Slashdot Mirror


Build Your Own NOC

Geminus writes "Ever wanted to build a cheap NOC but had difficulty explaining tech stuff to bean counting managers? Here's the basics on building one for under two grand. Makes for a pretty good dog-n-pony show, and proves useful too! Damn, I want to be an Armchair Network Operations Center General."


  1. Re:NOC???? by bluekanoodle · · Score: 3, Informative

    Network Operations Center

  2. The article. by Anonymous Coward · · Score: 5, Informative

    A Website Dedicated to Computer Professional...and some not so Professional
    How to build a cheap Security NOC
    William M. Nett

    The Network Operations Center or NOC is the cornerstone of all computer networks. I've worked at AT&T's NOC, been around Government NOCs and seen small scaled versions. Most look like something out of the movie, "WarGames" and surprisingly, whether you're a Linux or Windows fan you can build one for cheap and be your own armchair NOC General.

    What does a NOC do? It monitors connections, network activity, spots problems, conducts threat assessments, and calculates scalability requirements with customer demands... it also puts on a pretty good "dog-n-pony" show for potential investors and customers.

    What's required? Again, surprisingly not too much! Depending on the size of your company, this can be achieved with as little as an 8' X 10' room, and 4 computers. Trust me, you more than likely do not need a $15,000 Cisco PIX or Nokia firewall (which runs Linux derivatives).

    You'll need at least three big monitors (the bigger the better), two smaller ones (17"), a KVM switch, and OOB dialup. Here's the loadout:

    1. Firewall: Get a copy of IPCOP... it's Smoothwall on steroids and very easy to configure. It has a built in Intrusion Detection System, Proxy logging, and you can use Coyote Linux as a failover if you think you are being attacked. This package uses a web interface, so there's no need for a monitor, keyboard, or mouse. These software elements are also free. Minimum requirements are a 333 MHz system with 64MB of RAM and a 2.1GB Hard-Drive.

    2. Network Monitoring: Download a copy of F.I.R.E. and run it on a barebones 600 Mhz system. Configure and open Etherape on a monitor for an Air Traffic Controller's view of your network activity... bean counters love this. If you're being attacked or infected, you will quickly see where it's coming from. You should also use a receive only sniffer cable on this box to protect integrity... a receive only box has a zero chance of infection as it's physically impossible.

    3. Got wireless? Download and run Airsnare with a semi hyped up Wireless antenna, and you'll quickly spot any war-drivers or unauthorized network connections. If you have an old directional motorized TV antenna system lying around you can go uber-elite and connect a cheap phased array panel antenna or cantenna to locate your wireless intruder with NetStumbler. This can all equally run on a 333Mhz Windows based system.

    4. Workstation: Here's the beef... a 1.2Ghz, 512MB, 20GB computer, with dual head Matrox card, with dual booting OS (Linux & Windows), Preferably Linux with a Windows VMWARE guest OS. Trust me, once you go Dual-Head, you won't go back. The best Linux Dual-Head OS is SuSE 8.3. Tie this into the KVM to modify any of your servers.

    5. Red Phone... after all, who doesn't want one? You're Batman, right?

    Your first Monitor should be watching CNN or the weather channel (depending on location), the second should be running Etherape, and the third should be running Airsnare or Windows Services Monitors (CPU, Netload, etc.) All of the software here except Windows is free, and easy to configure... except maybe your General's chair. In the end, aside from having your own WOPR, you have a NOC for just under $2,000.00

    William M. Nett

    Links:
    http://www.ipcop.org
    http://www.coyotelinux.com
    http://prdownloads.sourceforge.net/biatchux/fire-0.4a.iso?download
    http://etherape.sourceforge.net/images/v0.5.5.png (an Etherape screenshot)
    http://www.netstumbler.com
    http://home.comcast.net/~jay.deboer/airsnare/download.htm

    E-mail your comments to dougchick@thenetworkadministrator.com
    All rights reserved TheNetworkAdministrator.com


    1. Re:The article. by Silvers · · Score: 5, Informative

      "You should also use a receive only sniffer cable on this box to protect integrity... a receive only box has a zero chance of infection as it's physically impossible."

      Am I the only one that balks at this statement? Maybe I am missing something but it does seem that even with rx-only you could be infected, just not by any connection oriented protocols? (Or maybe even still if some really strange bug crops up).

      Or am I just missing something...

    2. Re:The article. by AKnightCowboy · · Score: 3, Informative
      The idea is that whatever goes on out there will be logged/dumped, but never executed/analyzed, on this machine.

      Wrong. Go look up the RPC pre-processing and stream4 vulnerabilities in Snort. I will also add that a very common way to configure a network sensor is to have one administration interface on an internal trusted network and the other passive listen-only interface without the IP on the dirty network. With the snort vulnerabilities your machine could become infected and used to reach your internal network. Unless you've got a very very simple network that only needs one sensor with a monitor and keyboard attached you'll need some admin interface on it to reach it to dump logs and change rulesets.

    3. Re:The article. by IGnatius+T+Foobar · · Score: 4, Informative

      Kind of like making
      bash# ln -s /dev/lp /var/log/messages


      If I may nitpick ... you could also achieve the same effect, without the symbolic link, by simply pointing to /dev/lp in your /etc/syslog.conf file. That way it would write to both locations without them having to be linked together. Moreover, you could define different logging levels (for example, send everything to the text file but only critical logs to the printer).

      syslog is a wonderfully flexible facility.

      --
      Tired of FB/Google censorship? Visit UNCENSORED!
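    The split IGnatius+T+Foobar describes, written out as an added example (not a fragment from the comment or from any syslogd documentation). It is a hypothetical excerpt of /etc/syslog.conf in classic sysklogd syntax; the paths /var/log/messages and /dev/lp0 are assumptions, and older sysklogd versions insist on a tab, not spaces, between selector and action:

```conf
# Hypothetical /etc/syslog.conf excerpt: "selector<TAB>action".
# Every facility and priority goes to the file; only crit and above
# (crit, alert, emerg) are also pushed out to the line printer.
*.*		/var/log/messages
*.crit		/dev/lp0
```

    The printer line gives you a hard-copy record that a compromised host cannot quietly rewrite, which is the appeal of the symlink trick, but with the selector you decide how much paper that costs. One caveat worth planning for: syslogd writes to the device synchronously, so a printer that jams or goes offline can stall the write and, with it, the daemon's other logging; keep the printer selector narrow for that reason as well.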
  3. NOC by chunkwhite86 · · Score: 5, Informative

    For those who are wondering...

    A NOC is a Network Operations Center. It is one room, typically filled with many displays of real-time data which display the health/status of a network.

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.
  4. Re:WOPR by Anonymous Coward · · Score: 2, Informative

    War Operation Programmed Response

    from the movie War Games

  5. Re:WOPR by Anonymous Coward · · Score: 5, Informative

    Geezus... Everyone who's a true nerd knows that the WOPR is the War Operations box that was in the movie WarGames (Matthew Broderick)....

    You know, the movie that made it absolutely *impossible* to get a dial-up into any BBS in the country for about 3 weeks after the movie came out...

    Then again, I've been hacking around since about '76, so maybe I'm just showing my age...

  6. Re:WOPR by Dave+Beta · · Score: 2, Informative
    They use the acronym WOPR in the article and I think they just might mean Weapon of Public Relations

    Considering the earlier reference in the article to WarGames, I think it's safe to say they are using WOPR to mean "War Operations Plan and Response".

  7. SuSe Linux 8.3 by Anonymous Coward · · Score: 5, Informative


    1. SuSe 8.3 does not exist, it's in fact either 8.2 or 9.0.
    2. There is currently no dual head driver for the Matrox Parhelia. Older Matrox video cards have a dual head driver, but they don't work anymore with "recent" motherboards since the motherboard's voltage changed from 3.5 to 5 volts. And yes, 1.2 GHz-era computers are affected by this voltage change.
    3. VMware will be too slow with this configuration to do something really useful. Especially with dual heading.
    4. This article is either a fake or a troll.

    1. Re:SuSe Linux 8.3 by RedK · · Score: 5, Informative

      Actually, I agree this article is skimpy on the meat and is pretty much useless and filled with factual errors. However, I'd like to respond to your post

      2. There is currently no dual head driver for the Matrox Parhelia.

      This is of course bullcrock. Matrox does have a driver for the Parhelia based cards which supports, amongst other things, dualhead configurations (and even triple head! Yes, on Linux). The second head is not accelerated however, so it might be a bit on the slow side.

      3. VMware will be too slow with this configuration to do something really useful. Especially with dual heading.

      Oh please. Dual heads do not noticeably affect the speed of the computer they're running on. Plus, I've run Windows installations within VMware on a P2-333 with a Linux host, all running at very good speeds and using only 288 megs of RAM (2x128 + 1x32). At work, we have a workstation that's a P3-1.0GHz and it runs 2 VMware sessions with Windows 2000 Server for tests, on a Linux host busy running most of our NOC tools. This is all nice and dandy and running along smoothly.

      4. This article is either a fake or a troll.

      Actually, it's not fake since it's posted there and I don't believe it's a troll since you can see a basis for something in there. It's just very badly researched and probably has never been tested in real life. This guy needs to do a lot more trials and research before he has a fully functioning NOC capable of monitoring more than the coffee machine.

      --
      "Not to mention all the idiots who use words like boxen."
      Anonymous Coward on Monday August 04, @06:49PM
  8. Mirror by TPS+Report · · Score: 5, Informative

    Mirror Here. I'll mirror the rest of the page, as soon as he recovers from the shock and replaces the charred, smoking remains of the server he once had.

    --
    I was told that I could listen to the radio at a reasonable volume from nine to eleven...
  9. This article sucks by 0x0d0a · · Score: 5, Informative

    There is *not* a heck of a lot of content here.

    Most of the information is more than obvious to anyone interested in running a NOC (incidentally, left out of the Slashdot story is that this is a *Security* NOC).

    I've seen random Slashdot posts that would be a lot more useful to someone interested in building a NOC than this thing.

    That being said, my own two cents:

    If you're using SNMP to manage your network, snmpwalk+scripts is good. If you can stomach not using open source software, Intermapper is really nice. Unfortunately, the two big open source competitors don't quite measure up -- Scotty is kind of old and grotty and rather TCL-oriented, and GxSNMP appears to be dead.

    Etherape, as suggested in the article, isn't the greatest choice either...IIRC, it doesn't support satellites, which means it needs to be running on the actual network it's monitoring. Not really acceptable for a NOC tool. Etherape is also, in my experience, rather CPU-hungry. There are a lot of commercial traffic flow visualization tools...not sure what's best, as I haven't played with many.

    All in all, while the article's worthy of a post in a random discussion, it really isn't worthy of a Slashdot story.

  10. psDooM? by runlvl0 · · Score: 5, Informative

    Or, perhaps someone will come up with the bright idea to let you shoot packets whilst in the 3d game...

    Kind of like psDooM (as seen on Slashdot), but at the network level? I'll betcha it could be done.

    --

    Carthago delenda est!
  11. For those of you wondering about "F.I.R.E" by Tyndareos · · Score: 4, Informative

    This is the website: http://fire.dmzs.com/

  12. Re:Please hook me up with your vendor! by richie2000 · · Score: 5, Informative
    I haven't priced VMWARE in a long time, but if memory serves, that should be near or over the 2K mark by itself.

    You need to refresh your DRAM. VMWare Workstation 4 costs $299 from vmware.com. The rest of the stuff can be had for free, more or less. 17" monitors are $100 a pop new (CRT, that is), the 1.2GHz box can be built new for around $200 (1300 Duron, 256MB RAM, 40GB disk) and the rest of them are dumpster-diving fodder. The only things in his list that actually may cost Real Money (TM) are the big screens, but you can get old 24" Sun monitors on Ebay for a song and maybe a little dance and then you just need to get/make a VGA-Sun adapter to be in business.

    --
    Money for nothing, pix for free
  13. NOC's Have a Purpose by Nazmun · · Score: 3, Informative

    Although some companies may have NOCs for no good reason... NOCs do have their places. I am a webhost (a small one) and our servers are in datacenters with thousands (in many cases tens of thousands) of other such machines. There are always at least one or two techs around in the wee hours of the night and a NOC is most certainly necessary to monitor all these machines and the network.

    There is NO way a laptop can replace a NOC in such a case. You need a centralized area where everything is monitored. As for remote administration, it's always been pretty decent with Unix (and in our case it's linux mostly) but that just helps the NOC become more useful for us.

    --
    Hmmm... Pie...
  14. Re:Please hook me up with your vendor! by Anonymous Coward · · Score: 1, Informative

    Where "dumpster" here refers to the office PC boneyard.

  15. Nagios... by helzerr · · Score: 4, Informative

    How is it there is an article about a homebrew N.O.C. that doesn't mention Nagios?

  16. Re:Please hook me up with your vendor! by richie2000 · · Score: 2, Informative
    Not on pricewatch at least.

    Maybe not, but that's what I pay (in parts, not counting time of course) in Sweden. The Duron is $30, 40GB Seagate Cuda $50, box (Q-Tec smiley) $20, RAM $30, an Asus MX all-in-one mobo for $40 and with floppy, CD, rat, keyboard and cables for another $30 you're home. Or, if you don't want to build one yourself, go to Walmart - they have several sub-$200 models, with or without Lindows, hell they even have one for a few dimes under $160 (no harddrive in that puppy, but I bet it runs Knoppix just fine).

    Riiiiight.

    Right. Seen any 333MHz 1.2GB PCs on dell.com lately? No? That's because there aren't any. They are obsolete. You'll find them in dumpsters, yard sales or on Ebay for free or a reasonable facsimile of free.

    --
    Money for nothing, pix for free
  17. Re:Akamai NOC Tour by mcbridematt · · Score: 3, Informative

    yes, I got that wrong for some reason, but it surprises me how many people can't learn to 'patch' a link :(

    Akamai NOC tour

    Wired article about Akamai's 'gods-eye' view of the Slammer virus

  18. Re:And furthermore... by Jason+Scott · · Score: 3, Informative

    Everyone's so Anonymous Coward these days! Shame.

    Quick explanation for the shot. It's a stitched together panorama shot, using software. It didn't come out like I'd like it to, so I will obviously have to retake it at some point. There are two lisas; there's an artifact of the one lisa looking like two. If you look around it, the shelf blends as well.

    Other machines in there that might not be obvious: Vic-20s, C-64s, Apple IIc, Apple IIs (5), Macintosh SE (painted cow colors), Sun Ultra 2, Amiga 500s (3), Commodore PET (my first computer, given to me by dad when I was 9), Atari 800, and a metric ton of PC Compatibles. Oh, and a Microwave.

    As for the tree, my home is about 110 years old, and they used actual tree trunks for supporting beams. Multiple inspectors say they're as good or better than other choices for supports, so they stay. I like them, and they're great conversation pieces.

  19. Vulnerability of receive-only by puhuri · · Score: 5, Informative

    There are some vulnerabilities for passive monitoring also. A search of the CERT database for snort or tcpdump gives you the following list:

    • Heap overflow in Snort "stream4" preprocessor
    • Buffer overflow in Snort RPC preprocessor
    • tcpdump enters infinite loop when parsing crafted ISAKMP packets
    • tcpdump vulnerable to buffer overflow via improper decoding of AFS RPC (Rx) packets
    • tcpdump vulnerable to buffer overflow via parsing of AFS ACL packets
    • tcpdump, ethereal vulnerable to DoS

    A listen-only box gives you some protection but it cannot be the only protection for your traffic recorder.
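    The point puhuri and AKnightCowboy are making, worked through as an added example (this is not code from the article, from Snort, from tcpdump or from any commenter): a receive-only cable stops the sensor from talking, not from parsing, and the decoder still runs over every byte an attacker puts on the wire. The record format below is hypothetical, modelled loosely on next-payload/length chaining of the kind the ISAKMP advisory above concerns; the four captures are constructed. `walk_naive` trusts the length field and shows the two failure classes the CERT entries describe, non-termination and an unhandled decoder error; `walk_checked` bounds every read and insists on forward progress.

```python
"""Why "receive-only" does not mean "cannot be attacked": the sensor still
runs a decoder over attacker-chosen bytes.  Constructed example; the record
layout below is hypothetical, not any real protocol."""
import struct
from itertools import islice

# Hypothetical chained-payload header: next_payload (1) | reserved (1) |
# length (2, big-endian, counts the header too).  next_payload == 0 ends the chain.
HDR = struct.Struct("!BBH")
MAX_PAYLOADS = 64  # upper bound a sensor should impose on any chained structure


class MalformedPayload(ValueError):
    """Raised by the checked decoder instead of looping or crashing."""


def walk_naive(pkt, first_type):
    """Trusts the length field.  A length of 0 never advances `off`, so the
    generator never terminates (the infinite-loop class); a length larger than
    the packet yields a silently truncated body and then raises struct.error
    on the next header read (the crash class)."""
    off, ptype = 0, first_type
    while ptype != 0:
        next_type, _reserved, length = HDR.unpack_from(pkt, off)
        yield ptype, pkt[off + HDR.size:off + length]
        off, ptype = off + length, next_type


def walk_checked(pkt, first_type):
    """Same walk, but every read is bounded and every step must make progress."""
    off, ptype, count = 0, first_type, 0
    while ptype != 0:
        if count >= MAX_PAYLOADS:
            raise MalformedPayload(f"more than {MAX_PAYLOADS} chained payloads")
        if off + HDR.size > len(pkt):
            raise MalformedPayload(f"header truncated at offset {off}")
        next_type, _reserved, length = HDR.unpack_from(pkt, off)
        if length < HDR.size:
            raise MalformedPayload(f"length {length} would not advance past offset {off}")
        if off + length > len(pkt):
            raise MalformedPayload(f"length {length} at offset {off} overruns {len(pkt)}-byte packet")
        yield ptype, pkt[off + HDR.size:off + length]
        off, ptype, count = off + length, next_type, count + 1


def run(walker, pkt, first_type, limit=1000):
    """Drive a decoder with an iteration cap so a non-terminating one is observable.
    Returns (payloads_decoded, outcome): outcome is None on a clean finish,
    "rejected: ..." when the checked decoder refused the input, or
    "crashed: ..." when the decoder died with an unhandled struct.error."""
    seen = []
    try:
        for item in islice(walker(pkt, first_type), limit):
            seen.append(item)
    except MalformedPayload as exc:
        return seen, f"rejected: {exc}"
    except struct.error as exc:
        return seen, f"crashed: {exc}"
    return seen, None


def payload(next_type, body):
    """Build one well-formed payload whose length field covers header and body."""
    return HDR.pack(next_type, 0, HDR.size + len(body)) + body


# Constructed captures.  A sensor sees all of these on its listen-only
# interface whether or not it is able to send a single byte.
BENIGN = payload(8, b"SA") + payload(0, b"nonce")   # two payloads, chain ends cleanly
ZERO_LEN = HDR.pack(5, 0, 0) + b"\x00" * 4          # length 0: the record points at itself
OVERLONG = HDR.pack(9, 0, 0xFFFF) + b"x" * 4        # claims 65535 bytes, carries 8
TRUNCATED = b"\x01\x00"                             # not even a complete header

if __name__ == "__main__":
    for name, pkt, first in [("benign", BENIGN, 1), ("zero-length", ZERO_LEN, 5),
                             ("overlong", OVERLONG, 1), ("truncated", TRUNCATED, 1)]:
        for walker in (walk_naive, walk_checked):
            seen, outcome = run(walker, pkt, first)
            print(f"{name:12s} {walker.__name__:13s} payloads={len(seen):4d} outcome={outcome}")
```

    Run it and the naive walker decodes the benign capture correctly, spins on the zero-length record until the cap stops it, and dies on the overlong and truncated ones; the checked walker rejects all three crafted inputs before touching a byte beyond the buffer. In C, the equivalent unchecked copy is the heap overflow in the Snort entries above, which is why the interface layout AKnightCowboy describes matters: the passive interface keeps the sensor unreachable, but a decoder bug still lands the attacker in a process that usually also holds the admin interface to the trusted network.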

  20. Re:My NOC is 66 square feet,3TB of traffic by Skal+Tura · · Score: 3, Informative

    I agree with that!
    It is very simple mathematics, and a bit has to be known before actually trying the first time (that little is that you know you can try it out :D)
    Anyways, when everyone else offers server hotel services for 150e/month minimum, this being a 1:10 shared 10mbps half-duplex connection, sharing based on 'best-effort' (no QoSsing even oO;), with a max of 5 IPs... and at MAX nameserver usage for _1_ domain.

    Well, with simple arrangements, I managed to cut the price in half, plus increase the bw per user (1:7 sharing), plus putting on top: hardware firewalling, nameservers and e-mail servers.
    It wasn't even hard, and I still have several hundred percent profit per 10mbps half-duplex link.
    And still, the datacenter is in a very expensive area, in the core of our capital, and not only in the core but the most expensive area anywhere in our country! (well, at least as far as I know).

  21. Re:Speed kills computers. by Billy+the+Mountain · · Score: 2, Informative

    Nitrous is a stimulant when applied to the air intakes of internal combustion engines.

    btm

    --
    That was the turning point of my life--I went from negative zero to positive zero.
  22. Re:For a real opensource NOC by JerkBoB · · Score: 2, Informative

    I can state without reservation that the open source tools you mention (MRTG/RRD, OpenNMS) are mediocre to the point of unusability.

    Can't say anything about OpenNMS, but I'm surprised that more people haven't heard of Cricket. Scales well, and the configuration isn't too bad once you get past the initial learning curve. Uses RRDs for sample storage. I'm in the process of phasing out MRTG in favor of Cricket at the ISP I run.

    --
    A host is a host from coast to coast...
    Unless it's down, or slow, or fails to POST!
  23. Re:Basement NOCs - They're the Future! by Jason+Scott · · Score: 2, Informative

    People actually pay you money to host their websites in that basement? Please let me know what form of hypnosis you used on your customers. *sarcasm off* Seriously, beyond the basement, how can you possibly compete price wise with any half-decent provider? Are these friends of yours or something? Just no way that you could afford a T-1 and still make money by hosting 3 customers. Unless they are a bit "sheltered" and don't realize what a few hundred dollars gets them on the open market.

    Even though this thread is well on its way to death, I wanted to respond to this (currently 0 rated) comment, since I think there's something worth discussing in it. Likely a version of this will go into a "my basement data center" page I should really build.

    There are several considerations you're not aware of or missing. There is no shame in this, since all you've had to go on is a paragraph and a picture.

    First of all, I am an additional customer along with my other 3-4 customers. I use an awful lot of bandwidth (imagine how much goes out the door on artscene.textfiles.com alone) and so I pay a good portion of the monthly costs, more than anyone else in fact. What opening my basement to others does is turn what would be a crushing monthly recurring charge into a merely indulgent one. Since the vast majority of my work and public face comes through these machines and the network, I think it's a worthwhile expenditure.

    I will take this moment to say that my T-1 comes from Speakeasy, and is an amazing bargain at about $520 a month. I've had people say "how do you afford the thousands for one" and the answer is I don't. They give me incredible service and top-level support. I've had a total of 30 minutes of outage in 11 months. They're good people and you should consider them instead of cable companies, who are, in fact, distilled evil.

    I might have lost you (or others) when I displaced the notion of a profit motive behind the setup of my home. I don't really call these folks "customers", I call them "roommates", with a lot of the needed give-and-take that comes from that. When they need a reboot, they call me on my cell phone and I go do it. I've done part installs and troubleshooting, all part of the deal, just like roommates help each other out. When they need an extra IP or two, I get one to them. If they ask for a reverse lookup change, I go do it. And so on. I answer questions and make myself available. Also, we do things month to month, no contract. If one person leaves for whatever reason, I can swing the cost until I find a new person.

    So I don't think it's hypnosis or delusion or sheltering; you will find most places give you "virtual hosting" or charge a lot for rackspace or will not give you the access to a dedicated person that I give, and can really only give if it's a small number of people. Will it ever be a full-on Colocation Facility? No. Do I want it to be? No. Am I in competition with these places? I don't think so.

    The 1990's imbued otherwise-rational geeks with this inherent need to justify everything as a business case. It really sours everything, if you ask me. This is more a little community than anything else. Don't worry, I'm not putting any colos out to pasture.