Re: What are y'all doing for CALEA compliance?

[Christopher Morrow <morrowc.lists () gmail com>]

On Fri, Mar 15, 2013 at 11:32 AM, Joshua Goldbard <j () 2600hz com> wrote:
> God I want one of those PA firewalls just to play with in the lab. I can't
> justify the expense, but as far as firewalls go they're gorgeous. From the
> chassis to the UI, PA is just doing it right.
>
> If anyone has a different experience, I'd love to hear it.

for any firewall/appliance .. ask this:
  "How can I manage 200 of these things remotely"

UI is pretty and nice and cool.. but utterly useless if you have more
than 1 of the things.
also, a firewall is a firewall is a firewall... they all do the basics
(nat/filter/'proxy') nothing else in that category really matters...
management matters.

> Sent from my iPad
>
> On Mar 15, 2013, at 8:29 AM, "Warren Bailey"
> <wbailey () satelliteintelligencegroup com> wrote:
>
> We used 7206vxr with the lawful intercept mib, and some DPI jazz from Palo
> Alto. Worked okay, never did have to execute a warrant or anything.
>
>
> From my Android phone on T-Mobile. The first nationwide 4G network.
>
>
>
> -------- Original message --------
> From: Joshua Goldbard <j () 2600hz com>
> Date: 03/15/2013 8:25 AM (GMT-08:00)
> To: Christopher Morrow <morrowc.lists () gmail com>
> Cc: NANOG <nanog () nanog org>
> Subject: Re: What are y'all doing for CALEA compliance?
>
>
> I am not a lawyer, this is not legal advice. If you make decisions about
> what you should be doing in your business based solely on emails from
> strangers you won't do well. Get a second opinion from a lawyer.
>
> This comes up about once every 6 months on the voice ops mailing list. If
> you are a CLEC and you are not CALEA compliant, you are in for a world of
> hurt.
>
> If you're a non-facilities based reseller this is open for interpretation,
> but many folks believe that if you don't have gear inside the carrier pops,
> you aren't subject to CALEA. In practice, who is and who isn't effected by
> CALEA is directly proportional to the number of CALEA requests to your
> network (ergo, if you don't have any CALEA requests no one cares if you're
> out of compliance).
>
> That being said, there are further problems underfoot. CALEA does not
> specify what technologies should be used when presenting the data to law
> enforcement, I forget the exact wording but its something like "a reasonable
> format". CDRs are not sufficient as CALEA requires the ability to tap
> sessions, but in the past we've seen most legal requests placated with an
> excel sheet.
>
> As far as monitoring your connection, if your 10gig is coming in over fiber
> you should just buy a vampire tap and be done with it.
>
> I hope this helps, but CALEA is inherently messy.
>
> Cheers,
> Joshua
>
> Sent from my iPad
>
> On Mar 15, 2013, at 8:07 AM, "Christopher Morrow" <morrowc.lists () gmail com>
> wrote:
>
> > On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch <uwcableguy () gmail com> wrote:
> > > What are you RENs out there doing for CALEA compliance?  Is there
> > > actually
> >
> > being happy we solved it 6 yrs ago?
> >
> > > any teeth to the law?  Our systems guys have tried a product called 'Open
> >
> > teeth as in the 100k/day fine?
> >
> > > CALEA' but the router and the server simply can't keep up with mirroring
> > > from a 10Gbps connection into a 1Gbps link.  I'm no legal expert
> >
> > that seems like a suboptimal design ... why would you mirror 10lbs of
> > poo into a 1lb bag? that seems like it's bound to fail from the
> > get-go.
> >
> > > either....any lawyers on this list?
> >
> > you should find a lawyer... srsly.
> >
> > > Thanks for all the great advice.  This is a great community!
> >
> > -chris