[164315] in North American Network Operators' Group
Re: What are y'all doing for CALEA compliance?
daemon@ATHENA.MIT.EDU (Warren Bailey)
Thu Jul 4 20:12:54 2013
From: Warren Bailey <wbailey@satelliteintelligencegroup.com>
To: Eric G <eric@nixwizard.net>, Christopher Morrow <morrowc.lists@gmail.com>
Date: Fri, 5 Jul 2013 00:12:27 +0000
In-Reply-To: <CAFzrbiF0RPi1xt9Xsazm53qC5mBuh0AyWhtJei1HpX8Ud9BN2w@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>
Reply-To: Warren Bailey <wbailey@satelliteintelligencegroup.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Palo Alto has zero support for anything LEA-wise past the 7200 if I recall. We spent a ton of money on ASRs and found out we needed to lawful intercept IOS which was only working/tested on a 7206VXR with a G2. Palo Alto is insanely expensive, and (in my opinion) is only really cool for seeing what kind of porn people are looking at. This was an international (literally, every country AND every body of water) and was required as every government on the planet wanted access to data from their flagged airplanes. It was cool, but not cool enough to be priced at what it is (the support and update costs were pretty intense on a larger deployment). Any deeper questions etc, reply off list.
Sent from my Mobile Device.
-------- Original message --------
From: Eric G <eric@nixwizard.net>
Date: 07/04/2013 11:23 AM (GMT-08:00)
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Subject: Re: What are y'all doing for CALEA compliance?
On Mar 15, 2013 11:37 AM, "Christopher Morrow" <morrowc.lists@gmail.com>
wrote:
>
> On Fri, Mar 15, 2013 at 11:32 AM, Joshua Goldbard <j@2600hz.com> wrote:
> > God I want one of those PA firewalls just to play with in the lab. I can't
> > justify the expense, but as far as firewalls go they're gorgeous. From the
> > chassis to the UI, PA is just doing it right.
> >
> > If anyone has a different experience, I'd love to hear it.
>
> for any firewall/appliance .. ask this:
> "How can I manage 200 of these things remotely"
>
> UI is pretty and nice and cool.. but utterly useless if you have more
> than 1 of the things.
> also, a firewall is a firewall is a firewall... they all do the basics
> (nat/filter/'proxy') nothing else in that category really matters...
> management matters.
>
I know I'm necro'ing a thread, but PA has a centralized management product
called Panorama. I threw up a Panorama VM the other day at work and I was
thoroughly impressed with how easy it was to set up ("establish SIC? What's
that?") and the slick management UI on Panorama that basically mirrors the
normal PA UI.
The App-ID thing that PA implemented *does* matter in my humble opinion...
being able to say "allow specifically traffic that looks and smells like
RADIUS" instead of "allow UDP 1812 and 1813" is neato.
PA has had some rough edges (their client VPN solution for Windows and OSX
is not ready for prime time in my opinion) but this is one thing they
nailed.
Chris Morrow - if it's in your budget you can pick up a PA200 on eBay for
like $1k. I've only played with PA over the year and a half I've been with
my current employer, but they've got a neat product. I've been tempted to
buy one for the house even, honestly... having URL filtering, SSL decrypt,
SSH decrypt (via man-in-the-middle), App-ID, some basic DLP and even some
malware analysis (WildFire) built right in is kind of compelling.
--
Eric
http://linkedin.com/in/ericgearhart
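The App-ID point in Eric's post above (allowing traffic that looks like RADIUS rather than allowing UDP 1812/1813) is easier to see with the two policies side by side. What follows is an added example written for this page; it is not Palo Alto code and not anything posted in the thread. It uses a hypothetical `Datagram` record and constructed sample payloads, and its "looks like RADIUS" check covers only the packet header and attribute framing from RFC 2865, which is far shallower than a real App-ID engine:

```python
"""Port-based vs. protocol-shape ("App-ID style") matching for RADIUS.

Added example for this thread; not Palo Alto code and not anything the
posters wrote. The Datagram record and all sample payloads are constructed
for illustration.
"""
import struct
from dataclasses import dataclass

# RADIUS packet header, RFC 2865 section 3:
#   Code (1 byte) | Identifier (1 byte) | Length (2 bytes) | Authenticator (16 bytes)
RADIUS_HEADER = struct.Struct("!BBH16s")
# Access-Request/Accept/Reject, Accounting-Request/Response, Access-Challenge
RADIUS_CODES = {1, 2, 3, 4, 5, 11}
RADIUS_PORTS = {1812, 1813}  # the ports a port-only rule would open


@dataclass(frozen=True)
class Datagram:
    """Hypothetical minimal view of a UDP datagram (constructed for this example)."""
    dst_port: int
    payload: bytes


def port_rule(dg: Datagram) -> bool:
    """'allow UDP 1812 and 1813': decides on the destination port alone."""
    return dg.dst_port in RADIUS_PORTS


def looks_like_radius(payload: bytes) -> bool:
    """Accept only payloads whose framing is consistent with RFC 2865.

    Checks: header size, a known Code, Length within 20..4096 and not larger
    than the datagram (extra trailing bytes are padding per the RFC), and a
    well-formed Type/Length/Value attribute chain that ends exactly at Length.
    """
    if len(payload) < RADIUS_HEADER.size:
        return False
    code, _ident, length, _auth = RADIUS_HEADER.unpack_from(payload)
    if code not in RADIUS_CODES or not 20 <= length <= 4096 or length > len(payload):
        return False
    pos = RADIUS_HEADER.size
    while pos < length:
        if pos + 2 > length:  # an attribute needs at least Type and Length
            return False
        attr_len = payload[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        pos += attr_len
    return True


def app_rule(dg: Datagram) -> bool:
    """'allow traffic that looks like RADIUS': ignores the port, inspects the payload."""
    return looks_like_radius(dg.payload)


def classify(dg: Datagram) -> dict:
    """Return both verdicts so the two policies can be compared side by side."""
    return {"port_rule": port_rule(dg), "app_rule": app_rule(dg)}


def build_access_request(ident: int, user: bytes) -> bytes:
    """Constructed Access-Request with User-Name (type 1) and NAS-IP-Address (type 4)."""
    attrs = bytes([1, 2 + len(user)]) + user + bytes([4, 6, 10, 0, 0, 1])
    length = RADIUS_HEADER.size + len(attrs)
    authenticator = bytes([0x11] * 16)  # constructed; a real client uses random bytes
    return RADIUS_HEADER.pack(1, ident, length, authenticator) + attrs


# Constructed sample datagrams
GOOD_ON_1812 = Datagram(1812, build_access_request(42, b"bob"))
HTTP_ON_1812 = Datagram(1812, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
GOOD_ON_18120 = Datagram(18120, build_access_request(7, b"alice"))

if __name__ == "__main__":
    for name, dg in [("real RADIUS on 1812", GOOD_ON_1812),
                     ("HTTP on 1812", HTTP_ON_1812),
                     ("real RADIUS on 18120", GOOD_ON_18120)]:
        print(f"{name:22} {classify(dg)}")
```

The second sample is the case the port rule gets wrong: anything sent to 1812 passes it, whereas the shape check rejects a payload whose first byte is not a RADIUS code. The third sample shows the converse, a well-formed RADIUS packet on an unexpected port that the port rule would silently drop. A header-and-framing check like this one is only a first filter; a real application-identification engine also tracks flow state and request/response pairing, so treat this as an illustration of the idea rather than a drop-in classifier.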