On Thu, May 24, 2012 at 08:50:47AM -0400, not common wrote:
Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Is there any regulations that prohibit or provide guidance on this?
From what I've heard customers say, this would likely cause less offense
Unless you are absolutely huge, and maybe even then, you need to worry more about how your customers will perceive this than how law enforcement will perceive this. (I mean, you want to follow the law, sure, but even if it's legal, if it cheeses the customers? well, you have a problem.) More to the point, like most on this list, law isn't my field. In my experience? customers get really, really uncomfortable with you doing, well, almost anything below the headers. I was talking about doing a inward facing snort IDS (to detect compromised hosts before I got complaints) and got so far as a prototype where I shared the info I recorded about each IP with the customer in question, but talking to customers? this idea was extremely offensive, so the project was quashed. Now, generally speaking, customers are much more okay with you going through the IP headers. For instance, instead of using an IDS, I could, say, count the number of outgoing connections destined for port 22 or 25, or the same but count how many unique destinations they use (e.g. to avoid MX host or ssh tunneling false positives... both of those use cases would have a lot of connections on those ports, but to a small number of remote hosts.) than using snort or the like to do full packet inspection. (it wouldn't be completely inoffensive, but I think that if I wiped the logs often and shared my data with the customer, it sounds like something that customers would tolerate.) I haven't prototyped that system yet, though, so eh, who knows.