Lawful Intercept

Lawful Intercept Briefing
LI for VoIP, IP
Scott W. Coleman
Dir. Of Marketing - LI
SS8 Networks
January 23-26, 2007• Ft. Lauderdale, Florida
SS8 Networks Overview
• Privately held company with 20+ years of operating history
• 12 years providing Lawful Intercept solutions
• Headquartered in San Jose, CA
• Market leader in lawful intercept delivery function solution
• 250 worldwide service provider customers
• OEM relationship with some of the largest equipment vendors
(Lucent, Nortel, Alcatel)
• Partnerships with many equipment providers
(Juniper, AcmePacket, NexTone, Sylantro, Cisco, Samsung)
What is Lawful Intercept?
• The targeted intercept of voice and data services, by a service
provider on the behalf of Law Enforcement, when authorized by
a court
• Uses:
– Criminal - Investigation and Prosecution of criminal activity
– Intelligence Gathering - Investigation of individuals for
Homeland security, anti-terrorism and other threats
• Tightly controlled in both approval and operation
CALEA – Areas of Responsibility
• Congress: passes legislation (CALEA)
• Dept of Justice, FBI: tasked with enforcement and implementation
• FCC: arbitrator between Law Enforcement and service providers
• Carriers: required to implement CALEA solution in their networks
• Industry Standards Body: standards include J-STD-025A, B; PacketCable;
T1.678; T1.IPNA
• Equipment providers
Regulatory Events
• 2004 FBI, DOJ, DEA file joint petition asking FCC to clarify implementation
of CALEA for Broadband and VoIP providers.
– “Information Services”
– VoIP in Cable environments
• August 2005 FCC issued “First Report and Order” deeming that “Facilities
based broadband and inter-connected VoIP providers” must provide
CALEA support within 18 months of the Order.
• May 2006 FCC issued “Second Report and Order” confirming that there
would be no extensions and/or exceptions
• June 9th, lawsuit on behalf of Service providers seeking to stall or alter the
FCC report was denied by the DC Circuit Court
• 105 Filing – Security Policy and Procedure – March 12, 2007
• Monitoring Reports – February 12, 2007
• Compliance deadline of May 14th 2007
• Solution Certification – FBI/CIU
Types and Quantities of Warrants
• Subpoena
– Call records (copies of phone bills).
– Up to 2 million of these are done on an annual basis.
• Pen Register or Trap and Trace
– Real time delivery of call data only (off-hook, ringing, answer,
disconnect, call forward, hookflash etc.)
– Far fewer done than the subpoenas for call records (130,000)
• Title III
– Call Content included. Only 2600 done per year
– Only approved after a true need is demonstrated to the judge.
– Quite expensive for Law Enforcement.
• Monitored live 24 hours a day
• Ground team surveilling the target
CALEA Report Requirements for Congress
• Department of Justice - CALEA: Audit Report, DOJ Inspector General – April
• Department of Justice - FISA: DOJ Attorney General Report - April
• Federal and State LEA: Admin. Office of US Courts – Wiretap Report - April
• Recipient of all reports: Congress
Intercept Statistics
• 2004 Authorized Intercept Orders: 1,710
• Federal: 730 State: 980
• Four states accounted for 76% of intercept orders
– New York - 347
– California – 144
– New Jersey - 144
– Florida - 72
• Average duration of 43 days
• Longest was 390 days
• 88% for portable devices (94% telephonic)
• Average cost of $63,011
• Foreign Intelligence Surveillance Act: 1,754 orders approved
Intercept Applications by Offense Type
• Narcotics: 76%
• Racketeering: 8%
• Gambling: 5%
• Other: 5%
• Homicide: 4%
• Robbery: 2%
How is Lawful Intercept performed?
• Identify the user
– Determine the target identifier (phone number, email address, IP
address etc.)
• Wait for authentication
– When the target utilizes the network they must be authenticated.
Watch for that event.
• Find the edge
– When the target authenticates, find the edge device closest to the
target (so as not to miss any peer-to-peer transactions) and obtain
a copy of the target’s communications.
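Added example (not part of the original briefing): the "wait for authentication" and "find the edge" steps expressed as a correlation over RADIUS accounting records, including the case where the target's IP address is later reassigned to another subscriber and must fall out of scope. The record layout, user names and addresses are constructed assumptions; the attribute names are standard RADIUS accounting attributes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Window:
    """Period during which an IP address is assigned to the target."""
    ip: str
    edge: str             # NAS-IP-Address: edge device serving the session
    start: int            # time of Accounting Start
    stop: Optional[int]   # None while the session is still open

def target_windows(records, target_user):
    """Build the target's session windows from RADIUS accounting records.
    Records are dicts keyed by attribute name plus 'time' (assumed layout)."""
    open_sessions, windows = {}, []
    for r in sorted(records, key=lambda x: x["time"]):
        if r["User-Name"] != target_user:
            continue
        sid = r["Acct-Session-Id"]
        if r["Acct-Status-Type"] == "Start":
            w = Window(r["Framed-IP-Address"], r["NAS-IP-Address"], r["time"], None)
            open_sessions[sid] = w
            windows.append(w)
        elif r["Acct-Status-Type"] == "Stop" and sid in open_sessions:
            open_sessions.pop(sid).stop = r["time"]
    return windows

def in_scope(windows, ip, when):
    """True only if `ip` belonged to the target at time `when`."""
    return any(w.ip == ip and w.start <= when and (w.stop is None or when < w.stop)
               for w in windows)

def rec(time, user, status, sid, ip, nas):
    return {"time": time, "User-Name": user, "Acct-Status-Type": status,
            "Acct-Session-Id": sid, "Framed-IP-Address": ip, "NAS-IP-Address": nas}

# Constructed sample: 10.0.0.7 is reassigned to another subscriber after the
# target logs off, then the target reconnects behind a different edge device.
SAMPLE = [
    rec(100, "target@example.net", "Start", "a1", "10.0.0.7", "192.0.2.1"),
    rec(200, "target@example.net", "Stop",  "a1", "10.0.0.7", "192.0.2.1"),
    rec(210, "other@example.net",  "Start", "b1", "10.0.0.7", "192.0.2.1"),
    rec(300, "target@example.net", "Start", "a2", "10.0.0.9", "192.0.2.2"),
]

if __name__ == "__main__":
    ws = target_windows(SAMPLE, "target@example.net")
    for w in ws:
        print(w)
    print(in_scope(ws, "10.0.0.7", 250))
```

Bounding each window by the Accounting Stop is what keeps traffic of the next holder of 10.0.0.7 out of the intercept.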
Lawful Intercept Network Architecture
• Access Function (Service Provider Domain)
– Access elements that provide connectivity to target’s voice & data
communications
– Identifies and replicates target’s traffic
– SBC, routers, BRAS, PSTN switches, SS8 passive probe
– Shown in the diagram: SBC, phone switches, VoIP call agent, routers,
data switches, passive probe
• Delivery Function: Xcipio (Service Provider Domain)
– Provisions the access functions with target identifying information
– Receives copies of target’s traffic
– Correlates and converts raw target traffic to standards based interface
towards LEA
– Standards Based Delivery (J-STD, ETSI, PacketCable)
• Collection Function: LEA (Law Enforcement Domain)
– Recording and storage of intercepted traffic
– Analysis tools to track, correlate and interpret intercepted traffic
Standards
Impact:
• Defined the components:
– Access Function (AF), Delivery Function (DF), Collection Function (CF)
• Defined the demarcation points and the need for interfaces
• Created an environment where customization was reduced and
reproducible products could be built.
Standards in common use in the U.S.:
J-STD-25A – Punchlist
J-STD-25B – CDMA2000 wireless data
PacketCable – VoIP for Cable networks
T1.678 – VoIP for wireline, PTT, PoC
ETSI 33.108 – GPRS wireless data
ATIS – T1.IPNA – ISP data (brand new)
International standards in common use:
ETSI 33.108 – GPRS wireless data
ETSI 201.671 – TDM voice
ETSI 102.232, 102.233, 102.234 – ISP
Data intercept (email, IP packets)
Defining the Interfaces
• Access Function (Service Provider Domain): SBC, phone switches, VoIP call
agent, routers, data switches, passive probe
• Delivery Function (Service Provider Domain): Xcipio
• Collection Function (Law Enforcement Domain): LEA
• Between Access Function and Delivery Function:
– INI-1, Internal Network Interface #1: Provisioning
– INI-2, Internal Network Interface #2: Communication Data / Signaling
– INI-3, Internal Network Interface #3: Media Content
• Between Delivery Function and Collection Function:
– HI-1, Handover Interface #1: Provisioning
– HI-2, Handover Interface #2: Data / Signaling
– HI-3, Handover Interface #3: Media Content
Applying Standards
[Diagram: Access Function, Delivery Function (Xcipio) and Collection Function
(LEA), joined by INI-1 / HI-1 (Provisioning), INI-2 (Communication Data /
Signaling) / HI-2 (Data / Signaling) and INI-3 / HI-3 (Media Content), across
the Service Provider Domain and the Law Enforcement Domain.]
• Standards only apply to HI-2 and HI-3
• Only exception is PacketCable that also defines INI-2 and INI-3
Methods for Lawful Intercept
• Active Approach
– Work with the network equipment manufacturers to develop
lawful intercept capability in the network elements.
– Utilize existing network elements for lawful intercept
– Sometimes serious impact to network performance
– No need for additional hardware
• Passive Approach
– Use passive probes or sniffers as Access Function to
monitor the network and filter target’s traffic
– Requires expensive additional hardware
– No impact to the network performance
• Hybrid – utilizes both
VoIP Active Intercept (Cisco SII)
[Diagram. Elements shown: Law Enforcement Agency (provisioning of warrant),
LI Administration Function, SoftSwitch (Cisco BTS), Xcipio delivery function,
Law Enforcement Monitoring Facility (Xcipio LEMF DR-2400), target subscriber,
customer premise IAD (SIP, H.323, or MGCP based gateway), CMTS, all but the
agency and monitoring facility inside the Service Provider Domain.
Link labels: Admin (INI-1), SNMPv3 Request (INI-1), Call Control (INI-2),
Voice Packets / RTP Stream (INI-3), HI-2, HI-3.]
VoIP – Intercept at Trunk/Media Gateway
(for Forwarded Calls)
[Diagram. Elements shown: Law Enforcement Agency (provisioning of warrant),
LI Administration Function, SoftSwitch (Cisco BTS), XCIPIO SSDF, XCIPIO,
Law Enforcement Monitoring Facility (Xcipio LEMF DR-2400), target subscriber,
customer premise IAD (SIP, H.323, or MGCP based gateway), CMTS, media gateway,
PSTN.
Link labels: INI-1, SNMPv3 (INI-1), Call Control, INI-2, Voice Packets (INI-3),
HI-2, HI-3, Call to Target, Call Forward to PSTN, Forwarded Call.]
Active Approach to IP Data Intercept
[Diagram. Elements shown: Law Enforcement Agency (provisioning of warrant),
LI Administration Function, AAA server, XCIPIO, Law Enforcement Monitoring
Facility, router, target subscriber, Internet.
Link labels: INI-1 Admin, INI-2 IRI, Radius Authenticate, SNMPv3 Request,
Intercepted Data (INI-3), Data Stream/IP Access, HI-2, HI-3.]
Passive Approach to IP Data Intercept
[Diagram. Elements shown: Law Enforcement Agency (provisioning of warrant),
LI Administration Function, AAA server, XCIPIO, Law Enforcement Monitoring
Facility, router, target subscriber, Internet.
Link labels: INI-1 Admin, INI-2 IRI, Radius Authenticate, SNMPv3 Request,
Provisioning, Report Intercepted Data, Intercepted Data (INI-3),
Data Stream/IP Access, HI-2, HI-3.]
A bit about Xcipio
The Components of Xcipio
[Diagram: Xcipio as the Delivery Function between the Access Function and the
Collection Function (LEA). Service Provider Domain side: INI-1 (Provisioning),
INI-2 (Communication Data / Signaling), INI-3 (Media Content). Law Enforcement
Domain side: HI-1 (Provisioning), HI-2 (Data / Signaling), HI-3 (Media
Content).]
The Components of Xcipio
• User Interface
– Remote or local access to Xcipio
• Provisioning Element, PE-2200 (INI-1 Provisioning)
– Database, User Interface
– Database, supports User Interface, maintains all warrant information,
creates shared memory image of intercept information
• Intercept Engine, IE-2100, software module (INI-2)
– Call data, call events, signaling
– Receives call data, call events, network signaling, INI-2 and HI-2
• Content Processor, CP-2300, software module (INI-3)
– Filters, encapsulates content
– IP packet processing, TDM switch matrix
– Processing, routing, replicating, identification, encapsulation,
encryption and delivery of content (packet and/or TDM voice) to law
enforcement in real-time.
• LIS – Lawful Intercept Server, software release
– Core software application, real-time processing
– Signaling stacks (SIP, SS7), TCP/IP stacks, error logs, alarms, SNMP,
managed object structure etc.
• Physical Layer: LIS primary server
– Sun servers, Ethernet connectivity, IP packets, switch matrix cards
• Passive probe, software module
– (IP, VoIP, TDM, HTTP etc.)
Summary
• SS8 has over 12 years of experience providing Lawful Intercept solutions
internationally both directly and through partners.
– Current customers include government agencies and carriers that
range from very large nationwide carriers to small rural carriers.
– We partner with many different network equipment vendors to
deliver comprehensive LI solutions.
• In the US there is a deadline (May 14, 2007) that is approaching quickly
and carriers need to address their obligations.
– Small carriers seem to be lagging in terms of meeting the deadline,
so to address that need, SS8 is designing cost effective programs
specifically for small carriers and enterprises.
– These programs address short term capital expenditures as well as
long term operating costs.