Slashdot Mirror

See my subject & this link: No denying it /https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785b [slashdot.org] & it's FAR from a complete list (even though it shows 100's of router security + inefficiency issues).

Your argument is so old and tired I get a /. 404 error, seriously I do. That said anyone who is using the factory provided firmware on a consumer router/firewall is dumb. OpenWRT or DDWRT are much better choices that offer better security and better options. Or if you prefer go and drop pfSense on some "powerful" but inexpensive hardware. As you will have a device like these between your computer and the internet I don't see how an argument about cost is an issue as you have your modem connected to the internet (DSL or Cable) and then either a router or firewall that your other gear sits behind. Depending on what hardware you have and layout your setup behind the router or firewall will vary greatly. * LMAO - again, that's you "networking menials" (that can't program their OWN solutions because you're limited) to a tee

Not a millennial (I assume that it what you meant) by a long shot I do actually program and have through my employer contributed to a number of open source projects. You may have heard of a few of them.

WRONG! I don't understand "layered-security"/"defense-in-depth"? I wrote guides on it that even GOT ME PAID https://www.google.com/search?... [google.com]

Guess what I have contributed to guides on securing systems and am paid by my employer to do so when new versions and updates are sought. The difference is that what I have contributed to are respected and well known.

Also it looks like you are a bit to copy/paste happy as I see you are getting frustrated and double posting (see above and below). You really should look into getting treatment for your ails as something does appear to be wrong.

I would argue that they are doing this in the best interests of us, not shitting on us. I for one am glad to see the old maintainers go. They have not been very supportive of us (the community). They constantly had a god-like attitude and seldom helped if anyone had run into an issue. The only people that ever seemed to help were the Nagios company employees. Here is the other side of the fence: http://www.nagios.org/news/77-news-announcements/367-nagios-plugin-team-changes

Did you see this? Sure seems to explain things. Sounds to me like you just have some personal issues with them? http://www.nagios.org/news/77-news-announcements/367-nagios-plugin-team-changes

OP should check http://www.nagios.org/ now. It's up.

I've seen dozens of methods at different companies, but I've only ever seen one that works and it works really well. Many of the top ISP's use a variant of it.

Let the network self document.

What does that mean? Well, typically it means some discipline in how descriptions are written. For instance ISP's will use a standard customer identifier on all ports. An enterprise might just use hostname. From there, tools like Rancid can poll router and switch configs, store them in a version control system, and mail out changes to the entire staff. Rancid is great to use, because it reduces the human work load down to entering a single line for each device (name and OS type), and making sure that the device accepts logins.

Now that all the configs are archived and you have the one true list of devices it's trivial to take that list of devices and feed it to other tools. One of the first might be NetDisco which probes the devices with SNMP and builds adjacency tables, tracks MAC addresses, and so on. From it's database you should be able to locate anything on the network in seconds.

Now that there is a complete picture of the network, it's time for a little scripting. Take the output of Rancid and/or Netdisco, and use it to for instance build an MRTG configuration file, or a list of things for Nagios to probe. It's fairly easy to take the NetDisco adjacencies and run them into a tool like GraphViz to produce a network diagram.

I know of at least two ISP's using this basic formula, and it works really well. Going to an internal web site they can bring up diagrams, usage graphs, MAC tables, IP information and all sorts of other things about any device in the network in seconds. Once devices are in the system it is 100% automated, turn on a new port and it is magically graphed, MAC tracked, and added to the diagrams. Turn it off, it magically goes away. Everything is in version control so old state can be reconstructed. The only human manual intervention is adding/removing one line to the Rancid config when a device is turned up or turned down. I have even seen folks automate that with Netdisco (but, I think that can be problematic, as it's almost circular).

Spreadsheets, Visio diagrams, and the like are always out of date. Someone will always make a change and forget to update it. Some places are only a little out of date, most places are downright wrong. Self documenting is achievable, and always 100% current.

Nagios isn't too difficult to set up to monitor lots of things, and lots of useful uptime metrics for every service, planned and unplanned maintenance, etc. fall out quite naturally from it. And you can kinda just keep adding modules to it into it and grow it until it's full of awesome.

I haven't personally used Redmine yet, but have been using Trac and everyone seems to agree that Redmine is the clear successor in terms of lightweight but capable trouble-ticket / project / task management systems.

Don't forget to add Nagios as well for tracking the status of the server(s).

