good NMS, but once someone rolls their own good one in-house, it rarely gets released into the wild. For that matter, many of the commercial packages are steaming piles, so if you have a talented programmer or two on staff, you can add value to your company by just writing your own NMS and not waste time with mediocre packages.
This is one of those things that SOMEONE could do well in the open source domain, but I haven't seen it. When someone hacks together the foundation of a really slick NMS at some company that needs it, it inevitably becomes a competitive asset and therefore cloistered in the bowels of engineering. Having a killer NMS is a significant competitive advantage, and the field is populated with enough mediocre solutions right now that there is significant financial pressure to keep NMS code bases proprietary.
No thank you! (Score:2)
Now that I doubt.
Just in the last year, I've had to introduce 3 differe
Re:For a real opensource NOC (Score:2)
My NOC is 66 square feet,3TB of traffic (Score:5, Interesting)
Re:My NOC is 66 square feet,3TB of traffic (Score:3, Informative)
It is very simple mathematics, and a bit has to be known before actually trying the first time (that little is that you know you can try it out :D).
Anyways, when everyone else offers server hotel services for 150e/month minimum, this is being 1:10 shared 10mbps half-duplex con, sharing based on 'best-effort'(no qossing even oO;), with a max of 5ips... and at MAX nameserver usage for _1_ domain.
Well, with simple arrangements, i managed to cut the price to half, plus increase the bw per user (1:7
Mirror (Score:5, Informative)
Re:Mirror (Score:2)
My NOC is my PowerBook. (Score:3, Insightful)
It just isn't necessary, anymore.
Re:My NOC is my PowerBook. (Score:4, Insightful)
If you're talking about corporate networks, you're probably right. But if you're talking about hosting companies, ISPs, companies that host their own critical infrastructure (like those you listed above), then the NOC, in some form or another, makes sense, doesn't it?
Re:My NOC is my PowerBook. (Score:2)
24 days per month, 7 hours per day, 265 days per year is pricey? That is good reliability in an all micro$oft environment
the AC
NOC's Have a Purpose (Score:4, Informative)
There is NO way a laptop can replace a NOC in such a case. You need a centralized area where everything is monitored. As for remote administration, it's always been pretty decent with Unix (and in our case it's linux mostly) but that just helps the NOC become more useful for us.
Please hook me up with your vendor! (Score:5, Interesting)
The article calls for:
1) At least three big monitors (the bigger the better), two smaller ones (17"), a KVM switch, and OOB dialup.
2) A 333Mhz system with 64MB of RAM and a 2.1GB Hard-Drive.
3) A barebones 600 Mhz system
4) A 333Mhz Windows based system.
5) A 1.2Ghz, 512MB, 20GB computer, with dual head Matrox card, with dual booting OS (Linux & Windows), Preferably Linux with a Windows VMWARE guest OS
All the above for under $2000.00? Can we also assume that the author works for free, so that setup cost is $0.00? I haven't priced VMWARE in a long time, but if memory serves, that should be near or over the 2K mark by itself. Perhaps the author meant under $20,000.00? What am I missing here folks?
Re:Please hook me up with your vendor! (Score:5, Informative)
You need to refresh your DRAM. VMware Workstation 4 costs $299 from vmware.com. The rest of the stuff can be had for free, more or less. 17" monitors are $100 a pop new (CRT, that is), the 1.2GHz box can be built new for around $200 (1300 Duron, 256MB RAM, 40GB disk) and the rest of them are dumpster-diving fodder. The only things in his list that actually may cost Real Money (TM) are the big screens, but you can get old 24" Sun monitors on eBay for a song and maybe a little dance and then you just need to get/make a VGA-Sun adapter to be in business.
Re:Please hook me up with your vendor! (Score:3, Informative)
Maybe not, but that's what I pay (in parts, not counting time of course) in Sweden. The Duron is $30, 40GB Seagate Cuda $50, box (Q-Tec smiley) $20, RAM $30, an Asus MX all-in-one mobo for $40 and with floppy, CD, rat, keyboard and cables for another $30 you're home. Or, if you don't want to build one yourself, go to Walmart [walmart.com] - they have several sub-$200 models, with or without Lindows, hell they even have one for a few dimes under $160 [walmart.com] (no harddrive in that puppy, but I bet it
Re:Please hook me up with your vendor! (Score:5, Interesting)
Most of what he calls for can usually be gleaned from the office "PC Bone Yard". The most expensive item is the big dual head computer with associated software. Getting it all for under $2K would be a challenge, but not impossible. As for working for free - he set this up for his employer (An assumption - I'll RTFA when it's not
Slipping stuff you need in under the corporate radar is easily done with FOSS. When setting up a NOC, if you spread any purchases you need out a bit, most of them will be cheap enough that they can be bought on an expense account or with petty cash - you avoid Budget Committees and/or the Accounting Dept. Call it a "Test Case", and use it to prove that a NOC is a good investment, not just some toy or geeky buzzword. Being able to have concrete numbers that say "See? My NOC isn't really expensive, but it adds a ton of value." will keep the bean counters happy. Once the NOC is in place and you show it has value, you will get to keep it - and sometimes expand it.
This is one of the ways that FOSS shines - you can (most times) just get the job done without getting caught up in corporate red tape, since the initial capital outlay is usually minimal.
Soko
Re:Please hook me up with your vendor! (Score:2)
Soko
Re:Please hook me up with your vendor! (Score:3, Funny)
Re:Please hook me up with your vendor! (Score:2)
Re:Please hook me up with your vendor! (Score:2)
Basement NOCs - They're the Future! (Score:4, Funny)
Basement [Museums] - They're the Future! (Score:2, Funny)
Re:And furthermore... (Score:4, Informative)
Quick explanation for the shot. It's a stitched-together panorama shot, using software. It didn't come out like I'd like it to, so I will obviously have to retake it at some point. There are two Lisas; there's an artifact of the one Lisa looking like two. If you look around it, the shelf blends as well.
Other machines in there that might not be obvious: Vic-20s, C-64s, Apple IIc, Apple IIs (5), Macintosh SE (painted cow colors), Sun Ultra 2, Amiga 500s (3), Commodore PET (my first computer, given to me by dad when I was 9), Atari 800, and a metric ton of PC Compatibles. Oh, and a Microwave.
As for the tree, my home is about 110 years old, and they used actual tree trunks for supporting beams. Multiple inspectors say they're as good or better than other choices for supports, so they stay. I like them, and they're great conversation pieces.
Re:And furthermore... (Score:2)
I got an unresolved hostname from your link. Added "www" and connected.
Re:Basement NOCs - They're the Future! (Score:3, Funny)
Re:Basement NOCs - They're the Future! (Score:3, Informative)
Even though this thr
WTF? (Score:2, Interesting)
WTF has Dual-Head support to do with the distribution?
Re:WTF? (Score:2, Insightful)
t
For those with a higher budget (Score:2)
Glaring omission! (Score:4, Funny)
Re:Glaring omission! (Score:2)
- You can't let any Russians into the room to view it.
"But he'll see the big board!"
For those of you wondering about "F.I.R.E" (Score:5, Informative)
The Christmas tree (Score:5, Interesting)
But onto my point.
Biggest thing about a NOC is you need to see the alarm; other than taking action, missing an alarm is the worst design flaw. Filter, page, auto-ticket: there are many things a professional NOC can lend some experience on in design. Not everything has to cost; in fact a lot of open source software works great. (Big Brother anyone?)
BTW, windows and vmware? Pfft.. Worst thing you want is a crash in the middle of working, Solaris and xterms. Eye-candy is the worst thing to get in the way of working outages.
Humm, also a good ticketing system is important, if you want to page out someone, you need to have enough detail for the person to do their job.
Oh yea, give me an Aeron [google.com] Chair also. I know, its
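The post above names the three things an alarm path has to do: filter the noise, page on what matters, and open a ticket that carries enough detail for whoever gets woken up. Added example (written for this page, not from the thread or from Snort) of that pipeline run over constructed syslog-style alert lines; the line format only approximates Snort's syslog output, the rule SIDs 999000x are placeholders, and the timestamps are supplied alongside each line.

```python
"""Alarm handling for a small NOC: filter, deduplicate, then page or auto-ticket."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Approximates a Snort-style syslog alert: [gid:sid:rev] msg [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


@dataclass
class Alert:
    ts: int          # seconds since epoch, supplied with the line (constructed)
    sid: str
    msg: str
    prio: int        # 1 is most severe
    proto: str
    src: str
    dst: str


def parse_alert(ts: int, line: str) -> Optional[Alert]:
    """Pull out the fields an operator needs; None if the line is not an IDS alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return Alert(ts, m["sid"], m["msg"], int(m["prio"]), m["proto"], m["src"], m["dst"])


@dataclass
class Ticket:
    action: str      # "page": wake someone now; "ticket": queue for the next shift
    first_seen: int
    last_seen: int
    count: int
    detail: str      # everything needed to start work without logging into the sensor


class AlarmPipeline:
    def __init__(self, page_prio: int = 1, ignore_prio: int = 3, window: int = 300):
        self.page_prio, self.ignore_prio, self.window = page_prio, ignore_prio, window
        self.tickets: Dict[Tuple[str, str, str], Ticket] = {}
        self.actions: List[str] = []   # one entry per input line, for audit

    def handle(self, alert: Alert) -> str:
        if alert.prio >= self.ignore_prio:
            action = "drop"            # filter: noise stays in the log, never reaches a pager
        else:
            key = (alert.sid, alert.src, alert.dst)
            open_t = self.tickets.get(key)
            if open_t and alert.ts - open_t.last_seen <= self.window:
                open_t.count += 1      # same event repeating: count it, do not re-page
                open_t.last_seen = alert.ts
                action = "dedup"
            else:
                action = "page" if alert.prio <= self.page_prio else "ticket"
                detail = (f"{alert.msg} (sid {alert.sid}) {alert.proto} "
                          f"{alert.src} -> {alert.dst} first seen t={alert.ts}")
                self.tickets[key] = Ticket(action, alert.ts, alert.ts, 1, detail)
        self.actions.append(action)
        return action


def process_lines(lines: List[Tuple[int, str]]) -> AlarmPipeline:
    pipe = AlarmPipeline()
    for ts, line in lines:
        alert = parse_alert(ts, line)
        if alert is None:
            pipe.actions.append("unparsed")   # a non-alert line must not silently vanish
            continue
        pipe.handle(alert)
    return pipe


# Constructed sample input: (timestamp, syslog line); SIDs 999000x are placeholders.
SAMPLE_LINES = [
    (1000, "sensor snort[1234]: [1:9990001:1] MS-SQL Worm propagation attempt "
           "[Priority: 1] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434"),
    (1010, "sensor snort[1234]: [1:9990001:1] MS-SQL Worm propagation attempt "
           "[Priority: 1] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434"),
    (1020, "sensor snort[1234]: [1:9990002:1] WEB-MISC suspicious probe "
           "[Priority: 2] {TCP} 10.0.0.7:40000 -> 10.0.0.9:80"),
    (1030, "sensor snort[1234]: [1:9990003:1] ICMP PING [Priority: 3] {ICMP} 10.0.0.8 -> 10.0.0.9"),
    (1400, "sensor snort[1234]: [1:9990001:1] MS-SQL Worm propagation attempt "
           "[Priority: 1] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434"),
    (1410, "sensor sshd[77]: Accepted publickey for ops from 10.0.0.2"),
]

if __name__ == "__main__":
    for action, (_, line) in zip(process_lines(SAMPLE_LINES).actions, SAMPLE_LINES):
        print(f"{action:8} {line}")
```

The fifth line re-pages because it arrives outside the 300-second window; shrink the window and it is deduplicated instead.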
Akamai NOC Tour (Score:3, Interesting)
Pictures of Akamai's NOC also were in the Wired article about the Slammer Virus a few months ago.
Re:Akamai NOC Tour (Score:3, Informative)
Akamai NOC tour [akamai.com]
Wired article about Akamai's 'gods-eye' view of the Slammer virus [wired.com]
You really don't want to work there... (Score:3, Interesting)
Essentially the job is: Stare at network map, wait for thingys to blink, make calls.
Yalla.
Dual-headed video (Score:5, Interesting)
In the same vein, nVidia included a really nice feature in their latest drivers (I think it's been around since the 4x.xx series, but it wasn't as refined) that lets you "throw" a window. Pure genius, whoever invented that. With 2048 pixels of desktop space, it actually takes over an entire mousepad to move a window across the desktop. With throwing, I just flick my mouse. If I have a few IM windows open, a few Putty terminals, etc etc, it's great to just get stuff out of the way real fast and put it all into a known area.
NOC (Score:2, Funny)
or
as in Network operations center [acronymfinder.com]
please say no to unexplained acronyms (Score:5, Insightful)
Nagios... (Score:4, Informative)
Retro-NOC (Score:2)
The SFFD fire dispatching center used to look like that. Now it's just a roomful of PCs.
Worthless article.. (Score:5, Interesting)
I could just as easily post an article saying 'Get *4* tires, *2* axles, an engine, and a few other things. Toss them all together, and you just made your own CAR!!'
I mean cripes. It's not talking about ANYTHING besides 'buy cheap puters and put neat graphics up'.
I've had bosses that could have written this article.. Heck, I bet they did. 'Whatcha want a Fluke for? I mean, we BUILT you a NOC for a grand!!' Bear in mind, the 'NOC' was a closet with two monitors I salvaged..
I dunno, perhaps I'm just getting old but..
I feel like I just wasted a good minute of my life reading that..
Find me this article instead. (Score:2, Funny)
You can probably get it under a grand (Score:2, Insightful)
Forgot the most important things (Score:5, Funny)
There's something missing (Score:3, Funny)
What's the point of being Napoleon and BOFH of your own NOC if you don't have lusers to abuse? I think I might have an answer, however.
Tapping the vast pool of cheap out-of-work IT workers, LUSERS'R'US can provide a simulated load of lusers on your network -- Even with an adjustable rate of phone calls with silly-assed questions and problems for home NOC commanders to deal with.
If you want to be a real BOFH, you can't reign in hell without some damned souls to boss around. You need us. You need LUSERS'R'US!
This article is great... (Score:4, Insightful)
Author should mention either hopping on eBay and getting a used rackmount UPS or building a battery backup yourself using car batteries. As crude as it sounds, if you have the space (a separate room) you can build a huge battery backup system for (relatively) next to nothing and be able to simply add more batteries for longer uptime, etc.
CNN (Score:5, Interesting)
ummm (Score:3, Funny)
where's the fun in that? (Score:3, Funny)
Re:NOC???? (Score:3, Informative)
Re:NOC???? (Score:2, Funny)
(outside IT that is)
Re:WOPR (Score:2, Informative)
from the movie War Games
Re:WOPR (Score:5, Informative)
You know, the movie that made it absolutely *impossible* to get a dial-up into any BBS in the country for about 3 weeks after the movie came out...
Then again, I've been hacking around since about '76, so maybe I'm just showing my age...
Re:WOPR (Score:2, Informative)
Considering the earlier reference in the article to WarGames, I think it's safe to say they are using WOPR to mean "War Operations Plan and Response".
Re:WOPR (Score:5, Funny)
You can turn in your Geek ID on the way out, as you won't have any further need for it. The geek that has not seen WarGames [imdb.com] is not the true geek.
Re:WOPR (Score:4, Funny)
"WOPR, large Fries"
Secret password (Score:2)
Re:That was fast (Score:2)
It's like that cult who used to sell instructions on how to make your own UFO for $1000. Sure you can build something that you can call a NOC for $2000. But it won't be capable of running anything of importance. A slashdotting is pretty low on the scale of DDoS attacks.
A NOC is in large part a stage set. The purpose is to impress the customer. You are not going to be able to convince anyone that you are protecting important informat