Slashdot Mirror

← Back to Stories (view on slashdot.org)

Build Your Own NOC

Posted by timothy on from the role-playing-game dept.

Geminus writes "Ever wanted to build a cheap NOC but had difficulty explaining tech stuff to bean counting managers? Here's the basics on building one for under two grand. Makes for a pretty good dog-n-pony show, and proves useful too! Damn, I want to be an Armchair Network Operations Center General."

20 of 267 comments (clear)

  1. Re:NOC???? by bluekanoodle · · Score: 3, Informative

    Network Operations Center

  2. The article. by Anonymous Coward · · Score: 5, Informative

    A Website Dedicated to Computer Professional...and some not so Professional
    How to build a cheap Security NOC
    William M. Nett

    The Network Operations Center or NOC is the cornerstone of all computer networks. I've worked at AT&T's NOC, been around Government NOCs and seen small scaled versions. Most look like something out of the movie, "WarGames" and surprisingly, whether you're a Linux or Windows fan you can build one for cheap and be your own armchair NOC General.

    What does a NOC do? It monitors connections, network activity, spots problems, conducts threat assessments, and calculates scalability requirements with customer demands... it also puts on a pretty good "dog-n-pony" show for potential investors and customers.

    What's required? Again, surprisingly not too much! Depending on the size of your company, this can be achieved with as little as an 8' X 10' room, and 4 computers. Trust me, you more than likely do not need a $15,000 Cisco PIX or Nokia firewall (which runs Linux derivatives).

    You'll need at least three big monitors (the bigger the better), two smaller ones (17"), a KVM switch, and OOB dialup. Here's the loadout:

    1. Firewall: Get a copy of IPCOP... its Smoothwall on steroids and very easy to configure. It has a built in Intrusion Detection System, Proxy logging, and you can use Coyote Linux as a failover if you think you are being attacked. This package uses a web interface, so there's no need for a
    monitor, keyboard, or mouse. These software elements are also free. Minimum requirements are a 333Mhz system with 64MB of RAM and a 2.1GB Hard-Drive.

    2. Network Monitoring: Download a copy of F.I.R.E. and run it on a barebones 600 Mhz system. Configure and open Etherape on a monitor for an Air Traffic Controller's view of your network activity... bean counters love this. If you're being attacked or infected, you will quickly see where it's coming from. You should also use a receive only sniffer cable on this box to protect integrity... a receive only box has a zero chance of infection as it's physically impossible.

    3. Got wireless? Download and run Airsnare with a semi hyped up Wireless antenna, and you'll quickly spot any war-drivers or unauthorized network connections. If you have an old directional motorized TV antenna system lying around you can go uber-elite and connect a cheap phased array panel antenna or cantenna to locate your wireless intruder with NetStumbler. This can all equally run on a 333Mhz Windows based system.

    4. Workstation: Here's the beef... a 1.2Ghz, 512MB, 20GB computer, with dual head Matrox card, with dual booting OS (Linux & Windows), Preferably Linux with a Windows VMWARE guest OS. Trust me, once you go Dual-Head, you won't go back. The best Linux Dual-Head OS is SuSE 8.3. Tie this into the KVM to modify any of your servers.

    5. Red Phone... afterall, who doesn't want one? You're batman right?

    Your first Monitor should be watching CNN or the weather channel (depending on location), the second should be running Etherape, and the third should be running Airsnare or Windows Services Monitors (CPU, Netload, etc.) All of the software here except Windows is free, and easy to configure... except maybe your General's chair. In the end, aside from having your own
    WOPR, you have a NOC for just under $2,000.00

    William M. Nett

    Links:
    http://www.ipcop.org
    http://www.coyotel inux.com
    http://prdownloads.sourceforge.net/biatc hux/fire-0 .4a.iso?download
    http://etherape.sourceforge.net/ images/v0.5.5.png An etherape screenshot
    http://www.netstumbler.com
    http://hom e.comcast.net/~jay.deboer/airsnare/downl oad.htm

    Search Now:

    E-mail your comments to dougchick@thenetworkadministrator.com
    All rights reserved TheNetworkAdministrator.com

    Disclaimer: The Opinions shared on TheNetworkAdministra

    1. Re:The article. by Silvers · · Score: 5, Informative

      "You should also use a receive only sniffer cable on this box to protect integrity... a receive only box has a zero chance of infection as it's physically impossible."

      Am I the only one that balks at this statement? Maybe I am missing something but it does seem that even with rx-only you could be infected, just not by any connection oriented protocols? (Or maybe even still if some really strange bug crops up).

      Or am I just missing something...

    2. Re:The article. by AKnightCowboy · · Score: 3, Informative
      The idea is that whatever goes on out there will be logged/dumped, but never executed/analyzed, on this machine.