Cacti is great for graphing performance, capacity planning and spotting anomalies while Nagios is tops for monitoring / alerting. I have worked with many different monitoring tools and suites both commercial and open source. A well configured Nagios / Cacti solution is hard to beat for stability and usability.

This is slashdot, OF COURSE you should use Nagios!

And to increase your /. Kung-Fu, buy an EM01;
http://www.nagios.org/products/environmental

Learn Nagios the FAN way;
http://fannagioscd.sourceforge.net/drupal/

or play with GroundWork, they're awesome;
http://www.groundworkopensource.com/community/community-edition.html

(Yes, I actually run this in a real data center, we eat our own dog food.)

I was recently in a similar situation and I was the one who had to figure it all out due to lack of documentation. The main things that I did were to map the network and create updated diagrams. I did this by using a bunch of utilities both commercial and open source.

Create a list of UIDs and PWDs and maintain them in a program like PasswordSafe. http://passwordsafe.sourceforge.net/

Map all the switches using a program like netdisco. Depending on your equipment, it can find the uplinks and map the network for you. Otherwise, fill in the neighbor information on your own. http://netdisco.org/

Setup monitoring with Nagios and set the parent/child relationships using nagios. Make sure the map is accurate. Monitor all critical network services such as routers, dns, wins, email, proxy, fw, etc. http://www.nagios.org/

If you're not going to graph service data with Nagios, do it with Cacti. That will provide historical/trending data that is important for future network related decisions. http://www.cacti.net/

Create high level network overviews using Visio. Solarwinds LANsurveyor Express is very useful for automating network maps. http://www.solarwinds.com/products/LANsurveyorExpress/

Make sure you have good backup configs of all devices. A tool like Kiwi CatTools will automatically backup the configs for your devices and even alert you to when configs have been changed. It's great for change management purposes. http://www.kiwisyslog.com/kiwi-cattools-overview/

How is open source a better solution when your only source of troubleshooting is Google?

I've used a number of Open Source products on my network here, (Nagios being one) and I tell you, when I have a problem it's next to impossible to find support. At least through a paid closed source application, you typically get a support contract along with it.

http://www.nagios.org/support/

That was the first hit from Google. Your real name is Sam Ramji and I claim my $5.

There are plenty of companies out there that provide contracted service for open source projects. I personally for 12 years have provided paid, per-incident support for Apache, Nagios, Cacti, Amanda, Sendmail, Postfix, Spam Assasin, and Snort\IPTABLES (IDS) firewalls. I have since retired from geek work (I work at a bank now) but I had no problem meeting ITIL severity SLAs including 15 min response, 2 hour fix windows for most production issues.

On top of that in 12 years I've only had 3 sev 1 calls come in on linux\bsd systems I built and all 3 were hardware failures ultimately. There are plenty out there, just, well ... Google them :)

Here I help:

http://www.nagios.org/support/servicepartners/

Start there for Nagios. ISP and VM hosts can often provide Nagios pager\cell\SMS support for servers you host with them also. Just ask.

Cacti.
Ntop.
Nagios.
MRTG.

Did you know that Exchange performs like crap when you run low on local disk space to keep the data.

Why is your Exchange server running out of disk space? Don't you have automated monitoring of your server with something like Nagios? Aren't you using something like NagiosGraph to trend your disk space usage and plan upgrades before you run out of space? Aren't you setting quotas so that users can't dump 10 gigs of data into their email accounts overnight?

Does the hardware have a console with a network port?

Examples:
- On DELL systems, there are these DRAC cards allowing a https connection to the console.
- On SUN hardware, there is ILOM (x86) and RSC (sparc).
- IBM xSeries has this thing.
- You may be to connect a serial line to ttyA from another server to 'tip' for console, making the security a little easier. See this.
- I'm sure there are others for HP, etc...
- Fancy "KVM swicthes.
- There may even be a 3rd party PCI option

Advantages:
- Console sessions require login/pass (some even accept keys)
- You can set your firewall rule to specific IP endpoints
- Minimal cost
- Minimal techy techy knowledge
- No extra software to install

To solve your 'tail -f' requirement; run nrpe/nagios, or even simpler use *.* @loghost in /etc/syslog.conf and set the correct loghost in /etc/hosts.

I understood that you presently run X11, if that isn't necessary with a hardware option and shipping logs, you may be able to run a straight terminal on the host. Unless, of course, your number cruncher requires it.

1. Deny IRC traffic at your firewalls. If there is a business need for IRC then setup a IRC proxy, or inline authentication. This simple step will stop many of the bots out there from phoning home.

