Slashdot Mirror


Build Your Own NOC

Geminus writes "Ever wanted to build a cheap NOC but had difficulty explaining tech stuff to bean counting managers? Here's the basics on building one for under two grand. Makes for a pretty good dog-n-pony show, and proves useful too! Damn, I want to be an Armchair Network Operations Center General."

25 of 267 comments

  1. Speed kills computers. by Anonymous Coward · · Score: 5, Funny

    NOC=Nitrous Oxide Computing.

  2. Just add... by neiffer · · Score: 5, Funny

    Just add an LCD projector and I can play a 3d shooter on the big screen while keeping track of network packets.

  3. Re:hmmm...4 comments and it's slashdotted? by germanbird · · Score: 5, Funny

    Obviously the Armchair Network Operations Center Generals did not prepare a contingency plan for the slashdot effect...

  4. The article. by Anonymous Coward · · Score: 5, Informative

    How to build a cheap Security NOC
    William M. Nett

    The Network Operations Center or NOC is the cornerstone of all computer networks. I've worked at AT&T's NOC, been around Government NOCs and seen small scaled versions. Most look like something out of the movie, "WarGames" and surprisingly, whether you're a Linux or Windows fan you can build one for cheap and be your own armchair NOC General.

    What does a NOC do? It monitors connections, network activity, spots problems, conducts threat assessments, and calculates scalability requirements with customer demands... it also puts on a pretty good "dog-n-pony" show for potential investors and customers.

    What's required? Again, surprisingly not too much! Depending on the size of your company, this can be achieved with as little as an 8' X 10' room, and 4 computers. Trust me, you more than likely do not need a $15,000 Cisco PIX or Nokia firewall (which runs Linux derivatives).

    You'll need at least three big monitors (the bigger the better), two smaller ones (17"), a KVM switch, and OOB dialup. Here's the loadout:

    1. Firewall: Get a copy of IPCOP... it's Smoothwall on steroids and very easy to configure. It has a built-in Intrusion Detection System, proxy logging, and you can use Coyote Linux as a failover if you think you are being attacked. This package uses a web interface, so there's no need for a monitor, keyboard, or mouse. These software elements are also free. Minimum requirements are a 333MHz system with 64MB of RAM and a 2.1GB hard drive.

    2. Network Monitoring: Download a copy of F.I.R.E. and run it on a barebones 600MHz system. Configure and open Etherape on a monitor for an Air Traffic Controller's view of your network activity... bean counters love this. If you're being attacked or infected, you will quickly see where it's coming from. You should also use a receive only sniffer cable on this box to protect integrity... a receive only box has a zero chance of infection as it's physically impossible.

    3. Got wireless? Download and run Airsnare with a semi hyped-up wireless antenna, and you'll quickly spot any war-drivers or unauthorized network connections. If you have an old directional motorized TV antenna system lying around you can go uber-elite and connect a cheap phased array panel antenna or cantenna to locate your wireless intruder with NetStumbler. This can all equally run on a 333MHz Windows-based system.

    4. Workstation: Here's the beef... a 1.2GHz, 512MB, 20GB computer with a dual-head Matrox card and a dual-booting OS (Linux & Windows), preferably Linux with a Windows VMWARE guest OS. Trust me, once you go Dual-Head, you won't go back. The best Linux Dual-Head OS is SuSE 8.3. Tie this into the KVM to modify any of your servers.

    5. Red Phone... after all, who doesn't want one? You're Batman, right?

    Your first monitor should be watching CNN or the Weather Channel (depending on location), the second should be running Etherape, and the third should be running Airsnare or Windows service monitors (CPU, Netload, etc.). All of the software here except Windows is free, and easy to configure... except maybe your General's chair. In the end, aside from having your own WOPR, you have a NOC for just under $2,000.00.

    William M. Nett

    Links:
    http://www.ipcop.org
    http://www.coyotelinux.com
    http://prdownloads.sourceforge.net/biatchux/fire-0.4a.iso?download
    http://etherape.sourceforge.net/images/v0.5.5.png (an Etherape screenshot)
    http://www.netstumbler.com
    http://home.comcast.net/~jay.deboer/airsnare/download.htm

    All rights reserved TheNetworkAdministrator.com

    1. Re:The article. by Silvers · · Score: 5, Informative

      "You should also use a receive only sniffer cable on this box to protect integrity... a receive only box has a zero chance of infection as it's physically impossible."

      Am I the only one that balks at this statement? Maybe I am missing something but it does seem that even with rx-only you could be infected, just not by any connection oriented protocols? (Or maybe even still if some really strange bug crops up).

      Or am I just missing something...

    2. Re:The article. by KrispyKringle · · Score: 5, Insightful

      Probably right. I've wondered about this before, when seeing these statements. But at least you don't have to worry about leaking information or being used as an intermediate host in an attack. Worst case is essentially a DoS. On the other hand, were this a logging host, you could conceivably infect it as you mentioned, download to it a simple program (you'd have to hope you download it right, since there won't be any way to do TCP-style checksumming, I suppose) and have it grep through the logs to remove entries with your IP address or whatever, all automatically. No? But that'd be a bitch of an exploit, if you could pull it all off all one way.

    3. Re:The article. by boaworm · · Score: 5, Interesting

      Another way of doing that is to connect the machines with a Hub instead of a Switch, and have one machine configured without an IP, only raw logging of network traffic.

      The idea is that whatever goes on out there will be logged/dumped, but never executed/analyzed, on this machine. And since it has no IP, it does not show and cannot be addressed. So if you have an intrusion, this machine is uncontactable, but still will hold all network traffic for you to analyze later.

      Kind of like making
      bash# ln -s /dev/lp /var/log/messages

      Pretty hard to clear up the trace now, huh ? :)

      --
      Probable impossibilities are to be preferred to improbable possibilities.
      Aristotle

  5. NOC by chunkwhite86 · · Score: 5, Informative

    For those who are wondering...

    A NOC is a Network Operations Center. It is one room, typically filled with many displays of real-time data which display the health/status of a network.

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.

  6. The scary thing is.... by beeudoublez · · Score: 5, Interesting

    what if your boss/manager saw this and decided this is all you needed for your budget?
    Hard to justify higher costs when your proof of concept is some webpage discovered by your boss, we've all been there.

  7. Re:WOPR by Anonymous Coward · · Score: 5, Informative

    Geezus... Everyone who's a true nerd knows that the WOPR is the War Operations box that was in the movie WarGames (Matthew Broderick)....

    You know, the movie that made it absolutely *impossible* to get a dial-up into any BBS in the country for about 3 weeks after the movie came out...

    Then again, I've been hacking around since about '76, so maybe I'm just showing my age...

  8. Re:hmmm...4 comments and it's slashdotted? by lithiumcloud · · Score: 5, Funny

    it's supposed to be a really cheap noc. go figure.

    --
    This space intentionally left blank.

  9. SuSe Linux 8.3 by Anonymous Coward · · Score: 5, Informative

    1. SuSe 8.3 does not exist; it's in fact either 8.2 or 9.0.
    2. There is currently no dual head driver for the Matrox Parhelia. Older Matrox video cards have dual head drivers, but they don't work anymore with "recent" motherboards, since the motherboard's voltage changed from 3.5 to 5 volts. And yes, 1.2 GHz-era computers are affected by this voltage change.
    3. VMware will be too slow with this configuration to do something really useful, especially with dual heading.
    4. This article is either a fake or a troll.

    1. Re:SuSe Linux 8.3 by RedK · · Score: 5, Informative

      Actually, I agree this article is skimpy on the meat and is pretty much useless and filled with factual errors. However, I'd like to respond to your post:

      2. There is currently no dual head driver for the Matrox Parhelia.

      This is of course bullcrock. Matrox does have a driver for the Parhelia based cards which supports, amongst other things, dualhead configurations (and even triple head! Yes, on Linux). The second head is not accelerated however, so it might be a bit on the slow side.

      3. VMware will be too slow with this configuration to do something really useful. Especially with dual heading.

      Oh please. Dual heads do not noticeably affect the speed of the computer they're running on. Plus, I've run Windows installations within VMware on a P2-333 with a Linux host, all running at very good speeds and using only 288 megs of RAM (2x128 + 1x32). At work, we have a workstation that's a P3-1.0GHz and it runs 2 VMware sessions with Windows 2000 Server for tests, on a Linux host busy running most of our NOC tools. This is all nice and dandy and running along smoothly.

      4. This article is either a fake or a troll.

      Actually, it's not fake since it's posted there, and I don't believe it's a troll since you can see a basis for something in there. It's just very badly researched and probably has never been tested in real life. This guy needs to do a lot more trials and research before he has a fully functioning NOC capable of monitoring more than the coffee machine.

      --
      "Not to mention all the idiots who use words like boxen."
      Anonymous Coward on Monday August 04, @06:49PM

  10. For a real opensource NOC by losttoy · · Score: 5, Interesting

    You need:
    1. A good network management system (Open-NMS)
    2. A good systems monitoring system (MRTG+RRD Tool)
    3. A good helpdesk software to follow trouble tickets.

    1. Re:For a real opensource NOC by Anonymous Coward · · Score: 5, Insightful

      Unfortunately, as someone who has had to support real NOCs for real networks on a tight budget, I can state without reservation that the open source tools you mention (MRTG/RRD, OpenNMS) are mediocre to the point of unusability.

      Some people might find this puzzling, but the best NOC systems I've used on tight budgets were homegrown applications, usually after trying out and discovering the deficiencies of the open source tools. It isn't that hard to write a good NMS, but once someone rolls their own good one in-house, it rarely gets released into the wild. For that matter, many of the commercial packages are steaming piles, so if you have a talented programmer or two on staff, you can add value to your company by just writing your own NMS and not waste time with mediocre packages.

      This is one of those things that SOMEONE could do well in the open source domain, but I haven't seen it. When someone hacks together the foundation of a really slick NMS at some company that needs it, it inevitably becomes a competitive asset and therefore cloistered in the bowels of engineering. Having a killer NMS is a significant competitive advantage, and the field is populated with enough mediocre solutions right now that there is significant financial pressure to keep NMS code bases proprietary.

  11. Re:Just one minor change... by jkitchel · · Score: 5, Funny

    No CNN please.... if you have any sense of self-esteem, that is.

    Ok, fine. Make that Fox News then.
    *runs for cover*

  12. My NOC is 66 square feet,3TB of traffic by Anonymous Coward · · Score: 5, Interesting

    Bashed out a window so a fan can circulate air, installed 4 of the cheap open frame racks, use an OpenBSD firewall and all of our servers run FreeBSD. It costs next to nothing to set up. Idiots down the hall from us spend $1.5 million on their room, $100K just for the air conditioner. The funny thing is they do 1/100th of the traffic we do. Believe me, the "IT" industry is set up to rip you off if you don't know what you're doing. This stuff can be done a lot cheaper than the suits lead you to believe. This is how we survived the bubble while the floor outside our door got marked up from other occupants' expensive equipment getting moved in, and then out!

  13. Mirror by TPS+Report · · Score: 5, Informative

    Mirror Here. I'll mirror the rest of the page, as soon as he recovers from the shock and replaces the charred, smoking remains of the server he once had.

    --
    I was told that I could listen to the radio at a reasonable volume from nine to eleven...

  14. This article sucks by 0x0d0a · · Score: 5, Informative

    There is *not* a heck of a lot of content here.

    Most of the information is more than obvious to anyone interested in running a NOC (incidentally, left out of the Slashdot story is that this is a *Security* NOC).

    I've seen random Slashdot posts that would be a lot more useful to someone interested in building a NOC than this thing.

    That being said, my own two cents:

    If you're using SNMP to manage your network, snmpwalk+scripts is good. If you can stomach not using open source software, Intermapper is really nice. Unfortunately, the two big open source competitors don't quite measure up -- Scotty is kind of old and grotty and rather TCL-oriented, and GxSNMP appears to be dead.

    Etherape, as suggested in the article, isn't the greatest choice either...IIRC, it doesn't support satellites, which means it needs to be running on the actual network it's monitoring. Not really acceptable for a NOC tool. Etherape is also, in my experience, rather CPU-hungry. There are a lot of commercial traffic flow visualization tools...not sure what's best, as I haven't played with many.

    All in all, while the article's worthy of a post in a random discussion, it really isn't worthy of a Slashdot story.

  15. psDooM? by runlvl0 · · Score: 5, Informative

    Or, perhaps someone will come up with the bright idea to let you shoot packets whilst in the 3d game...

    Kind of like psDooM (as seen on Slashdot), but at the network level? I'll betcha it could be done.

    --

    Carthago delenda est!

  16. Re:Please hook me up with your vendor! by richie2000 · · Score: 5, Informative

    > I haven't priced VMWARE in a long time, but if memory serves, that should be near or over the 2K mark by itself.

    You need to refresh your DRAM. VMWare Workstation 4 costs $299 from vmware.com. The rest of the stuff can be had for free, more or less. 17" monitors are $100 a pop new (CRT, that is), the 1.2GHz box can be built new for around $200 (1300 Duron, 256MB RAM, 40GB disk) and the rest of them are dumpster-diving fodder. The only things in his list that actually may cost Real Money (TM) are the big screens, but you can get old 24" Sun monitors on Ebay for a song and maybe a little dance and then you just need to get/make a VGA-Sun adapter to be in business.

    --
    Money for nothing, pix for free

  17. Dual-headed video by John+Courtland · · Score: 5, Interesting

    ...is indeed the greatest thing since sliced bread. I've had it for about 2.5 years now, and one day when my primary monitor went out, I almost couldn't function. Being able to have Visual Studio open in one screen and all sorts of docs and a web browser in the other, I don't know how I did it before...

    In the same vein, nVidia included a really nice feature in their latest drivers (I think it's been around since the 4x.xx series, but it wasn't as refined) that lets you "throw" a window. Pure genius, whoever invented that. With 2048 pixels of desktop space, it actually takes over an entire mousepad to move a window across the desktop. With throwing, I just flick my mouse. If I have a few IM windows open, a few Putty terminals, etc etc, it's great to just get stuff out of the way real fast and put it all into a known area.

    --
    Slashdot is proof that Sturgeon's Law applies to mankind.

  18. please say no to unexplained acronyms by altaic · · Score: 5, Insightful

    It would really be better if stories like this were not chosen for the front page. Whenever a story is posted with unexplained acronyms, tons more people click the links to see wtf it's talking about. More people who don't care about the actual (obscured) topic needlessly eat up the bandwidth, and the links are slashdotted much sooner. I know this is off-topic, however it does pertain to this story...

  19. Vulnerability of receive-only by puhuri · · Score: 5, Informative

    There are some vulnerabilities for passive monitoring also. A search of the CERT database for snort or tcpdump gives you the following list:

    • Heap overflow in Snort "stream4" preprocessor
    • Buffer overflow in Snort RPC preprocessor
    • tcpdump enters infinite loop when parsing crafted ISAKMP packets
    • tcpdump vulnerable to buffer overflow via improper decoding of AFS RPC (Rx) packets
    • tcpdump vulnerable to buffer overflow via parsing of AFS ACL packets
    • tcpdump, ethereal vulnerable to DoS

    A listen-only box gives you some protection but it cannot be the only protection for your traffic recorder.
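    Taking boaworm's hub-plus-no-IP trick together with the point above that the capture software itself is attack surface, here is an added example (not from the article or any poster in this thread) of how a defender would set up and verify such a listen-only sensor on Linux. It assumes iproute2 and tcpdump are installed; the interface eth1, the directory /var/cap and the user nobody are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or the thread. Assumes Linux with
# iproute2 and tcpdump; eth1, /var/cap and the user nobody are placeholders.

# Commands that make a hub- or tap-connected port listen-only: no address,
# no ARP replies, promiscuous so it sees everyone's frames. Without an
# address or ARP the box cannot be addressed, which is the whole point.
passive_iface_cmds() {
    iface="$1"
    printf 'ip addr flush dev %s\n' "$iface"
    printf 'ip link set dev %s arp off promisc on up\n' "$iface"
    printf 'sysctl -w net.ipv6.conf.%s.disable_ipv6=1\n' "$iface"
}

# Capture command: -w writes raw pcap and never runs the protocol printers
# where the CERT entries above live, -n avoids name lookups, -Z drops root
# once the socket is open so a parser bug gains little, -G rotates files
# hourly so decoding happens later on another machine, not on the sensor.
capture_cmd() {
    iface="$1"; outdir="$2"; user="$3"
    printf 'tcpdump -i %s -n -w %s/cap-%%Y%%m%%d-%%H%%M.pcap -G 3600 -Z %s\n' \
        "$iface" "$outdir" "$user"
}

# Check, from `ip addr show dev IFACE` output on stdin, that the port is
# really passive: no inet/inet6 address, NOARP and PROMISC flags present.
iface_is_passive() {
    out="$(cat)"
    printf '%s\n' "$out" | grep -Eq '^ *inet6? ' && return 1
    printf '%s\n' "$out" | grep -q 'NOARP' || return 1
    printf '%s\n' "$out" | grep -q 'PROMISC' || return 1
    return 0
}

# Constructed `ip addr show` outputs for the good and the bad case.
PASSIVE_SAMPLE='3: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
ADDRESSED_SAMPLE='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# Stand-alone run on the constructed samples (no root needed).
printf '%s\n' "$PASSIVE_SAMPLE" | iface_is_passive && echo "sample 1: passive"
printf '%s\n' "$ADDRESSED_SAMPLE" | iface_is_passive || echo "sample 2: NOT passive, has an address"
passive_iface_cmds eth1
capture_cmd eth1 /var/cap nobody
```

Run iface_is_passive against the real `ip addr show dev eth1` output from cron so a stray DHCP client or a helpful colleague assigning an address to the sniffer port gets noticed.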

  20. CNN by pyite · · Score: 5, Interesting

    Can't underestimate the importance of some news channel on at all times. During August of this year, we were in our NOC and we saw our power blip for a second and heard the UPS alarms from the adjacent machine room. Shortly thereafter, we found out we were on diesel power. Our monitoring tools began to show remote devices going down, some coming back, some not. I noticed my SSH session to home died around the same time. I began to worry. I called my house to see if my answering machine would pick up. No dice. It was at this point we realized a big power failure had hit us. A few minutes later, the reports started coming in on CNN that all of New York had gone down, etc. Eventually it all made sense, but it was definitely important to have CNN... even if we knew about the power failure before they did.

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman