nanog mailing list archives

Re: NOC Automation / Best Practices


From: Jared Mauch <jared () puck nether net>
Date: Wed, 8 Sep 2010 13:34:09 -0400


On Sep 8, 2010, at 12:59 PM, Martin Hotze wrote:

-----Original Message-----
Date: Wed, 08 Sep 2010 08:54:20 -0700
From: Charles N Wyble <charles () knownelement com>
Subject: NOC Automation / Best Practices
To: nanog () nanog org

 NOGGERS,

(...)
The way I see it, an ounce of prevention is worth a pound of cure.
Along
those lines, I'm putting in some mitigation techniques, which are as follows
(hopefully this will reduce the number of incidents and therefore calls
to the abuse desk). I would appreciate any feedback folks can give me.

A) Force any outbound mail through my SMTP server with AV/spam
filtering.
B) Force HTTP traffic through a SQUID proxy with SNORT/ClamAV running
(several other WISPs are doing this with fairly substantial bandwidth
savings. However I realize that many sites aren't cache friendly.
Anyone
know of a good way to check for that? Look at HTTP headers?).  Do the
bandwidth savings/security checking outweigh the increased support
calls
due to "broken" web sites?
C) Force DNS to go through my server. I hope to reduce DNS hijacking
attacks this way.

Thanks!

For any of A, B or C you won't get my business, let alone a combination of all 3. *wah!* There is too much FORCE here. :-)

So

A) is fairly common in "hotel" networks.  Make sure you are only looking at tcp/25 and not tcp/587.

B) is fairly common in "hotel" networks.  There are a lot of things you need to do to make things work "correctly".  I've found some websites will actually block you if you are behind a cache and it adds the Via: headers per standard.  I've had to turn a lot of these options off in my home setup (i.e. break standards on purpose).

You may also want to reach out to the CDNs themselves, e.g. Akamai, LLNW, etc., as they may have a way to just drop the cache in your network and send your customers there automagically.

C) is also common in a number of networks.  You may want to 'whitelist' some other common open resolvers that are intended to be open (e.g. OpenDNS).  You may be able to approach DNS operators to have them put an instance in your network.

Make sure you don't construct the network such that you're forced to do this for all subscribers.  Many WISPs have a 'flat' or simple routed network.  This is because the hardware doesn't always support nice routing protocols, e.g. OSPF/IS-IS, so you're stuck with RIP/RIPv2 (ick!).

Here are some settings that I use, to optimize for software updates and other items.  If you have a lot of Windows machines, you may need to read this page: http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

-- snip --
# hide our existence (suppress X-Forwarded-For and Via; note that
# omitting Via departs from the HTTP standard)
forwarded_for off
via off

# workaround facebook bug (do not answer Expect: 100-continue with 417)
ignore_expect_100 on

# Comcast is sometimes busted (accept DNS replies from a nameserver
# other than the one queried; the default is on)
ignore_unknown_nameservers off

# allow up to 8G to be cached
maximum_object_size 8192 MB

# allow squid daemon to get 1024 MB ahead of client
read_ahead_gap 1024 MB
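Charles asks above whether looking at HTTP headers is a reasonable way to tell which sites are "cache friendly" before putting a Squid proxy in front of subscribers. The following is an added example, not code from anyone in this thread: it applies the shared-cache rules of RFC 7234 (no-store, private, Vary: *, explicit s-maxage/max-age/Expires freshness, heuristic freshness on Last-Modified) to a set of constructed response headers and reports whether a proxy cache could usefully store each one. Treating Set-Cookie without an explicit `public` as a per-user response is a conservative assumption of this script, not an RFC rule; the sample responses are constructed, not captured from real sites.

```python
"""Classify whether a shared (proxy) cache such as Squid could usefully
store an HTTP response, judging only from the response headers."""
from email.utils import parsedate_to_datetime

# Status codes a cache may serve with heuristic freshness (RFC 7234 4.2.2).
HEURISTIC_OK = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Parse a Cache-Control header into {directive: value-or-None}."""
    out = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, has_value, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if has_value else None
    return out


def shared_cache_verdict(status, headers):
    """Return (useful_to_shared_cache, reason) for one response.

    `headers` maps header names (any case) to their values.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))

    # Hard refusals first.
    if "no-store" in cc:
        return False, "Cache-Control: no-store"
    if "private" in cc:
        return False, "Cache-Control: private (browser cache only)"
    if "no-cache" in cc:
        return False, "Cache-Control: no-cache (must revalidate every request)"
    if h.get("vary", "").strip() == "*":
        return False, "Vary: * (can never match a later request)"
    # Assumption of this script: a cookie without 'public' marks a per-user page.
    if "set-cookie" in h and "public" not in cc:
        return False, "Set-Cookie without Cache-Control: public"

    # Explicit freshness lifetime; s-maxage overrides max-age for shared caches.
    for directive in ("s-maxage", "max-age"):
        if cc.get(directive) is not None:
            try:
                ttl = int(cc[directive])
            except ValueError:
                return False, f"unparseable {directive}"
            return ttl > 0, f"{directive}={ttl}"
    if "expires" in h and "date" in h:
        try:
            ttl = (parsedate_to_datetime(h["expires"])
                   - parsedate_to_datetime(h["date"])).total_seconds()
        except (TypeError, ValueError):
            return False, "unparseable Expires (treated as already stale)"
        return ttl > 0, f"Expires is {int(ttl)}s after Date"

    # No explicit freshness: heuristic caching needs a validator and an
    # eligible status code.
    if status in HEURISTIC_OK and "last-modified" in h:
        return True, "no explicit freshness; heuristic caching on Last-Modified"
    return False, "no freshness information"


# Constructed sample responses (not captured from real sites).
SAMPLES = {
    "static-image": (200, {"Cache-Control": "public, max-age=86400",
                           "Content-Type": "image/png"}),
    "cdn-object": (200, {"Cache-Control": "max-age=60, s-maxage=3600"}),
    "logged-in-page": (200, {"Cache-Control": "private, max-age=600",
                             "Set-Cookie": "sid=abc"}),
    "legacy-expires": (200, {"Date": "Wed, 08 Sep 2010 17:34:09 GMT",
                             "Expires": "Wed, 08 Sep 2010 18:34:09 GMT"}),
    "old-style-static": (200, {"Last-Modified": "Tue, 07 Sep 2010 10:00:00 GMT"}),
    "dynamic-no-hints": (200, {"Content-Type": "text/html"}),
}


def survey(samples=SAMPLES):
    """Return {name: (cacheable, reason)} for every sample response."""
    return {name: shared_cache_verdict(status, hdrs)
            for name, (status, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in survey().items():
        print(f"{name:18} {'CACHEABLE' if ok else 'uncacheable':12} {why}")
```

Run against live sites, the same function fed the headers from a HEAD request gives a quick per-URL estimate of how much of a subscriber base's traffic a Squid box could actually serve from cache, before committing to the support load Jared describes.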