2. Enable reverse path detection on your network devices. This forces your internal routers to check whether the source ip address that the bot is sending, is available out the interface that your comprimised host exists on.

3. Enable DHCP snooping on your edge switches. By configuring this feature the switchport that your host plugs into passively observes what IP address was given to your computer. If traffic is spoofed (a common occurrence for botnets) the switchport effectively shuts your host down.

4. Monitor your network. There many free and commercial products that will make it clear that your traffic profiles have changed. Some good free tools for this are Cacti - http://www.cacti.net/, Nagios - http://www.nagios.org/ and NTOP - http://www.ntop.org/

5. Utilize update antivirus technology, hopefully one that reports to a central console. These are simple steps, that frankly most people do not use in their networks. If they would the botnet issue would be greatly minimized.

There is no standard way of monitoring RAID/Fans/Hardware failures

Basically, there's not one bigreason SunRocket went under, but rather a few smaller reasons that added up. The main one being that there was too much focus on bringing in management from the outside (mostly from AOL) instead of promoting from within. Also, employee retention was a big problem. When you start seeing early employees of the company quitting or getting fired, it's very demoralizing to those still there.

I ended up leaving after I was involuntarily transferred to another department (which was supposed to be temporary, but my requests to go back to my previous department were ignored), I had a director-level non-techie jerk that had been hired from outside SunRocket placed as my immediate supervisor, and they decided to blow hundreds of thousands of dollars on network monitoring software when we in the process of doing the same thing with Nagios and/or OpenNMS & saved big money.

To all of the former customers of SunRocket, as well as anyone considering hiring a former SunRocket employee: just about all of the non-management folks (especially the support personnel based in the US, & the technical groups) were the most competent group of people I have ever worked with, and the majority of them did care about providing the best VOIP service possible.

Nagios is a great tool, might be just what you need. Completely free and open source. Check it out:

http://www.nagios.org/

Nagios is another good option. http://www.nagios.org/

I got done reading this, and it's pretty dumb.

"If you're a big company, you already have a security team. If not, hire one." DOH!

That smacks me of the same kind of response from slashdot about legal advice... "Im being sued by the RIAA, should I ignore it?"

Still, why not gander around and see what the the real security experts and such say about such matters:

The Coroners Toolkit Tools for Unix

Nagios detection suite

Honeypots for 'sticking hackers'

And there's the wonderful tools in the Linux kernel for bridges and such that can be made to monitor data as if there was no computer there at all. Also, PF in FreeBSD can route and filter based on much more criteria than Linux netfilter can (like via OS).

You should have a secure layout of your network along with a respectable sensor network. The Sensornet should be separate from the general network.

If you already work in IT, these things should be obvious, as it is the similar measures required for data recovery on non-hack problems.

There is a number of alernative Open Source monitoring software available. Nagios, Cacti and my favourite ZABBIX. ZABBIX is much less resource hungry comparing to Nagios and especially to OpenNMS.

Nagios is a fairly easy-to-learn, extremely extensible (can you use a scripting language?) monitoring system. It scales reasonably well, distributed stat gathering, can respond to SNMP traps, etc. Not the easiest out of the box (you'll spend a day or two learning to use it and set it up), but there's very little you can't make it do.

Nagios has been doing Open Source security since 1996 and looks much the same.

This sounds a lot like Nagios. From TFA I couldn't see anything Munin and Monit would do that you can't do on Nagios with a few plugins. Just a plug - Nagios is beautiful, it makes nice graphical representations of load, hits, throughput, and about anything else you can think of.

It was only a few weeks ago that Nagios announced that they'd be working with the Splunk project. Details are here.

Role
I work 60-70% of my time as a member of the core consulting team here and the rest of the time on "IT" administration and management around the local office. I should note though that I am a software engineer first and fore most, but it so happens that in small businesses one must wear many hats. Last year I was also heavily involved in accounting activities and managed a marketing program.

Scale
I only have 30 workstations and 27 servers (only 2 are publicly accessible and 8 are in a RCF) to worry about presently:

Culture
It should be noted that my users are technically very competent, which is a totally different can of worms to you (I assume from your comments), but there are plenty of issues to guard against with too competent a user as well!:) The issues are just different.

