North American Network Operators Group


Re: What's the best way to wiretap a network?

  • From: Scott McGrath
  • Date: Tue Jan 20 12:19:37 2004


                            Scott C. McGrath

On Tue, 20 Jan 2004, Eriks Rugelis wrote:

>
> Sean Donelan wrote:
> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable to the surveillance subject, not missing any
> > relevant data, and not exposing the installer to undue risk?
>
> 'Best' rarely has a straightforward answer.  ;-)
>
> Lawful access is subject to many of the same scaling issues which we
> confront in building up our networks.  Solutions which can work well for
> 'small' access or hosting providers may not be sensible for larger-scale
> environments.
>
> If you have only a low rate of warrants to process per year,
>    and if your facilities are few in number and/or geographically close together,
>    and if your 'optimum' point of tap insertion happens to be a link which
>    can be reasonably traced without very expensive ASIC-based gear,
>    and if your operation can tolerate breaking open the link to insert the tap,
>    and if the law enforcement types agree that the surveillance target is
>    unlikely to notice the link going down to insert the tap...
>
>    then in-line taps such as Finisar or NetOptics can be quite sensible.
>
> If your operation can tolerate the continuing presence of the in-line tap
> and you only ever need a small number of them then leaving the taps
> permanently installed may be entirely reasonable.
>
> On the other hand, if your environment consists of a large number (100's) of
> potential tapping points, then you will quickly determine that in-line taps
> have very poor scaling properties.
> 	a) They are not rack-dense
> 	b) They require external power warts
> 	c) They are not cheap (in the range of US$500 each)
> 	d) Often when you have that many potential tapping points, you are
> likely to be processing a larger number of warrants in a year.  An in-line
> tap arrangement will require a body to physically install the recording
> equipment and cables to the trace-ports on the tap.  You may also need to
> make room for more than one set of recording gear at each site.
>
> Large-scale providers will probably want to examine solutions based on
> support built directly into their traffic-carrying infrastructure (switches,
> routers.)

Using Cisco's feature set on a uBR it would be

interface cable x/y
 cable intercept <Target MAC> <Logging Server IP> <UDP port>

as an example of lawful access on infrastructure equipment.
>
> You should be watchful for law enforcement types trying to dictate a 'solution'
> which is not a good fit to your own business environment.  There are usually
> several ways of getting them the data which they require to do their jobs.
>
> Eriks
> ---
> Eriks Rugelis  --  Senior Consultant
> Netidea Inc.                          Voice:  +1 416 876 0740
> 63 Charlton Boulevard,                FAX:    +1 416 250 5532
> North York, Ontario,                  E-mail: [email protected]
> Canada
> M2M 1C1
>
> PGP public key is here:
> http://members.rogers.com/eriks.rugelis/certs/pgp.htm
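As an added example, not part of the thread or of any Cisco tooling: a small Python audit script that reads a saved CMTS running-config, lists every "cable intercept" statement under its cable interface, and flags any whose target MAC and collector address are not backed by a known warrant. The config excerpt and the authorized list are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample of a Cisco uBR running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
!
interface Cable3/0
 ip address 10.1.1.1 255.255.255.0
 cable intercept 0001.9659.4461 192.0.2.10 9999
!
interface Cable4/0
 cable intercept 00d0.ba12.3456 198.51.100.7 9999
 cable intercept 0002.fc11.aabb 203.0.113.99 5000
!
"""

# 'cable intercept <mac> <ip> <udp-port>': MAC in Cisco dotted-hex form.
_INTERCEPT_RE = re.compile(
    r"^\s*cable intercept\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\d+)\s*$",
    re.IGNORECASE,
)
_INTERFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)

def parse_intercepts(config_text):
    """Return (interface, mac, collector_ip, udp_port) for every 'cable intercept'
    statement, attributed to the enclosing interface section."""
    found = []
    current_if = None
    for line in config_text.splitlines():
        m = _INTERFACE_RE.match(line)
        if m:
            current_if = m.group(1)
            continue
        if line.strip() == "!":
            current_if = None  # a bare '!' ends the interface section
            continue
        m = _INTERCEPT_RE.match(line)
        if m and current_if:
            mac, ip, port = m.groups()
            ip_address(ip)  # raises ValueError on a malformed collector address
            found.append((current_if, mac.lower(), ip, int(port)))
    return found

def unauthorized_intercepts(config_text, authorized):
    """Flag intercepts whose (mac, collector_ip) pair is not in 'authorized',
    a set of (mac, collector_ip) tuples backed by current warrants."""
    return [e for e in parse_intercepts(config_text)
            if (e[1], e[2]) not in authorized]
```

Run it against a periodic config export so that an intercept nobody has a warrant for shows up as a configuration drift alert rather than going unnoticed.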