North American Network Operators Group
Re: What's the best way to wiretap a network?
Scott C. McGrath

On Tue, 20 Jan 2004, Eriks Rugelis wrote:

> Sean Donelan wrote:
> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable to the surveillance subject, not missing any
> > relevant data, and not exposing the installer to undue risk?
>
> 'Best' rarely has a straight-forward answer. ;-)
>
> Lawful access is subject to many of the same scaling issues which we
> confront in building up our networks. Solutions which can work well for
> 'small' access or hosting providers may not be sensible for larger-scale
> environments.
>
> If you have only a low rate of warrants to process per year,
> and if your facilities are few in number and/or geographically close
> together,
> and if your 'optimum' point of tap insertion happens to be a link which
> can be reasonably traced without very expensive ASIC-based gear,
> and if your operation can tolerate breaking open the link to insert the
> tap,
> and if the law enforcement types agree that the surveillance target is
> unlikely to notice the link going down to insert the tap...
>
> then in-line taps such as Finisar or NetOptics can be quite sensible.
>
> If your operation can tolerate the continuing presence of the in-line tap
> and you only ever need a small number of them, then leaving the taps
> permanently installed may be entirely reasonable.
>
> On the other hand, if your environment consists of a large number (100's) of
> potential tapping points, then you will quickly determine that in-line taps
> have very poor scaling properties.
> a) They are not rack-dense
> b) They require external power warts
> c) They are not cheap (in the range of US$500 each)
> d) Often when you have that many potential tapping points, you are
> likely to be processing a larger number of warrants in a year. An in-line
> tap arrangement will require a body to physically install the recording
> equipment and cables to the trace-ports on the tap. You may also need to
> make room for more than one set of recording gear at each site.
>
> Large-scale providers will probably want to examine solutions based on
> support built directly into their traffic-carrying infrastructure (switches,
> routers.)

Using Cisco's feature set on a uBR it would be

    cable intercept interface x/y <Target MAC> <Logging Server IP> <port>

as an example of lawful access on infrastructure equipment.

> You should be watchful for law enforcement types trying to dictate a 'solution'
> which is not a good fit to your own business environment. There are usually
> several ways of getting them the data which they require to do their jobs.
>
> Eriks
> ---
> Eriks Rugelis -- Senior Consultant
> Netidea Inc.                         Voice: +1 416 876 0740
> 63 Charlton Boulevard,               FAX:   +1 416 250 5532
> North York, Ontario,                 E-mail: [email protected]
> Canada
> M2M 1C1
>
> PGP public key is here:
> http://members.rogers.com/eriks.rugelis/certs/pgp.htm