Environment
Server OS: RHEL 3
Workstation OS: Fedora Core 4 and 2 MacOS X (those damn graphic designers/marketing folk!:)
VPN Server OS: NetBSD 3 (runs on an Alpha box)

Software Tools
SCM: Subversion http://subversion.tigris.org/
Issue Tracking: Trac, which integrates nicely with Subversion http://edgewall.com/trac/
Internal Documentation (for future growth): Trac's built-in wiki http://edgewall.com/trac/
Web Server: Apache, mod_python, mod_ssl, mod_dav, and all that good stuff http://apache.org/
Knowledge Base: OpenCyc (but looking for something better that is still open source)
Intranet Framework: Python 2.4/TurboGears/Apache/mod_python http://python.org/ and http://turbogears.org/
Authentication: Fedora Directory Server (LDAP)
Updates: Yum, up2date
Server Monitoring: Nagios http://www.nagios.org/
[Internal] Remote Access: ssh and Gnome/VNC for the rare visual task
[External] Remote Access (i.e. VPN): OpenVPN

Internal Tools
Fixed Asset Management: Rolled my own TurboGears Web/AJAX application that hooks into our accounting system (it took 3 days part-time).
Backups: Rolled own Python backup mechanisms including scripts
Deployment Tools: Using Python's autoinst http://autoinst.tigris.org/
Continous Integration: I have started using Bitten instead of using cron and shell scripts to launch Python distribution builds and tests on a nightly and "continuous" basis for immediate feedback - something I find invaluable.

Office Software
As mentioned in a previous posting using a good calendaring tool is a very good idea. My recommendation is the Calendar extension for the Mozilla suite of tools.

Interesting, since I work in Higher ed. Hold on while I check Protege which I use to map our enterprise. Oh, I see that over 80% of our logical servers are running Linux, either Debian, Red Hat AS or Cent OS. It appears that we are using typo 3 for our CMS. It also looks like we are using uPortal for our web portal and CAS for our Web ISO. Looks like we're using Nagios for monitoring, plus other open source projects in various areas. I also see heavy dependance and use of PostgreSQL and MySQL.

Let me check what services have given us the most trouble. Oh, I see it's our closed source applications.

But, I guess they know best. So I had better shut all of this down.

If your intent is to detect network troubles, I recommend using some system like Cricket or MRTG to graph the interfaces as well as the Errors on the interfaces within the network. This may require some finesse in setting up for the first time.

Aside from that, Sysmon was written primarily to monitor hosts and the host based services, but was morphed also to monitoring networks. It may fit your needs as you can set up SNMP thresholds of network errors and other things.

If you want to be super-lazy, I would download the trial of Intermapper it may be able to find these troubles for you if you can SNMP poll the devices and has auto-discovery. I've not used it in awhile, so hopefully it has support for the platforms that you are using.

ntop
Nagios
MRTG
Cacti

By touching it. There's always an assistant named Murphy looking over my shoulder, but she usually waits until I'm in the shower or leaving on vacation before "helping".

Your question is really "How do I introduce layer 1 and 2 problems into my home LAN, since all layer 3 routing is limited to a NAT box with a single default route?". The lower layers are a good place to start, since half of all your problems come from there, save the routing problems for a future ask/. question.

Others have already pointed out the joys of having dueling DHCP servers, subtly mis-configured DNS servers, overlength cables and the like. Keep an eye out for others throwing out bad ethernet cables with broken catch-tabs, frayed insulation, sharp kinks or intermittent wiring, and put them into critical places in your network. They may not fail right away, but will wait until you host a lan party at your place or you have a few hours to get a report done. Her name is Murphy, she's a bitch and she'll gladly pay you a visit when you least want her around.

Start to learn what kind of traffic is on your local network. Get ethereal, snort and ntop running, and see what the packets look like. Chances are you'll find some things that look suspicious, you'll learn a lot by figuring out how DHCP handshakes work, how often ARPs happen, what other protocols are on your net besides IP. Since you are running a BSD, you can pretty safely put the box on the outside of the firewall (it probably is the firewall) and watch all the constant crap scanning the internet. That's a great way to learn how to tune firewall rules by hand, and you will break things along the way.

To really start to learn how layer 2 networking almost works, grab some old cisco kit off of eBay. I've seen 2900 switches for US$20. Plug something slightly pro into your network, start simple, just get a cheap used cisco/hp/3com switch off eBay that can do 802.1q vlans, spanning-tree, and snmp. Your BSD ethernet card can be configured to do .1q, so there is a lot of learning there by creating multiple separate vlans, one for each machine. A single router and switch with 802.1q vlans can make some pretty complicated networking topologies without massive amounts of wiring. Then you can break your network by plugging a crossover cable into two ports and watching spanning tree open up one of them. Bonus points if you create a topology where by creating a spanning tree loop, your main gateway or server port is the one that goes into blocking mode (you need a minimum of two switches to do that).

