What are y'all doing for CALEA compliance?
What are you RENs out there doing for CALEA compliance? Are there actually any teeth to the law? Our systems guys have tried a product called 'Open CALEA' but the router and the server simply can't keep up with mirroring from a 10Gbps connection into a 1Gbps link. I'm no legal expert either... any lawyers on this list?

Thanks for all the great advice. This is a great community!

-ben
On Fri, Mar 15, 2013 at 9:38 AM, Ben Bartsch <uwcableguy@gmail.com> wrote:
> What are you RENs out there doing for CALEA compliance?

being happy we solved it 6 yrs ago?

> Are there actually any teeth to the law?

teeth as in the 100k/day fine?

> Our systems guys have tried a product called 'Open CALEA' but the router and the server simply can't keep up with mirroring from a 10Gbps connection into a 1Gbps link.

that seems like a suboptimal design... why would you mirror 10 lbs of poo into a 1 lb bag? that seems like it's bound to fail from the get-go.

> I'm no legal expert either... any lawyers on this list?

you should find a lawyer... srsly.

> Thanks for all the great advice. This is a great community!

-chris
I am not a lawyer, this is not legal advice. If you make decisions about what you should be doing in your business based solely on emails from strangers you won't do well. Get a second opinion from a lawyer.

This comes up about once every 6 months on the voice ops mailing list. If you are a CLEC and you are not CALEA compliant, you are in for a world of hurt.

If you're a non-facilities-based reseller this is open for interpretation, but many folks believe that if you don't have gear inside the carrier POPs, you aren't subject to CALEA. In practice, who is and who isn't affected by CALEA is directly proportional to the number of CALEA requests to your network (ergo, if you don't have any CALEA requests no one cares if you're out of compliance).

That being said, there are further problems underfoot. CALEA does not specify what technologies should be used when presenting the data to law enforcement; I forget the exact wording but it's something like "a reasonable format". CDRs are not sufficient as CALEA requires the ability to tap sessions, but in the past we've seen most legal requests placated with an Excel sheet.

As far as monitoring your connection, if your 10gig is coming in over fiber you should just buy a vampire tap and be done with it.

I hope this helps, but CALEA is inherently messy.

Cheers,
Joshua
We used a 7206VXR with the Lawful Intercept MIB, and some DPI jazz from Palo Alto. Worked okay, never did have to execute a warrant or anything.
God I want one of those PA firewalls just to play with in the lab. I can't justify the expense, but as far as firewalls go they're gorgeous. From the chassis to the UI, PA is just doing it right.

If anyone has a different experience, I'd love to hear it.
On Fri, Mar 15, 2013 at 11:32 AM, Joshua Goldbard <j@2600hz.com> wrote:
> God I want one of those PA firewalls just to play with in the lab. I can't justify the expense, but as far as firewalls go they're gorgeous. From the chassis to the UI, PA is just doing it right.
> If anyone has a different experience, I'd love to hear it.

for any firewall/appliance... ask this: "How can I manage 200 of these things remotely?"

UI is pretty and nice and cool... but utterly useless if you have more than 1 of the things. also, a firewall is a firewall is a firewall... they all do the basics (NAT/filter/'proxy'), nothing else in that category really matters... management matters.
On Mar 15, 2013 11:37 AM, "Christopher Morrow" <morrowc.lists@gmail.com> wrote:
> for any firewall/appliance... ask this: "How can I manage 200 of these things remotely?"
> UI is pretty and nice and cool... but utterly useless if you have more than 1 of the things. also, a firewall is a firewall is a firewall... they all do the basics (NAT/filter/'proxy'), nothing else in that category really matters... management matters.

I know I'm necro'ing a thread, but PA has a centralized management product called Panorama. I threw up a Panorama VM the other day at work and I was thoroughly impressed with how easy it was to set up ("establish SIC? What's that?") and the slick management UI on Panorama that basically mirrors the normal PA UI.

The App-ID thing that PA implemented *does* matter in my humble opinion... being able to say "allow specifically traffic that looks and smells like RADIUS" instead of "allow UDP 1812 and 1813" is neato. PA has had some rough edges (their client VPN solution for Windows and OS X is not ready for prime time in my opinion) but this is one thing they nailed.

Chris Morrow - if it's in your budget you can pick up a PA-200 on eBay for like $1k. I've only played with PA over the year and a half I've been with my current employer, but they've got a neat product. I've been tempted to buy one for the house even, honestly... having URL filtering, SSL decrypt, SSH decrypt (via man-in-the-middle), App-ID, some basic DLP and even some malware analysis (WildFire) built right in is kind of compelling.

--
Eric
http://linkedin.com/in/ericgearhart
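Eric's contrast between "allow UDP 1812 and 1813" and "allow traffic that looks and smells like RADIUS" is the difference between a port-based rule and an application-aware one. The Python below is an added example written for this page, not code from the thread and not Palo Alto's App-ID logic; it stands in for application identification with a hand-written structural check of RADIUS framing (RFC 2865 section 3: code, identifier, length, 16-byte authenticator, then attribute TLVs). The datagrams it classifies are constructed inline; the `Datagram` type and the function names are this example's own.

```python
"""Port-based vs application-aware filtering, illustrated with RADIUS.

Added example. A minimal RFC 2865 structural check stands in for the
application identification a next-generation firewall performs; it is
not any vendor's App-ID implementation. All sample datagrams below are
constructed for the example, not captured traffic.
"""
import struct
from dataclasses import dataclass

RADIUS_PORTS = {1812, 1813}                   # authentication, accounting
# Access-Request/Accept/Reject, Accounting-Request/Response,
# Access-Challenge, Status-Server, Status-Client (RFC 2865/2866).
RADIUS_CODES = {1, 2, 3, 4, 5, 11, 12, 13}
HEADER_LEN = 20                                # code(1) id(1) length(2) authenticator(16)
MIN_LEN, MAX_LEN = 20, 4096                    # bounds on the Length field


@dataclass(frozen=True)
class Datagram:
    """Hypothetical packet record: just the UDP destination port and payload."""
    dst_port: int
    payload: bytes


def port_rule_allows(dgram: Datagram) -> bool:
    """Classic L4 rule: anything sent to 1812/1813 is treated as RADIUS."""
    return dgram.dst_port in RADIUS_PORTS


def looks_like_radius(payload: bytes) -> bool:
    """Check that the payload is framed like a RADIUS packet (RFC 2865 s.3)."""
    if len(payload) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code not in RADIUS_CODES:
        return False
    # Length must be in range and must not exceed the datagram. Octets past
    # Length are padding and are ignored; a datagram shorter than Length is
    # to be silently discarded.
    if not MIN_LEN <= length <= MAX_LEN or length > len(payload):
        return False
    # Walk the attribute TLVs: type(1) length(1) value, with length >= 2,
    # and they must tile the region between the header and Length exactly.
    off = HEADER_LEN
    while off < length:
        if length - off < 2:
            return False
        attr_len = payload[off + 1]
        if attr_len < 2 or off + attr_len > length:
            return False
        off += attr_len
    return off == length


def app_rule_allows(dgram: Datagram) -> bool:
    """Application-aware rule: the RADIUS port AND plausible RADIUS framing."""
    return dgram.dst_port in RADIUS_PORTS and looks_like_radius(dgram.payload)


def build_radius(code: int, ident: int, attrs: list) -> bytes:
    """Construct a well-formed RADIUS datagram from (type, value) attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    authenticator = bytes(range(16))           # placeholder, not a real authenticator
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


# Constructed samples.
ACCESS_REQUEST = Datagram(1812, build_radius(1, 7, [(1, b"alice"), (4, bytes([10, 0, 0, 1]))]))
# Something else tunnelled over UDP/1812 to slip past a port-only rule.
TUNNELLED_HTTP = Datagram(1812, b"GET /admin HTTP/1.1\r\nHost: evil\r\n\r\n" + b"\x00" * 8)
# Right port, valid code, but Length claims more bytes than arrived.
TRUNCATED = Datagram(1813, build_radius(4, 9, [(44, b"sess-1")])[:-3])


def classify(dgrams: dict) -> dict:
    """Return {name: (port_rule_verdict, app_rule_verdict)} for each datagram."""
    return {name: (port_rule_allows(d), app_rule_allows(d)) for name, d in dgrams.items()}


if __name__ == "__main__":
    samples = {"access_request": ACCESS_REQUEST, "tunnelled_http": TUNNELLED_HTTP, "truncated": TRUNCATED}
    for name, (by_port, by_app) in classify(samples).items():
        print(f"{name:15s} port-rule={by_port!s:5s} app-rule={by_app}")
```

The port rule passes all three datagrams; the structural check passes only the well-formed Access-Request. A structural check like this is only a first cut at what a commercial App-ID engine does (it also tracks flow state, direction and later packets), and an attacker who can craft valid RADIUS framing around arbitrary attribute values still gets through, so the check buys protocol conformance on the opened port, not content inspection.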
Palo Alto has zero support for anything LEA-wise past the 7200 if I recall. We spent a ton of money on ASRs and found out we needed the lawful intercept IOS, which was only working/tested on a 7206VXR with a G2.

Palo Alto is insanely expensive, and (in my opinion) is only really cool for seeing what kind of porn people are looking at. This was an international deployment (literally, every country AND every body of water) and was required as every government on the planet wanted access to data from their flagged airplanes. It was cool, but not cool enough to be priced at what it is (the support and update costs were pretty intense on a larger deployment).

Any deeper questions etc., reply off list.
Seemed legit to me. I'm a satellite guy, so the Palo Alto gear was really for me to look at the traffic profiles. They did a killer job classifying traffic though, and I guess they update the rules every couple of days?
Thanks to everyone who replied on and off list today. I found a wide range of opinions on CALEA. I did have one person give me a very specific example of a vendor that can ensure compliance, which is really what I was after.

See y'all on Bourbon Street in June!

-ben
On Mar 15, 2013, at 9:38 AM, Ben Bartsch <uwcableguy@gmail.com> wrote:
> Are there actually any teeth to the law?

Find a real lawyer and show her/him http://www.law.cornell.edu/uscode/text/18/2522

--Steve Bellovin, https://www.cs.columbia.edu/~smb
participants (6)
- Ben Bartsch
- Christopher Morrow
- Eric G
- Joshua Goldbard
- Steven Bellovin
- Warren Bailey