Website Dedicated to Computer Professionals...and
some not so Professional
How to build a cheap Security NOC William M. Nett
The Network Operations Center or NOC is the cornerstone of all computer
networks. I've worked at AT&T's NOC, been around Government NOCs and
seen small scaled versions. Most look like something out of the movie,
"WarGames" and surprisingly, whether you're a Linux or Windows fan
you can build one for cheap and be your own armchair NOC General.
What does a NOC do? It monitors connections,
network activity, spots problems, conducts threat assessments, and
calculates scalability requirements with customer demands... it also puts on
a pretty good "dog-n-pony" show for potential investors and
What's required? Again, surprisingly not too much!
Depending on the size of your company, this can be achieved with as little
as an 8' X 10' room, and 4 computers. Trust me, you more than likely do not
need a $15,000 Cisco PIX or Nokia firewall (which runs Linux derivatives).
You'll need at least three big monitors (the bigger
the better), two smaller ones (17"), a KVM switch, and OOB dialup.
Here's the loadout:
1. Firewall: Get a copy of IPCOP... its
Smoothwall on steroids and very easy to configure. It has a built in
Intrusion Detection System, Proxy logging, and you can use Coyote Linux as a
failover if you think you are being attacked. This package uses a web
interface, so there's no need for a
monitor, keyboard, or mouse. These software elements are also free. Minimum
requirements are a 333Mhz system with 64MB of RAM and a 2.1GB Hard-Drive.
2. Network Monitoring: Download a copy of F.I.R.E.
and run it on a barebones 600 Mhz system. Configure and open Etherape on a
monitor for an Air Traffic Controller's view of your network activity...
bean counters love this. If you're being attacked or infected, you will
quickly see where it's coming from. You should also use a receive only
sniffer cable on this box to protect integrity... a receive only box has a
zero chance of infection as it's physically impossible.
3. Got wireless? Download and run Airsnare with a semi
hyped up Wireless antenna, and you'll quickly spot any war-drivers or
unauthorized network connections. If you have an old directional motorized
TV antenna system lying around you can go uber-elite and connect a cheap
phased array panel antenna or cantenna to locate your wireless intruder with
NetStumbler. This can all equally run on a 333Mhz Windows based
4. Workstation: Here's the beef... a 1.2Ghz, 512MB,
20GB computer, with dual head Matrox card, with dual booting OS (Linux &
Windows), Preferably Linux with a Windows VMWARE guest OS. Trust me, once
you go Dual-Head, you won't go back. The best Linux Dual-Head OS is SuSE
8.3. Tie this into the KVM to modify any of your servers.
5. Red Phone... afterall, who doesn't want one?
You're batman right?
Your first Monitor should be watching CNN or the
weather channel (depending on location), the second should be running
Etherape, and the third should be running Airsnare or Windows Services
Monitors (CPU, Netload, etc.) All of the software here except Windows is
free, and easy to configure... except maybe your General's chair. In the
end, aside from having your own
WOPR, you have a NOC for just under $2,000.00