      Wrong. Go look up the RPC pre-processing and stream4 vulnerabilities in Snort. I will also add that a very common way to configure a network sensor is to have one administration interface on an internal trusted network and the other passive listen-only interface without the IP on the dirty network. With the snort vulnerabilities your machine could become infected and used to reach your internal network. Unless you've got a very very simple network that only needs one sensor with a monitor and keyboard attached you'll need some admin interface on it to reach it to dump logs and change rulesets.

    3. Re:The article. by IGnatius+T+Foobar · · Score: 4, Informative

      Kind of like making
      bash# ln -s /dev/lp /var/log/messages

      If I may nitpick ... you could also achieve the same effect, without the symbolic link, by simply pointing to /dev/lp in your /etc/syslog.conf file. That way it would write to both locations without them having to be linked together. Moreover, you could define different logging levels (for example, send everything to the text file but only critical logs to the printer).

      syslog is a wonderfully flexible facility.

      --
      Tired of FB/Google censorship? Visit UNCENSORED!
  3. NOC by chunkwhite86 · · Score: 5, Informative

    For those who are wondering...

    A NOC is a Network Operations Center. It is one room, typically filled with many displays of real-time data which display the health/status of a network.

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.
  4. Re:WOPR by Anonymous Coward · · Score: 5, Informative

    Geezus... Everyone who's a true nerd knows that the WOPR is the War Operations box that was in the movie WarGames (Matthew Broderick)....

    You know, the movie that made it absolutely *impossible* to get a dial-up into any BBS in the country for about 3 weeks after the movie came out...

    Then again, I've been hacking around since about '76, so maybe I'm just showing my age...

  5. SuSe Linux 8.3 by Anonymous Coward · · Score: 5, Informative

    >

    1. SuSe 8.3 does not exist, it's in fact either 8.2 or 9.0.
    2. There is curently no dual head driver from Matrox Parhelia. Olders Matrox's video card has dual head driver, but they don't work anymore with "recent" motherboard since motherboard's voltage is changed from 3.5 to 5 volts. And yes, 1.2 ghz-era computer are affected by this voltage change.
    3. Vmware will be too slow with this configuration do to something really useful. Especially with dual heading.
    4. This article is either a fake or a troll.

    1. Re:SuSe Linux 8.3 by RedK · · Score: 5, Informative

      Actually, I agree this article is skimpy on the meat and is pretty much useless and filled with factual errors. However, i'd like to respond to your post

      2. There is curently no dual head driver from Matrox Parhelia.

      This is of course bullcrock. Matrox does have a driver for the Parhelia based cards which supports, amongst other things, dualhead configurations (and even triple head! Yes, on Linux). The second head is not accelerated however, so it might be a bit on the slow side.

      3. Vmware will be too slow with this configuration do to something really useful. Especially with dual heading.

      Oh please. Dualheads do not noticably affect the speed of the computer it's running on. Plus, i've run Windows installation within VMware on a P2-333 with a Linux host, all running a very good speeds and using only 288 megs of RAM (2x128 + 1x32). At work, we have a workstation that's a P3-1.0ghz and it runs 2 VMware sessions with Windows 2000 Server for tests, on a Linux host busy running most of our NOC tools. This is all nice and dandy and running along smoothly.

      4. This article is either a fake or a troll.

      Actually, it's not fake since it's posted there and I don't believe it's a troll since you can see a basis for something in there. It's just very badly researched and probably as never been tested in real life. This guy needs do to a lot more trials and research before he has a fully functionning NOC capable of monitoring more than the coffee machine.

      --
      "Not to mention all the idiots who use words like boxen."
      Anonymous Coward on Monday August 04, @06:49PM
  6. Mirror by TPS+Report · · Score: 5, Informative

    Mirror Here. I'll mirror the rest of the page, as soon as he recovers from the shock and replaces the charred, smoking remains of the server he once had.

    --
    I was told that I could listen to the radio at a reasonable volume from nine to eleven...
  7. This article sucks by 0x0d0a · · Score: 5, Informative

    There is *not* a heck of a lot of content here.

    Most of the information is more than obvious to anyone interested in running a NOC (incidently, left out of the Slashdot story is that this is a *Security* NOC).

    I've seen random Slashdot posts that would be a lot more useful to someone interested in building a NOC than this thing.

    That being said, my own two cents:

    If you're using SNMP to manage your network, snmpwalk+scripts is good. If you can stomach not using open source software, Intermapper is really nice. Unfortunately, the two big open source competitors don't quite measure up -- Scotty is kind of old and grotty and rather TCL-oriented, and GxSNMP appears to be dead.

    Etherape, as suggested in the article, isn't the greatest choice either...IIRC, it doesn't support satellites, which means it needs to be running on the actual network it's monitoring. Not really acceptable for a NOC tool. Etherape is also, in my experience, rather CPU-hungry. There are a lot of commercial traffic flow visualization tools...not sure what's best, as I haven't played with many.

    All in all, while the article's worthy of a post in a random discussion, it really isn't worthy of a Slashdot story.

