On Fri, Mar 15, 2013 at 11:32 AM, Joshua Goldbard <j...@2600hz.com> wrote:
> God I want one of those PA firewalls just to play with in the lab. I can't
> justify the expense, but as far as firewalls go they're gorgeous. From the
> chassis to the UI, PA is just doing it right.
>
> If anyone has a different experience, I'd love to hear it.

for any firewall/appliance .. ask this:
"How can I manage 200 of these things remotely"

UI is pretty and nice and cool.. but utterly useless if you have more
than 1 of the things.

also, a firewall is a firewall is a firewall... they all do the basics
(nat/filter/'proxy') nothing else in that category really matters...
management matters.

>
> Sent from my iPad
>
> On Mar 15, 2013, at 8:29 AM, "Warren Bailey"
> <wbai...@satelliteintelligencegroup.com> wrote:
>
> We used 7206vxr with the lawful intercept mib, and some DPI jazz from Palo
> Alto. Worked okay, never did have to execute a warrant or anything.
>
>
> From my Android phone on T-Mobile. The first nationwide 4G network.
>
>
>
> -------- Original message --------
> From: Joshua Goldbard <j...@2600hz.com>
> Date: 03/15/2013 8:25 AM (GMT-08:00)
> To: Christopher Morrow <morrowc.li...@gmail.com>
> Cc: NANOG <nanog@nanog.org>
> Subject: Re: What are y'all doing for CALEA compliance?
>
>
> I am not a lawyer, this is not legal advice. If you make decisions about
> what you should be doing in your business based solely on emails from
> strangers you won't do well. Get a second opinion from a lawyer.
>
> This comes up about once every 6 months on the voice ops mailing list. If
> you are a CLEC and you are not CALEA compliant, you are in for a world of
> hurt.
>
> If you're a non-facilities based reseller this is open for interpretation,
> but many folks believe that if you don't have gear inside the carrier pops,
> you aren't subject to CALEA. In practice, who is and who isn't affected by
> CALEA is directly proportional to the number of CALEA requests to your
> network (ergo, if you don't have any CALEA requests no one cares if you're
> out of compliance).
>
> That being said, there are further problems underfoot. CALEA does not
> specify what technologies should be used when presenting the data to law
> enforcement, I forget the exact wording but it's something like "a reasonable
> format".
> CDRs are not sufficient as CALEA requires the ability to tap
> sessions, but in the past we've seen most legal requests placated with an
> Excel sheet.
>
> As far as monitoring your connection, if your 10gig is coming in over fiber
> you should just buy a vampire tap and be done with it.
>
> I hope this helps, but CALEA is inherently messy.
>
> Cheers,
> Joshua
>
> Sent from my iPad
>
> On Mar 15, 2013, at 8:07 AM, "Christopher Morrow" <morrowc.li...@gmail.com>
> wrote:
>
>> On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch <uwcable...@gmail.com> wrote:
>>> What are you RENs out there doing for CALEA compliance? Is there
>>> actually
>>
>> being happy we solved it 6 yrs ago?
>>
>>> any teeth to the law? Our systems guys have tried a product called 'Open
>>
>> teeth as in the 100k/day fine?
>>
>>> CALEA' but the router and the server simply can't keep up with mirroring
>>> from a 10Gbps connection into a 1Gbps link. I'm no legal expert
>>
>> that seems like a suboptimal design ... why would you mirror 10lbs of
>> poo into a 1lb bag? that seems like it's bound to fail from the
>> get-go.
>>
>>> either....any lawyers on this list?
>>
>> you should find a lawyer... srsly.
>>
>>> Thanks for all the great advice. This is a great community!
>>
>> -chris