Re: NOC Automation / Best Practices

[khatfield () socllc net]

We run a *free* WISP and block 25 but I'm not sure why you would want to force all traffic through it. That's a touchy 
argument but it would really bother me as a paying subscriber.

We use customized squid to haproxy (custom) to route traffic. Our main business is ddos protection and we use 
datacenters in multiple places. However, when we wanted to offer free wireless out of our office in Oxford, MS we found 
getting 10Mbps+ of bandwidth was nearly impossible.

So we setup a few caching load balancers in the Oxford office which connect out through two load-balanced proxy systems 
sitting in the datacenter on 1Gbps connections.

Works well - some sites cannot be cached but we are able to enforce gzip compression on everything, cache dns, images, 
etc.

We get upwards of 100 users concurrently. Works beautifully - we can see our office pushing 40Mbps+ and the downstream 
at 5Mbps or less (total available we have is 2x10Mbps links). 

Requires some serious tuning but if you got time, this is the way to go.

We do block bittorrent traffic which we find more of a threat than properly monitored smtp traffic.
-----Original Message-----
From: Martin Hotze <M.Hotze () hotze com>
Date: Wed, 8 Sep 2010 16:59:14 
To: nanog () nanog org<nanog () nanog org>
Subject: RE: NOC Automation / Best Practices

> -----Original Message-----
> Date: Wed, 08 Sep 2010 08:54:20 -0700
> From: Charles N Wyble <charles () knownelement com>
> Subject: NOC Automation / Best Practices
> To: nanog () nanog org
>
>   NOGGERS,
>
> (...)
> The way I see it, an ounce of prevention is worth a pound of cure.
> Along
> those lines, I'm putting in some mitigation techniques are as follows
> (hopefully this will reduce the number of incidents and therefore calls
> to the abuse desk). I would appreciate any feedback folks can give me.
>
> A) Force any outbound mail through my SMTP server with AV/spam
> filtering.
> B) Force HTTP traffic through a SQUID proxy with SNORT/ClamAV running
> (several other WISPs are doing this with fairly substantial bandwidth
> savings. However I realize that many sites aren't cache friendly.
> Anyone
> know of a good way to check for that? Look at HTTP headers?).  Do the
> bandwidth savings/security checking outweigh the increased support
> calls
> due to "broken" web sites?
> C) Force DNS to go through my server. I hope to reduce DNS hijacking
> attacks this way.
>
> Thanks!

For either A, B or C you won't get my business, let alone a combination of all 3. *wah!* There is too much FORCE here. 
:-)

#m