To break things in subtle and non-obvious ways, try changing your address ranges from the usual 192.168.0.0/24 to something unusual like 172.31.255.16/29, doing the netmask/subnet/broadcast calculations in your head for practice. Then misconfigure the netmasks on each device, notice how one machine can ping another, but not the other way around. Try building multiple separate segments rather than multiple subnets on a single wire, this will force traffic to use your router, and really show netmask problems more clearly.

To really break things, instead of using reserved RFC1918 addresses behind your NAT box, use a public network range like 66.35.250.0/24. Sure, it will break one major site, but you shouldn't be wasting your time there :-)

Since you already have a BSD running, do you leave it on 24/24? If so, its time to start loading up the real tools like cacti, nagios, and smokeping. It helps if you have an SNMP capable switch on your network, but configuring your own SNMP can be quite a learning experience as well. With graphs showing what is happening on your net and the internet over time, you will start to see the cycles of congestion every evening and maintenance times every sunday at wee hours. The most frustrating problems in networkin

What tools and methods are the best practice when trying to use Linux and Open Source to analyze and fix a network?

• Nagios
• Snort
• ethereal
• dsniff (not updated in ages)
• ncat
• nmap
• nessus v 2 (or one of the forks of version 3)
• SARA

Use nagios. It's a good networ mapping tool. http://www.nagios.org/

Look at postfix + mysql
http://www.sweeney.demon.co.uk/pfix_imap_virtual.h tml

Mostly, U will need a cluster for everything.
If you are seeking for a all around opensource, start with this link, later, to use LVS, the tool for makeking load balancing clusters go here:
http://www.linuxvirtualserver.org/

And if you really are looking for a opensource cheap software costs (not very cheap tco) also you can build your OWN san with ata over ethernet:
http://sourceforge.net/projects/aoetools/

And for webmail a usefull but also ligth interface:
http://www.squirrelmail.org/

With all the licence cost savings, you can Invest a lot of time, and have a fair amount of flexibility.

Sendmail inc, has high availability solutions:
www.sendmail.com

Also, you can spend a lot of money and buy a very bit IBM machine with lots, and lots of lotus notes licenses, with that kind of money spent, you can put IBM at your knees if a lawer makes a good contract..

Also, to complete the solution you can setup nagios and mrtg for monitoring.
http://www.nagios.org/
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

I think, to setup the hole thing, U will need, like about 50 good servers, (maybe u can try IBM openpower with virtualization, it IS a risc CPU), and like.. humm.. a month of technical tests...

The mysql backend will give you centralized administration, LVS will provide scalability and good servers will give you uptime...

And if EVEN you like, you can make a Linux Routers using sangoma hardware:
http://wwww.sangoma.com/

Everything can be done with Linux by now... The cuestion is how much responsability do you want to have regarding the stability, and overall functionality of the solution.

IBM, HP, RedHat, SuSe, and ANY Linux Consulting firm would be interested in having you as a success history.

Good Luck, and May the Source be With You

Software:
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
http://www.nagios.org/

Hardware:
Two high resolution projectors and screens to project them on.

You need to develop a strategy that includes network monitoring, penetration testing, and watching the security lists or sites.

For a network monitor, Nagios (http://www.nagios.org/ is popular, but I like Mon (http://www.kernel.org/pub/software/admin/mon), because of its simplicity.

Once you start watching, you realize that you get attacked so much that you quickly scale back the sensitivity. In the end, the monitor becomes a forensics tool, or a way of verifying that it's not an attack that's causing whatever problem you're having.

Acquire skill with Nmap (http://insecure.org./ Learn how to know what the bad guys know about you. Google yourself and your network, to see what dangerous information is out there about you and your network. Try to render that information obsolete.

Read up at http://sans.org/ or maybe a CERT advisory list.

You can spend minimal time on any of this or all of your waking hours.

But it's great getting paged that a server is offline before anyone else (like the client) knows about it.

Check the front page of Nagios for network based environmental sensors that plug straight into your network.

We just use Nagios along with a temperature sensor and a custom-written Nagios plugin. It cost us about $200 in parts and about an hour's worth of labor to write the plugin.

