Name: Layer 7 Identity Management for Lawful Interception

Text: ixDPI Information eXtraction through Deep Packet Inspection

Layer 7 Identity Management for
Lawful Interception

Patrick Paul, VP Operation & Product Management, Qosmos
October 1st, 2008

A New Complex Situation Creates a Number of Challenges to Correctly Identify Targets…
[Network diagram: Internet application servers (Gmail, Salesforce, YouTube, LiveMail); a 3G access network with Base Station System (BSS), Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN), Home Location Register (HLR) and an alternate Public Land Mobile Network over an IP-based GPRS/UMTS network; a DSL access network with DSLAMs, BRAS and an Authentication, Authorization & Accounting (AAA) server over an IP-based DSL/FTTH network.]

How do you accurately identify targets across multiple applications, multiple
physical locations, multiple terminals and multiple identities?
Page 2

Challenge #1: Identify Users across all Types of
Communications
New challenges for LEAs
People are no longer linked to
physical subscriber lines
The same person can communicate
in several ways
Example: VoIP, Instant Messaging,
Webmail, FTP, etc
How to launch interception across all
communication with a single trigger?

Answer
Identify users and intercept all types of communication initiated by the same user when a trigger such as "user login" is detected
Identify the Internet access point and physical device of the targeted user
Link the trigger to an IP address, MAC address, IMSI, IMEI, etc.
Show all communication on the same screen, in real time: Webmail, Instant Messaging, FTP, P2P, Financial Transactions

1. Trigger = VoIP activity on
monitored user login

2. Link user login to:
-User MAC
-or IP address
-or IMSI

3. Intercept VoIP + Webmail
+ Chat from a particular
user on a certain PC or
mobile to a specific person
in real-time!
Page 3

Challenge #2: Need to Understand Different Applications
Behind The Same Protocol
HTTP is not only used by Web
browsing
HTTP is also used by: LiveMail,
Gmail, YahooMail,
GoogleEarth, GoogleMap,
Salesforce, iGoogle, mashups,
and hundreds of
other applications...

A user typically has different IDs in
different applications
Answer
Understand all the applications using
a particular protocol (such as HTTP)
Deep and stateful analysis of IP
packets
Connection context and session
management
Connection expiration management
IP fragmentation management
Session inheritance management
Page 5

Challenge #3: Ability to Recognize Regional Protocols

Targets may use regional services for Webmail, Instant Messaging, Social Networking, etc.
Used by a large number of people in the local country and local language
Targets can also use services from outside their country of origin, in the local language or other languages
[Screenshots of regional services, labelled: Poland, China]

Answer

Extend protocol expertise to local Webmail, Instant Messaging, Social Networking, etc.

Page 6

Examples of Regional Protocols
Americas: Hushmail, Lavabit, FuseMail, LuxSci, Trusty Box, Webmail.us, ATT webmail; Meebo, VZOchat, BeeNut, Xfire; fotolog, Bebo, Sonico, MiGente
EMEA: Jubii, Mail.ru, O2 Webmail, Orange Webmail, Pochta.ru, Runbox, GMX Mail; Mxit, Maktoob, Paltalk, Gadu-Gadu; Lunarstorm, PSYC, vkontakte.ru, Cloob, Grono.net
APAC: QQ webmail + Chat, 263 webmail; SOQ (Sohu) IM, POPO IM, UC (Sina), Fetion, NateOn, India Times webmail, Rediff.com, ZAPAK; Mixi, Taobao, naver.com, youku

Challenge #4: Many Applications have Evolved from their
Initial Use
Applications are used differently
than their originally intended
purpose
File transfer in Skype
Instant Messaging in WOW
Financial transactions in Second
Life
Use of "Dead Mailboxes" within Webmail => shared storage space and folders (same login/password for different users)

Skype file transfer

Answer
Understand real application
usage by correlating multiple
sessions and packets
Ensure a full view of application /
service / user, independently of
protocol

World Of Warcraft Instant Messaging

Page 8

Challenge #5: Recognizing Correct Identity Means Going
BEYOND OSI Reference Model
Users can easily hide their identity
New, complex communication
protocols do not follow OSI model
Examples: P2P, Instant Messaging,
2.5G/3G (GTP), DSL Unbundling,
(L2TP), VPN (GRE), etc.

Protocols are frequently
encapsulated
Example: multiple encapsulations in
an operator DSL network (ATM /
AAL5 / IP / UDP / L2TP / PPP / IP /
TCP / HTTP)

Answer
Extract user identity information in
real-time, independently of OSI
model and dig into encapsulation
within several complex IP layers
Qosmos protocol graph

Page 9

Example of User Identification within a Tunneled
Protocol: L2TP

It is important to
accurately identify
encapsulated protocols
such as L2TP (Layer 2
Tunnel Protocol)
This enables the tracking
of VPN connections
between remote
employees and
enterprise networks

[Diagram: a remote worker reaching the corporate headquarters through an L2TP tunnel, with authentication & authorization performed at both ends of the tunnel.]
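As an added illustration of the decapsulation this slide describes (example code written here, not Qosmos code), the block below walks a constructed IPv4/UDP/L2TPv2/PPP/IPv4/TCP packet through a small protocol graph, in the spirit of the "Qosmos protocol graph" above, so that the inner endpoints hidden by the outer headers become visible; the addresses, tunnel and session IDs are constructed sample values.

```python
import struct

# Each parser returns (extracted fields, name of the next layer or None, remaining bytes).
def ipv4(buf):
    ips = {"src": ".".join(map(str, buf[12:16])), "dst": ".".join(map(str, buf[16:20]))}
    return ips, {6: "tcp", 17: "udp"}.get(buf[9]), buf[(buf[0] & 0x0F) * 4:]
def udp(buf):
    sport, dport = struct.unpack("!HH", buf[:4])
    return {"sport": sport, "dport": dport}, "l2tp" if 1701 in (sport, dport) else None, buf[8:]
def tcp(buf):
    sport, dport = struct.unpack("!HH", buf[:4])
    return {"sport": sport, "dport": dport}, None, buf[(buf[12] >> 4) * 4:]
def l2tp(buf):  # L2TPv2 (RFC 2661) data message; control messages carry no PPP payload
    flags = struct.unpack("!H", buf[:2])[0]
    if flags & 0x000F != 2 or flags & 0x8000:
        return {"flags": hex(flags)}, None, b""
    off = 4 if flags & 0x4000 else 2                      # L bit: Length field present
    tid, sid = struct.unpack("!HH", buf[off:off + 4])
    off += 4 + (4 if flags & 0x0800 else 0)               # S bit: Ns/Nr present
    if flags & 0x0200:                                    # O bit: Offset Size present
        off += 2 + struct.unpack("!H", buf[off:off + 2])[0]
    return {"tunnel": tid, "session": sid}, "ppp", buf[off:]
def ppp(buf):
    if buf[:2] == b"\xff\x03":                            # optional HDLC address/control
        buf = buf[2:]
    if buf[0] & 1:                                        # protocol field compression
        proto, buf = buf[0], buf[1:]
    else:
        proto, buf = struct.unpack("!H", buf[:2])[0], buf[2:]
    return {"proto": hex(proto)}, {0x0021: "ipv4"}.get(proto), buf
GRAPH = {"ipv4": ipv4, "udp": udp, "tcp": tcp, "l2tp": l2tp, "ppp": ppp}

def walk(pkt, name="ipv4"):
    """Follow the protocol graph until a parser reports no next layer or data runs out."""
    layers = []
    while name and pkt:
        info, nxt, pkt = GRAPH[name](pkt)
        layers.append((name, info))
        name = nxt
    return layers
# Constructed sample (documentation addresses): IPv4/UDP/L2TP/PPP carrying IPv4/TCP to port 80.
def ip_hdr(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
frame = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 0x50, 0x18, 8192, 0, 0) + b"GET / HTTP/1.1\r\n"
frame = b"\xff\x03\x00\x21" + ip_hdr("10.1.2.3", "203.0.113.10", 6, len(frame)) + frame  # PPP
frame = struct.pack("!HHHH", 0x4002, 8 + len(frame), 5, 7) + frame     # L2TPv2 data, L bit set
frame = struct.pack("!HHHH", 1701, 1701, 8 + len(frame), 0) + frame    # UDP, checksum 0
SAMPLE = ip_hdr("192.0.2.1", "198.51.100.2", 17, len(frame)) + frame
```

`walk(SAMPLE)` returns one entry per layer; a port-based view would only ever see UDP/1701 between the two outer addresses.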

Page 10

Challenge #6: Not Possible to Rely on IANA Ports to
Track Applications and Users
Applications can no longer be
linked to specific ports
Port "80 boulevard"
Skype runs on port 80, port
443, or on random ports
RTP does not use predefined
ports
SIP negotiates and defines the
ports used for data
communication (RTP)

Skype Connection Preferences

Answer
Inspect complete IP flows rather than "packet by packet"
Track control connections: e.g.
FTP data, SIP/RTP or P2P
traffic
Ensure a full view of application
/ service / user independently
of protocol
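Added example (not from the original deck) of tracking the SIP control connection so that the RTP/RTCP ports it negotiates can be classified, and expiring them when the session ends with BYE; the SIP messages, Call-ID and addresses below are constructed.

```python
import re

class SipRtpTracker:
    """Learn RTP/RTCP endpoints from SIP/SDP signalling, then classify later UDP flows."""
    def __init__(self):
        self.media = {}                      # (ip, port) -> (kind, Call-ID)
    def observe_sip(self, text):
        """Consume one SIP message; returns the (ip, port) learned from its SDP, if any."""
        call_id = re.search(r"^Call-ID:[ \t]*(\S+)", text, re.M | re.I)
        if not call_id:
            return None
        cid = call_id.group(1)
        if text.startswith("BYE "):          # session over: expire its media ports
            self.media = {k: v for k, v in self.media.items() if v[1] != cid}
            return None
        conn = re.search(r"^c=IN IP4 (\S+)", text, re.M)
        audio = re.search(r"^m=audio (\d+) RTP/AVP", text, re.M)
        if not (conn and audio):
            return None
        ip, port = conn.group(1), int(audio.group(1))
        self.media[(ip, port)] = ("rtp", cid)        # RTP on the offered port
        self.media[(ip, port + 1)] = ("rtcp", cid)   # RTCP on port+1 (RFC 3550)
        return ip, port
    def classify_udp(self, src, sport, dst, dport, payload):
        """Return (kind, Call-ID) for a UDP packet, or ("unknown", None)."""
        for key in ((src, sport), (dst, dport)):
            if key in self.media:
                kind, cid = self.media[key]
                # RTP/RTCP v2 start with version bits 10; anything else on a learned port is flagged
                if len(payload) < 8 or payload[0] >> 6 != 2:
                    return "suspect-" + kind, cid
                return kind, cid
        return "unknown", None
# Constructed sample signalling (documentation addresses): Alice's offer, Bob's answer, BYE.
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: abc123@192.0.2.10\r\n"
          "Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 192.0.2.10\r\n"
          "m=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: abc123@192.0.2.10\r\n\r\nv=0\r\n"
          "c=IN IP4 198.51.100.20\r\nm=audio 3456 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: abc123@192.0.2.10\r\n\r\n"
def demo():  # offer/answer, then RTP, RTCP and unrelated UDP, then the same RTP after BYE
    t = SipRtpTracker()
    t.observe_sip(INVITE); t.observe_sip(OK_200)
    rtp = t.classify_udp("192.0.2.10", 49170, "198.51.100.20", 3456, b"\x80\x00" + bytes(10))
    rtcp = t.classify_udp("198.51.100.20", 3457, "192.0.2.10", 49171, b"\x81\xc8" + bytes(6))
    other = t.classify_udp("192.0.2.10", 5060, "198.51.100.20", 9999, b"\x00" * 12)
    t.observe_sip(BYE)
    after = t.classify_udp("192.0.2.10", 49170, "198.51.100.20", 3456, b"\x80" + bytes(11))
    return rtp, rtcp, other, after
```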

Page 11

Challenge #7: Adapt Rapidly to New Protocols
Difficult to handle an increasing number of protocols with dedicated ASICs
Long development times (MONTHS)
Limited flexibility

Answer
Use a software-based approach, ensuring greater flexibility, easy updates and short development time (DAYS)
Shorten lead times to respond quickly to mounting threat patterns
Ensure high packet processing performance by using the latest standards-based, multi-core architecture
Make the software portable across different hardware platforms: appliances, routers, IP DSLAMs, GGSNs, Set-Top-Boxes, PCs, etc.

Page 12

A Short Illustrative Demo

Page 13


Qosmos Legal Intercept Solutions
[Architecture diagram: provisioning, communication data / signaling and media content enter at packet acquisition; a CDRs database with traffic recording for replay and an application transcoding stage deliver communication data / signaling and transcoded media content to the LEA.]

Qosmos and its integrator partners offer a complete interception solution
including:
Flow classification
Applicative classification
Information extraction
Selective recording
Application transcoding (mail, etc.)
Visualization

Page 22

Summary: It Is Possible To Accurately Identify Users!


SPECIAL OFFER: Get your free evaluation of ixEngine at the Qosmos booth!
Page 23

Qosmos, Q-Work, Qosmos ixMachine, Qosmos ixEngine are trademarks and registered trademarks in France and other countries. Copyright Qosmos 2008

Document Path: ["37-200810-iss-prg-qosmos.pdf"]