    --
    May we never see th
  8. psDooM? by runlvl0 · · Score: 5, Informative

    Or, perhaps someone will come up with the bright idea to let you shoot packets whilst in the 3d game...

    Kind of like psDooM (as seen on Slashdot), but at the network level? I'll betcha it could be done.

    --

    Carthago delenda est!
  9. For those of you wondering about "F.I.R.E" by Tyndareos · · Score: 4, Informative

    This is the website: http://fire.dmzs.com/

  10. Re:Please hook me up with your vendor! by richie2000 · · Score: 5, Informative
    I haven't priced VMWARE in a long time, but if memory serves, that should be near or over the 2K mark by itself.

    You need to refresh your DRAM. VMWare Workstation 4 costs $299 from vmware.com. The rest of the stuff can be had for free, more or less. 17" monitors are $100 a pop new (CRT, that is), the 1.2GHz box can be built new for around $200 (1300 Duron, 256MB RAM, 40GB disk) and the rest of them are dumpster-diving fodder. The only things in his list that actually may cost Real Money (TM) are the big screens, but you can get old 24" Sun monitors on Ebay for a song and maybe a little dance and then you just need to get/make a VGA-Sun adapter to be in business.

    --
    Money for nothing, pix for free
  11. NOC's Have a Purpose by Nazmun · · Score: 3, Informative

    Although, some companies may have NOC's for no good reason... NOC's do have their places. I am a webhost (a small one) and our servers are in datacenters with thousands (in many cases tens of thousands) of other such machines. There are always at least one or two techs around in the wee hours of the night and a NOC is most certainly necessary to monitor all these machines and the network.

    There is NO way a laptop can replace a NOC in such a case. You need a centralized area where everything is monitored. As for remote administration, it's always been pretty decent with Unix (and in our case it's linux mostly) but that just helps the NOC become more useful for us.

    --
    Hmmm... Pie...
  12. Nagios... by helzerr · · Score: 4, Informative

    How is it there is an article about a homebrew N.O.C. that doesn't mention Nagios?

  13. Re:Akamai NOC Tour by mcbridematt · · Score: 3, Informative

    yes, I got that wrong for some reason, but it suprises me how mnay people can't learn to 'patch' a link :(

    Akamai NOC tour

    Wired article about Akamai's 'gods-eye' view of the Slammer virus

  14. Re:And furthermore... by Jason+Scott · · Score: 3, Informative

    Everyone's so Anonymous Coward these days! Shame.

    Quick explanation for the shot. It's a stitched together panorama shot, using software. It didn't come out like I'd like it to, so I will obviously have to retake it at some point. There are two lisas; there's an artifact of the one lisa looking like two. If you look around it, the shelf blends as well.

    Other machines in there that might not be obvious: Vic-20s, C-64s, Apple IIc, Apple IIs (5), Macintosh SE (painted cow colors), Sun Ultra 2, Amiga 500s (3), Commodore PET (my first computer, given to me by dad when I was 9), Atari 800, and a metric ton of PC Compatibles. Oh, and a Microwave.

    As for the tree, my home is about 110 years old, and they used actual tree trunks for supporting beams. Multiple inspectors say they're as good or better than other choices for supports, so they stay. I like them, and they're great conversation pieces.

  15. Vulnerability of receive-only by puhuri · · Score: 5, Informative

    There are some vulnerabilities for passive monitoring also. A search of CERT database for snort or tcpdump gives you a following list:

    • Heap overflow in Snort "stream4" preprocessor
    • Buffer overflow in Snort RPC preprocessor
    • tcpdump enters infinite loop when parsing crafted ISAKMP packets
    • tcpdump vulnerable to buffer overflow via improper decoding of AFS RPC (Rx) packets
    • tcpdump vulnerable to buffer overflow via parsing of AFS ACL packets
    • tcpdump, ethereal vulnerable to DoS

    A listen-only box gives you some protection but it cannot be the only protection for your traffic recorder.

  16. Re:My NOC is 66 square feet,3TB of traffic by Skal+Tura · · Score: 3, Informative

    i agree with that!
    It is very simple mathematics, and a bit has to be knewn before actually trying first time(that little is that you know you can try it out:D)
    Anyways, when everyone else offers server hotel services for 150e/month minimum, this is being 1:10 shared 10mbps half-duplex con, sharing based on 'best-effort'(no qossing even oO;), with a max of 5ips... and at MAX nameserver usage for _1_ domain.

    Well, with simple arrangements, i managed to cut the price to half, plus increase the bw per user (1:7 sharing), plus putting on top: hardware firewalling, nameservers and e-mail servers.
    Didn't even make hard, and i have still several hundred percentages profit per 10mbps half-duplex link.
    and still, datacenter is in very expensive area, in the core of our capital, and not even on core but the most expensive area anywhere in our country! (well, atleast as far as i know).

    --
    Pulsed Media Seedboxes