Of course, there is always the esensor, which happens to go on sale tomorrow.

Build yourself a couple of Thermal Cubes ($3.50 - $5.00 each), and connect them to a box running Nagios (which you should be running anyway). Hey presto, temperature monitoring. And you get to play with soldering irons at work, which can be great fun if you act secretive and mutter about overclocking.

I did this in our server room after the A/C's kept "randomly" shutting off. We use nagios and the Esensor. It's kinda pricey but it's way worth it. There are scripts that will make it integrate directly with Nagios so there's a TON of ways it can alert you via email/SMS/etc...

--Ajay

http://www.nagios.org/products/environmental/esens ors/em01b.php

Doesn't get any easier.

>A completely adaptive system that detects
>everything is probably out of your reach

http://www.nagios.org/

you've never done this, have you ?

So you're concerned about letting things go on auto-pilot and missing an alarm . . .

Why not slap a modem into the head nagios box and have it page you when things fail. Don't worry about having to wear a beeper - you can page most cellphones via your carrier's SMS gateway (still dial-capable).

Too much hassle? How about AIM? YIM? Jabber? Email?

If you're TRULY the teeth jittering, chain smoking NOC type, buy some x10 crap and build a physical network alarm interface like I did :). Either way, nagios has ASSLOADS of event notification options.

So you're concerned about letting things go on auto-pilot and missing an alarm . . .

Why not slap a modem into the head nagios box and have it page you when things fail. Don't worry about having to wear a beeper - you can page most cellphones via your carrier's SMS gateway (still dial-capable).

Too much hassle? How about AIM? YIM? Jabber? Email?

If you're TRULY the teeth jittering, chain smoking NOC type, buy some x10 crap and build a physical network alarm interface like I did :). Either way, nagios has ASSLOADS of event notification options.

So you're concerned about letting things go on auto-pilot and missing an alarm . . .

Why not slap a modem into the head nagios box and have it page you when things fail. Don't worry about having to wear a beeper - you can page most cellphones via your carrier's SMS gateway (still dial-capable).

Too much hassle? How about AIM? YIM? Jabber? Email?

If you're TRULY the teeth jittering, chain smoking NOC type, buy some x10 crap and build a physical network alarm interface like I did :). Either way, nagios has ASSLOADS of event notification options.

So you're concerned about letting things go on auto-pilot and missing an alarm . . .

Why not slap a modem into the head nagios box and have it page you when things fail. Don't worry about having to wear a beeper - you can page most cellphones via your carrier's SMS gateway (still dial-capable).

Too much hassle? How about AIM? YIM? Jabber? Email?

If you're TRULY the teeth jittering, chain smoking NOC type, buy some x10 crap and build a physical network alarm interface like I did :). Either way, nagios has ASSLOADS of event notification options.

So you're concerned about letting things go on auto-pilot and missing an alarm . . .

Why not slap a modem into the head nagios box and have it page you when things fail. Don't worry about having to wear a beeper - you can page most cellphones via your carrier's SMS gateway (still dial-capable).

Too much hassle? How about AIM? YIM? Jabber? Email?

If you're TRULY the teeth jittering, chain smoking NOC type, buy some x10 crap and build a physical network alarm interface like I did :). Either way, nagios has ASSLOADS of event notification options.

So you're concerned about letting things go on auto-pilot and missing an alarm . . .

Why not slap a modem into the head nagios box and have it page you when things fail. Don't worry about having to wear a beeper - you can page most cellphones via your carrier's SMS gateway (still dial-capable).

Too much hassle? How about AIM? YIM? Jabber? Email?

If you're TRULY the teeth jittering, chain smoking NOC type, buy some x10 crap and build a physical network alarm interface like I did :). Either way, nagios has ASSLOADS of event notification options.

So you're concerned about letting things go on auto-pilot and missing an alarm . . .

Why not slap a modem into the head nagios box and have it page you when things fail. Don't worry about having to wear a beeper - you can page most cellphones via your carrier's SMS gateway (still dial-capable).

Too much hassle? How about AIM? YIM? Jabber? Email?

If you're TRULY the teeth jittering, chain smoking NOC type, buy some x10 crap and build a physical network alarm interface like I did :). Either way, nagios has ASSLOADS of event notification options.

I do not understand why the big corporation uses MRTG which does nothing apart of bunch of graphs which can hardly be used for pro-active monitoring.

Come on, BBC! Use Zabbix or Nagios to get real monitoring software!